Innovation, Bruce Lee Style

To celebrate the Year of the Dragon, here's some business inspiration from Bruce Lee (born the hour and year of the Dragon) — an edited excerpt of my interview from 2022 in Thomas Lee's The Bruce Lee Code, Chapter 3: Innovation, Bruce Lee Style

Christian Hosoi chose to be "Bruce Lee on a skateboard" 🤙 Life ruined my skateboarding, so I did startups instead!


Dug Song is the co-founder of Duo Security, the leading provider of two-factor authentication, a widely used technology that protects computer systems from unauthorized intrusions. In 2018, Cisco Systems purchased Duo for $2.4 billion. Song is now chief strategy officer for Cisco’s security business. Here's how Song describes the impact Bruce Lee had on him:

I grew up watching Saturday morning kung fu shows on TV and remember seeing people that looked like me. It was pretty badass. Those shows really affirmed my own identity as an Asian-American. I felt like a fish out of water, growing up where I did around Washington DC.

Maybe every child of color in America has had to deal with that. You learn about all kinds of heroes and warriors throughout US history. But growing up Asian-American, you weren’t represented by anyone.

My dad looked like Bruce Lee and had the same haircut. But he didn't know martial arts and he was pretty mild-mannered. I worked at my dad's liquor store and he got mugged all the time. Once, he was stabbed eleven times. So people like Bruce Lee portrayed a vision of Asian masculinity that was absent from our experience.

A lot of martial arts is theory, more or less a kind of dance; it's a formalized ritual, a bunch of movements that are choreographed. It's great training, it's great exercise and coordination and so forth, but maybe not the most practical. I think in Bruce Lee's view, martial arts is actually about winning. There are things that work and things that don't. He was driving toward what was true in practice versus in theory. You learn through trial and error. You find your way to truth and what works.

When it came to starting a company, I didn't want to follow someone else's footsteps. There's plenty to learn from the folks that have come before you, but there's nothing to say that you simply have to follow someone else's playbook. Why should we be any more successful copying our competitors' playbooks that they developed, trained on, and perfected? There are things that we could take and borrow, observe and try to incorporate. But at the end of the day, our truth would need to emerge just as it did for Bruce Lee, who adapted from the various forms, techniques, and practices that came before him.

In that sense, Bruce represented the American immigrant story. People bring their histories from other countries with them, but they're not entirely bound by them. It gave me real comfort in being Asian-American. I could learn and appreciate the history from where my family originated, but forge my own path.

I knew children of immigrants who had a much harder time finding their own way, because their parents constantly pressured them to fit into a model, a notion of what their home culture was like decades ago when they first left.

Bruce was someone who took the best of what worked for him into a new environment and made it uniquely his. He exemplified the American dream for lot of entrepreneurs.

In my early career, I used to spend a lot of time breaking other people's security software. I quickly realized that the industry was like the emperor who had no clothes. It was a similar experience to Bruce Lee, like watching a whole history of martial arts that wasn't very effective. All these styles and disciplines that don't really work. The cybersecurity industry was full of products that were basically snake oil.

The vendor would sell you a box, a piece of hardware you would put in your network. And nothing would happen. And the vendor would say: "See, you're more secure. Nothing's happening." And the customer thinks: "What did I just buy?"

And it took folks that had a bit of a chip on their shoulders, like me, to poke and prod and ultimately break those products, for people to realize that many of them weren't very good.

It was like Bruce's sparring matches, testing other people's martial arts disciplines, and realizing none of them worked. I was so disillusioned with that industry. It was something of a lemon market, where you buy a used car and you don't know if it's good or not until you drive off the lot, by which time it's too late. And again, a lot of computer security was like that.

I eventually left the industry to go do an Internet TV company. But I came back when I saw a shift happening with the rise of the commercial Internet. More and more companies and organizations were getting online and not just the big ones, like banks, hospitals, governments, but also your small businesses and corner coffee shops. All these folks were getting connected to the Internet and none of them had the skills or technology with which to protect themselves.

And a lot of them were being targeted. By 2007, 2008, the American Banking Association had guidance around using a separate computer for online banking. An auto body shop in Sterling Heights, Michigan, got popped. Someone wired millions out of their accounts. The bank at the time said: “Well, we're not liable. It's the customer's fault. They're the ones who got their passwords stolen." You sort of quickly realized that, wow, this is a really bad situation.

So my co-founder, Jon Oberheide, and I decided we would build a company to protect others from harm. Just as Bruce Lee wanted to share his knowledge, to share his gift, to share what he knew and understood about the world. With Duo Security, we had a mission to ultimately democratize security, putting security within everyone's reach by making it easy and effective.

Because it wasn't easy. The industry was hopelessly opaque and convoluted. It encouraged complexity, admiring the problem versus actually solving it. In that early era of Internet security, there weren't as many people who had experience on both sides like myself and Jono, as attackers and defenders. We knew what worked. And so we tried to simplify.

We also thought deeply about the plight of those users and how painful and onerous it was. We wanted to build better security, not just more. We focused on highly integrating design and engineering to lead to innovation. We wanted our technology to have personality; it didn't have to be cold, sterile, or even scary for it to be effective.

At a time when the rest of the computer security industry was selling to the 1% of enterprises, we decided to go for the mass market. But that was hard because those people weren't looking for security, had never bought it before, didn't know how to evaluate it. So we had to educate, we had to inform, in some cases we had to entertain.

There was plenty of security software out there that tried to terrify you with ominous red and black warnings and sensationalistic marketing. We tried to make everything approachable and accessible, to deliver things with personality or style to be intriguing and appealing. So our colors were green, meaning "go", to offer a path right through all the chaos.


Those early kung fu films from Shaw Brothers were super flowy and campy. It took fifteen minutes of back and forth between two opponents for anything to really happen.

But Bruce Lee movies hit different. Literally. His punches and kicks were super fast. He would take on a room full of people coming at him. And you quickly realize that's what real combat looks like. You take someone out as fast as you can. He was like a flash of lightning. Whether ripping off his shirt or licking blood off his face, Bruce had style. He held your interest. The dude represented.

In Game of Death, that yellow jumpsuit he wore? That was like the height of style. When you saw that, it was almost as if he was foretelling where things were going, that martial arts would become cool, a mainstream thing.

A lot of that is probably what attracted mass-market audiences to his films. Bruce was all about integrating pop culture into his movies. Casting celebrities and athletes like Kareem Abdul-Jabbar and Chuck Norris. It said something about what he did. It's contemporary, it's fresh, it's modern.

We tried do the same thing. We had a lot of swagger because we knew we could back it up. We used to talk about slogans: "Frustrate the attackers, not your users." We were pitting ourselves against the rest of industry, which was so much junk. We would taunt the other vendors in the industry, how they were ineffective. It was almost like Bruce with his palm outstretched, wiggling his fingers at them, like: "Come on."

Our business really grew through word of mouth, which I think is the best way to grow business, and lots of customers referring each other. There's a fine line between arrogance and confidence and that was something that Bruce embodied. You always rooted for that guy. 

Bruce and Steve Jobs were big inspirations for what we did. Finding your own route to success is a process of trial and error, not blindly borrowing and stealing things, but adapting and integrating them into something new.

It was about reducing things to the essentials. Perfection happens, not when there's nothing left to be added, but when there's nothing left to be taken away — that was the essence of Bruce and Steve Jobs. They streamlined things to the core and in such a way that it itself represented a certain kind of aesthetic.

Bruce wasn't flat as a fighter. With every move, even when he was dancing around, it was to keep people off-kilter. Those choices to omit or elevate something, they represent a strategy. People misunderstand that. All they see is that they just took away a lot of stuff. It's almost too simple. People ask us all the time: "Wait, so you're just doing two-factor authentication? That's all you're building? That's just a feature." The technology was actually commercialized in 1985 and invented even earlier. And here we were in 2010, starting a company doing the same thing hundreds of companies had already done.

And I had already built some pretty sophisticated stuff, like machine learning systems for network security, things that wouldn't hit until twenty years later. With two-factor authentication, my colleagues in the industry were thinking: "Wow, why are you doing something so simple?"

And I told people: "Because it works." But we took a contemporary spin on it. We focused on access security and integrated mobile devices instead of our own hardware. In 2010, the iPhone was only a couple years old but was rapidly becoming popular. To me, implementing two-factor authentication via smartphones and delivering it from the cloud was a little bit like Bruce Lee putting on a yellow-and-black jumpsuit.

No, you don't need do all these other things. You just need to do what works, what's efficient and effective for you. That summarizes a lot of Bruce's philosophy. The rest is just wasted motion — or in many cases for our customers, wasted money.

Popular posts from this blog

Making Michigan More Competitive

Tribe of Hackers