Okta, Inc. (NASDAQ:OKTA) Goldman Sachs Communacopia + Technology Conference September 10, 2024 6:45 PM ET
Company Participants
Todd McKinnon – Chairperson of the Board, Chief Executive Officer, Co Founder
Conference Call Participants
Gabriela Borges – Goldman Sachs
Gabriela Borges
I think we can go ahead and kick it off. Thanks for joining us this afternoon at the Okta session at the GS Communacopia and Technology Conference. I’m Gabriela Borges, I cover security here at Goldman and delighted to have on stage with me Todd McKinnon, CEO, Chairperson of the Board and Co-Founder of Okta. Thanks for your time.
Todd McKinnon
Yes, thanks for having me. I’m excited to be here. Hi, everyone.
Question-and-Answer Session
Operator
[Operator Instructions]
Gabriela Borges
So, Todd, when we met for the first time a couple of years ago now, you talked about wanting to re-prioritize and upgrade the level of innovation in the R&D organization at Okta. And I fast forward then to Okta in this time last year and the number of product announcements that the company talked about was significantly higher than at least what I could recall in prior years. So talk to us a little bit about the evolution of the R&D organization and how that fits into your evolution of Okta as an identity platform today versus perhaps at the time of the IPO or at the time of its founding?
Todd McKinnon
The space we’re in is very, it’s a critical space identity and it’s critical for security and does a lot of things for companies. It’s also a space that I think the industry, identity speaking and particularly the security industry, we haven’t done a good enough job making it super easy to snap everything together and get really positive outcomes for fast, high ROI, positive outcomes for customers. I’m speaking broadly of the industry over the history of it, not specifically of Okta in the recent period, which I’ll get to in a second.
So all of that, the point of all of that is I think that R&D and innovation is incredibly important and one of the things I’m most proud of over the last few years is the progress and the velocity and innovation we’ve had at Okta. I think one of our main priorities for this year is reaccelerating growth, and the job is not — we can’t say we have great R&D and not re-accelerate growth. The job of re-accelerating growth is the most important, and R&D is an input of that, but we still have to deliver that outcome. But that being said, I am very proud of the innovation. I think that there’s a couple things that are behind that. One is that I think we had some growth and some maturity, and we got our processes in R&D better in terms of investing in tools and technologies and capabilities to have an R&D organization scale. We’ve done a good job there. But I think one of the biggest things we did was when we bought Auth0, a few years ago, it actually, we had a ton of capacity into the company.
And so, particularly, the team that was working on Okta could really, instead of having to focus so much on customer identity, they could really double down on privileged and governance and some of the new areas we’ve recently launched or have interaction with so it’s sometimes things are simple and in that simple case or sometimes part of the reason is simple and a simple reason there is that we just got more capacity and we could focus some of those teams on those new product areas. And I think that things in the R&D pipeline are good. They’re in the market now. And now it’s about us executing and actually using that foundation to drive reaccelerated growth.
Gabriela Borges
As you think about what the long-term roadmap for Okta looks like, what’s the next technical challenge that you’re excited to solve for your customers given that you now have all of these different products? Is there any governance privilege access? Are there inter protection, et cetera. What’s next on the roadmap?
Todd McKinnon
We can broadly speak there’s specifics, but broadly speaking we can make it a lot simpler for customers to get value out of identity and get value out of everything else in the security ecosystem and everything else in their technology ecosystem. So a simple example I’ll give you is right now it’s very hard for a company to comprehensively across all of their SaaS applications and on-premise applications and cloud infrastructure and on-premise infrastructure actually guarantee that every user interaction and every machine-to-machine interaction is coming from a known and trusted network. Internally at Okta over the last year, we’ve gone through a comprehensive assessment of this and completely locked down all access to known IP addresses and it’s actually quite challenging to do and very, very few companies actually do it. And I think the reason why is because there’s not good standards for how this should work. Every SaaS application, every piece of infrastructure Implement IP range restrictions differently in a non-standard way, some of them don’t support it, some support of it, limited support, some of them do it a different way.
And so it’s really non-standardized. So when you get a company that’s trying to lock down their whole environment to be one of the most secure organizations in the world, it’s quite challenging. So one of the innovations I’m excited about is thinking about how we can help the industry standardize that and get this flat, consistent ecosystem so that customers, when they want to adopt the modern identity, when they want to go to zero trust, when they want to have these things we all talk about, they know that they’re going to get complete value in tons of control and visibility right out of the box, which isn’t the case today. So that’s a broad, there’s various different ways on how we do that, but it’s an area I’m excited about.
Gabriela Borges
Are you talking about essentially going tomorrow for a whitelisting approach to IP identities? And if so, how is that technically different from what you currently do with SaaS identities or user identities?
Todd McKinnon
So, user, I think it’s the right approach for security architecture is multiple layers. So there’s, you want strong person identity, biometrically authenticated in an efficient and resistant way, and you want whitelisted, you want managed and secured devices that are only, access is only permitted from managed and secured devices. You want the ability to have flexibly have a policy so that in the case that you do have to relax those restrictions, you can do it only for the applications that are high risk and the workloads that are high risk.
So it’s like multiple layers and a policy engine that can make it all possible. And one of the layers beyond just biometric, phishing resistant authenticated users and a trusted device that’s managed and known and secured by endpoint security, you also at the network layer, you want to have a controlled network perimeter and trusted validated network and that’s where the IP whitelisting comes in. The challenge is that the things I’m talking, the thing I just talked about are kind of well-known in zero trust conversations about like the things you need to do for zero trust user identity and zero trust security. The challenging thing is when you try to go to this, you try as a company, you’re trying to not only secure the users but also every API integration and every machine to machine integration, then there’s really not a — there’s not the equivalent of standards for phishing resistant MFA for inbound API calls.
It’s not specified very clearly, you kind of store some token in a certain way. It’s really hard to get all of your network of the web of machine and machine interactions all come from your trusted corporate network because half of them are other SaaS providers that aren’t on your corporate network. Not only are you your own applications, not on your own network, because they’re in a SaaS provider’s data center. But the things that are calling them, agents or other SaaS apps, or your forecasting tool call in Salesforce, is not on your corporate network. So then how do you do it? It gets really, really hard. And this is an example of a complexity that people aren’t able to deal with seamlessly out of the box, that if we, I think, we standardized things more, made it really clear to SaaS providers how this should work, made it really clear, in terms of the protocols for how machines should integrate with each other, we could simplify it all, have customers get much quicker time to value by installing all these products and make it better for everyone.
Gabriela Borges
And how do you think about where some of this functionality naturally falls between what some of your competitors and network security are doing versus what your core competencies are on the identity side?
Todd McKinnon
I don’t actually, I think about that, but only in a second order type of thinking. The first order is how do you solve the problem for the customer? And the second, in solving that, you get down to what’s the best approach and what should each party do and what should the network people do and what should the identity people do and what should the endpoint people do and what the overlap should be. And then you kind of think about all right, if this is the right complete solution for the customer, then what do we have the right to win?
How does identity fit into that? And I think it’s kind of, when you take it from that approach, it becomes pretty clear who should do what. That doesn’t mean that all the vendors are kind of sticking to that. There’s a lot of people trying to poke into other people’s lanes. But when you actually look at what people are doing and how they should be integrated, interacting, it’s fairly clear, at least from a customer perspective, what they want each player to focus on.
Gabriela Borges
That makes sense. One of the things where, or one of the dynamics where I think you do have a right to win that you’ve consistently talked about is the level of integrations that you have, especially versus someone like a Microsoft. Talk a little bit about how your integration network is architected and how do you think about maintaining and extending that ecosystem over time?
Todd McKinnon
Yes, it’s related to the, I think, and if you really zoom out, I think this what I’ve been talking about here on how we’re, our goal is to standardize more things and we want it to seamlessly plug together and get good security outcomes and good productivity outcomes and technology usage outcomes for customers. That’s really an extension of what we’ve been about from the beginning. It’s just taken to the next level. So in the very early days of Okta, we were the first to market with this concept of, there were some identity standards out there, this thing called SAML and this thing called W S Federation. And there’s various, other things people are trying to standardize. We were the first company that said, we’re going to like guarantee you a customer that we’re going to build you a single sign-on system that worked with everything.
And we’re not going to bother you at all with different protocols or different standards. We’re going to guarantee you that it works. And we’re going to take care of like managing the complexity of different standards. And by the way, 90% of the applications didn’t support any standard. So we had to do really kind of down and dirty things about screen scraping and how we could make these applications look like they support a single sign-on when they didn’t, and that’s what we did. And the way the company grew and got momentum is that customers really liked that, the fact that we had so many customers, and just the fact that more and more apps built support for these standards. And we had this kind of this system where we could, as they brought new standard interfaces online, we could swap out our maybe non-ideal screen scraping integration and go for the standards. And then the standard evolved, and we evolved, and it kind of grew from there.
And so the dimensions of how integrated, there are really two of them. There’s the breadth, how many applications. And we talk about this number, 7,000 – 8,000, which is quite wide at this point. But probably as important is the depth dimension, which is there’s one thing for an application to be integrated to identity from a single sign-on perspective, meaning you click the button and you actually can sign you in. There are all these other capabilities that make an integration deep, namely not only can it sign you in, but actually it can actually replicate the user accounts so IT doesn’t have to manually do it. Or another one is if it’s an HR system, can it do employee onboarding, can it take that business process and copy it not only from HR into your single sign-on system but copy that account into all the other systems downstream that might need that account.
And so there’s this depth of integration as well. And so when you talk about standards and standardizing machine-to-machine integration, or when we talk about standardizing how, we’re talking about standardizing like how log files can be collected and how companies can get centralized visibility out about identity threats. Or we talk about a product we have called identity threat protection, which is all about, okay, you log in, but Okta keeps monitoring your device management, your endpoint security system, your network security system, and anything that’s detected during your login session, any kind of malware, any kind of network intrusion, we automatically shut down your identity session and then we log you out of everything else. That’s not single sign-on, that’s like some kind of continuous session monitoring plus integration with CrowdStrike, and Zscaler, and Netscope, and Palo Alto Networks, that’s a very deep integration.
And so, our competitive differentiation has always been breadth of integration and depth of integration, and we’re pushing that forward on all fronts, even to the extreme, where we want to create new kinds of standards, enhance the existing standards, so that it all just works together. And so, companies say, all right, I’m going to pick this endpoint, and this network, and this identity, and this application, and this HR system, and it just works. And I don’t have to worry about how do I secure the machine-to-machine interactions, the APIs that are going to call this, how do I worry about the difference between my employee users, and my contractor users, and my partner users, it’s just too complicated. And the more standardized and systematic we can make it, the bigger the pie it’s going to be for everyone.
Gabriela Borges
Absolutely. I want to come back —
Todd McKinnon
And we’d love it, by the way, if this maybe sounds counterintuitive. We’d love it if all of our competitors and all the zero trust people and all the security people had the same idea and wanted to rush to standardize everything. Even if maybe that meant that our identity competitors could do some of the stuff we could do. Maybe in the short term, that wouldn’t sound like a good thing for Okta. But I think for customers, if they knew that it would be standardized, that’s going to accelerate the velocity and the purchasing so much, we have the best product, so the bigger pie is going to make us much more successful.
Gabriela Borges
That makes sense. I want to come back to where we started this conversation, which is your point on R&D. Ultimately, the goal is to re-accelerate revenue growth.
Todd McKinnon
Yes. R&D is the means to that end, yes.
Gabriela Borges
If I think through the bull case for the stock, which we subscribe to, it’s Okta being a 15% plus, 20% plus revenue grower. I compare that to the 9% growth in CRPO that you’re guiding to for 3Q. Help us understand how to separate out some of the macro headwinds that may be impacting the business today versus some of the secular growth opportunities that we spent the last 15 minutes talking about?
Todd McKinnon
In that, I think big picture, our conversation with customers, our interactions in the market, our competitive position, they’re all very positive, consistent, very similar to what we’ve heard in the past. When we talk about macro headwinds, we’re really, in my conversation with investors, I reiterate this over and over, is that macro headwinds, we’re talking about an environment that’s been consistent for over a year now. It’s not getting worse, it’s not getting better, it just kind of is what it is. In fact, at some point, we’re going to have to start calling it macro, stop calling it macro headwinds and just call it the new normal.
And so I think that being said, there are realities in what we’re seeing in the business. We think that big deals particularly, if a couple years ago they would have taken two approvals, now it takes four. There’s extra scrutiny in the purchase. The deals get done, the projects are as big, they are as strategic, it’s just a little harder, a little slower. And so that is a thing, I think, which makes sense, right? Because Okta, the company, is doing the same thing. We’re being more careful about what we buy. We’re making sure that we don’t have redundant capabilities. We’re making sure that we pick a solution in an area and use it and get value out of it before we buy some more. So I think a bunch of companies are doing the same thing. And when we’re working in the field and sales cycles, we’re working with them and accommodating them. In terms of like, the base of business we have, that shows up in the numbers. Particularly, it impacts the net retention rate. Because a couple years ago, we would have seen, if a company needed, had 1,000 seeds or 1,000, a bucket of 1,000 monthly active users on the customer at any side, they were very optimistic.
And everybody was like, yes, we’ll probably buy 1,500. And we’ll grow into it. And now, it’s like, if they need 1,000, they say, oh, we’re going to buy 750. And we’ll make sure we get to 1,000 before we buy 1,000 at the next renewal. So I think you’re seeing in the net retention rate, you’re seeing where in the past, there was like a tail end to that, now you’re seeing that tail end is gone. And it’s like, the net retention is kind of more, instead of maybe people over buying, it’s like they’re actually buying maybe even a little less than what they need. But we think that will over time, as cohorts have been doing that for now over a year. So ultimately, eventually, that’s going to normalize out. And that’ll be more of a normal thing that we won’t be comparing against the past period.
I think we’re going to have to, in terms of the guidance, I think the Q3 CRPO guide is there’s the normal kind of guidance process in how we think about an achievable guidance and in guidance we’re confident in. There’s also in that number, some conservative for any kind of security incident hangover that we’re going to come up on the anniversary of the security incident we had in October. And I think it’s probably, I think the last quarter that we’re going to have that conservative built in. We haven’t seen big quantifiable impact. We haven’t seen any quantifiable impact. So that’ll probably be appropriate time to reconsider factoring that into the guidance. And then the other thing about the guidance for Q3 is that the second half of our year is the majority of our bookings. And so we’re going to get a much, I think we’re going to do it in Q3 earnings, we’re going to do a revenue guide for next year, we’re going to have a much better kind of view on how the second half of this year is going to go and we’ll be in a position to update the guidance then.
Gabriela Borges
I’ll ask the follow up here. And you mentioned eventually you get the stabilization in the cohorts. Is that a way to think about perhaps your typical deal length relative to the excess buying of the 2021, maybe 2022 cohort as to when more tangibly you would see a normalization in the cohorts?
Todd McKinnon
Like what, yes, when is, I think it’s a gradual thing, meaning, and I don’t, I haven’t done the analysis, we haven’t done the analysis to like know exactly when it peaks and when the trend is and all that stuff. I will say that the buying behavior and everyone saw this not only in our results but in the overall market in the second half of ‘22, calendar ‘22, so second half fiscal ‘23, so that means we’re eight quarters or five quarters in, six quarters in, so I think it’s getting to a point where somewhere near the peak of it right now or that we’re starting to get to the time where some of those people that didn’t over buy are representing more and more of the cohort, so I think that’s a positive trend for the future.
Gabriela Borges
And do you look at internal data on customer utilization of their offer preference and any comments on how that utilization –?
Todd McKinnon
Yes, we definitely seen it, we definitely seen the utilization compared to what they bought, the utilization is a higher rate over the last six quarters as the over buying is slowed down, so that’s a good sign as well.
Gabriela Borges
Absolutely I agree, so what’s the thing that –
Todd McKinnon
For a long time it’s interesting, for a long time it was, I think in retrospect it’s obvious it was because of this over buying, for a long time it was, we were surprised about relatively speaking the utilization rates looked low, and I think this is because people were over buying, I was like yes, we’re going to grow, we’re growing, yes, okay.
Gabriela Borges
[Inaudible]
Todd McKinnon
1,500, yes, 1,500, yes, we’ll buy, well, we need a 1,000, we buy 1,500.
Gabriela Borges
So let’s assume that the macro environment is unchanged here earlier coming on the new normal and you have incremental stability in the cohort sizes or in the cohort expansion rates, what else do you need to see or do you need to underwrite that’s within your control to be able to bridge up to a faster normalized growth rate?
Todd McKinnon
I think there’s a few a couple key things that we’re really focused on. And so really three things. One is that just we are seeing a lot of progress in large enterprise and there’s a lot of potential there for us. So it’s one of the things that when people ask me like what investors not understand about Okta. I think people overestimate how penetrated we are in the large enterprise and I would say that we’re, we have a lot of potential there. We talk about 40% of the, we have some kind of footprint in 40% of the global 2000 but even that 40% there’s a lot of room to expand that the usage in terms of number of seats and number of products.
So I think of Okta as a company that was successful in mid-enterprise with tons of potential growth and some traction but tons more potential in the large enterprise. I think the reason that kind of it was okay so in your control like how do we make that happen. Part of it is the products, some of this R&D innovation gets better and we’re able to particularly with things like connecting to on-premise resources, doing governance, identity governance with on-premise resources, that product’s getting better and we have more capabilities to do that.
So there’s definitely a product component. Some of these new products that we have that are more directly contribute to immediate security outcomes like Identity Threat Protection with Okta AI or Identity Security Posture Management, you can see those being really in short term, valuable from a security perspective to a large enterprise. Identity Security Posture Management scans your entire identity ecosystem and tells you where the problems are. Very actionable, very quickly. Different than identity provider which you have to implement and integrate and customers, especially in a large enterprise, can look at that and say, that’s great, but it might take me six to 12 months to get value out of it. Different equation when you say, Identity Security Posture Management can give me value very quickly. So products innovation, the other thing about the large enterprise too is that there’s an amount, people have the idea that, oh, the large enterprise is like adopted cloud and their cloud transformation is done. Ironically, some of the largest enterprise had the most IT investment, so they had the most on-premise infrastructure. So there’s some of the things with the largest amount of cloud transformation to go.
And that just is what it is and as the technology forces of better cloud infrastructure, AI, how do you run your AI workloads? Do they do that in the cloud infrastructure versus on-prem? A lot of this change in evolution is driving them to modernize and upgrade. And I think that’s a positive trend for Okta in a large enterprise. We’ve always seen from the company early days, there’s a strong correlation with change in the technology stack with a company’s proclivity to want to adopt Okta. So that’s a positive impact there. The example, I think a good example of a recent deal I was involved in, just to make it very concrete for everyone. So, this company is a very large company and this is a significant transaction for Okta. And the reason it was happening is very simple. The Broadcom Computer Associates Identity products, Broadcom was raising the price of them. And the company that I was working with, that just catalyzed this thing is an old thing. We instead of paying so much more money, we want to look at modern alternatives. It wasn’t just that. They also want to have more diversity in their ecosystem away from relying so much on Microsoft.
They wanted to move to some cloud infrastructure. And so all these changes together, it was like, we really should look at a modern identity platform. So thus, we have this opportunity for this big deal. That’s the kind of thing, the more that happens, the more people look at modernizing their identity. And when they’re moving off of legacy identity, for a lot of reasons we talk about all the time, we’re the pretty clear choice. And that’s a good thing. So that’s one thing. The other, you talked about things that are in our control. I think we have to continue to do a good job of selling value from a security perspective. And these new security products help. Security Posture Management, identity for your protection, privilege access. Traditionally, Okta was thought of as IT enablement. And we can help companies have a great end user experience. Yes, of course, there’s a security benefit with multifactor. But it’s really kind of convenient. And we can help you get new projects rolled out. And if you want to get the SaaS app adopted, it’ll be better. But now, in terms of value profit, immediate helping these companies with security issues, we have a better set of products.
And we have to continue to be good at selling that value and positioning the company that way. That’s something we’re working very hard on. And then third thing I’ll say is that in the customer identity realm, we have to continue to get better and have success selling customer identity, not to just the CIO or the CISO, but also to the digital officer, marketing, product officer, technical officer. The idea is that identity can help all of these departments. We’ve traditionally been good with companies that are very, the IT group controls a lot of the technology or a lot of the decisions around customer identity. A good example is a great customer of ours called JetBlue. And IT there owns the employee identity, but also the TrueBlue loyalty app. And so we have a great deployment there of Okta customer identity.
It’s a great customer for us. If it’s like a tech company, it’s likely that the product organization or the engineering organization makes the customer identity decision. And we have to continue to be able to do that at scale, because it’s harder for us. We grew up selling to IT and security. There’s a I think like a lot of part of that, a big part of the market is those people building it themselves and we are often a better way, we have to continue to do that. So those three things, large enterprise, selling security and Non IT buyers are three things that are important for us.
Gabriela Borges
So all those things connect with the go-to-market and I think you’ve commented on this year being a better year for sales productivity versus last year. We’ve seen time and time again in SaaS that sometimes SaaS companies that do really well with the midmarket coming up market ends up taking longer than they expect. So talk to us about how you’re investing in the move up market and the move to build more sponsors at the customer et cetera. What are some of the key milestones we should be looking at?
Todd McKinnon
All the bit like we do all the things that are I would call that you would expect like the kind of people we hire in the sales team, the relationships with, this is a really important one, really working on the relationships and the alignment with global systems integrators. Because one thing about large enterprises, that the global systems integrators are very important to help them make decisions and execute on things. We’re in, you call them basic things like making sure that the marketing and the advertising is dedicated at that, those influential buyers and these organizations. The thing that might not be as obvious is that’s very important is that you have to have really successful customer references, and we work really hard to make these accounts that are large enterprise accounts incredibly successful and then so they’ll be advocates for us.
A good example of this is FedEx, right? We have 350,000 users of FedEx and the CISO there is, I work with them very frequently and talk to them all the time and we’re, we’ve really worked hard to prove that, to make sure that they’re incredibly successful with Okta and that word gets around and a lot of this is, it’s not just the technical environment and the evolution and the ability to upgrade, it’s also when those people look around at other large enterprises because they don’t, as they it makes sense, right? It’s like when they look for inspiration, they don’t look for the small companies and so the more examples like FedEx or the, and we’re getting a pretty good roster of these kind of referenceable customers so that portends well for the future.
Gabriela Borges
Absolutely. I want to end here with a question on Okta AI. Give us a couple of examples of some of the most impactful applications today either on the product side or for your own internal organization. And then what do you think is most promising in the next three to five years, perhaps something that has been quite ready for prime time today that may be in the future?
Todd McKinnon
So the one that we’ve shipped is this, I talked about it already, but at core of Identity Threat Protection is Okta AI and it’s a little bit of machine learning, a little bit of GenAI algorithms to really, at the core of what it’s trying to do is it’s trying to figure out what pattern of signals from, remember, this product has way more signals because I talked about how deeply integrated it is, it has way more signals than we’ve ever had before. It not only has the context from your login, but it also has the context from other layers of the security stack, it has risk scores from endpoint, it has the network security risk being fed into it, it has mobile device management status being fed into it, so it really gets a lot more data and then it can do a lot, it can have more sophistication, it does have more sophistication in on the kind of patterns it looks for that detects anomalous activity.
And it takes a lot of refinement because a lot of customers in early beta, it’s like typical things right like too many notifications, too many false positives, so we had to tune it to make sure that it didn’t have too many false positives and get it right. For now that it’s GA it’s like, hits the mark there. So that’s an important one. That’s kind of like maybe what you’d expect, right? If you had been at this conference three or four years ago, someone would have said a similar thing about machine learning and pattern recognition and threat detection, right? So that’s good that we’re doing that, and probably a more novel one and more from a like, oh, that’s different perspective, more interesting, is we’re working on something called governance analyzer with Okta AI, and it’s pretty cool. It’s basically training the model on the anonymous policy setups and configurations of thousands of Okta customers and generating a suggested setup for a company.
So it’s like, you have these apps, you have these resources, you have these users, so this is how you should set it all up, this should be your security policy, this should be how you lock things down, this is what companies do, this is what companies don’t do. And it’s pretty amazing. It’s like, wait, what? It’s all set up for me? Of course, they’ve got to check it and like make sure it’s right and but it’s not something customers expect from a tool like this, and that kind of stuff is pretty exciting, just from a technology perspective, like a technologist, it’s like, that’s pretty cool.
Gabriela Borges
I agree, absolutely. Please join me in thanking Todd for his time. Todd, thank you.
Todd McKinnon
Thanks for having me.
Read the full article here