CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Good morning, everyone. Thank you so much for joining us. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. And this morning to kick off our TMT conference, we have Josh Siegel; and Erica Smith, Head of Investor Relations. Josh Siegel, the CFO of CyberArk. We're really delighted to have them this morning. And before I begin, just for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. So to kick it off, thank you, Erica and Josh, for joining us this morning.

Thank you, Hamza. It's great to be here.

All right. Well, so I wanted to start off, Josh, with sort of a more macro question, right? I mean we're going to be asking this a lot during the conference. And I wanted to get a sense of, given your relationship with some of the world's largest organizations, could you speak to how the security demand environment has changed post-COVID, right? How is the demand environment looking into 2021? And do you think that COVID has accelerated pre-existing trends like Zero Trust or otherwise?

Yes. Yes. I mean, it's a great question as we start off the new year. And clearly, 2020 was an interesting year from a macro perspective, particularly around COVID. So the first thing I would start off with is that security remains a priority at the beginning of this year, at the end of last year and all really through 2020. And from where we sit, there's really -- there's no doubt that the budgets for security in 2021 are increasing. They increased 2020 versus 2019, although it came out in different forms, and it was a bit more erratic. But certainly, in 2021, we're expecting the budgets to continue to increase. And they really have to. Because when you think about not just what's going on with COVID, but you also just think about the continuation of digital transformation, the movement and migration to the cloud, hacker innovation and, of course, compliance is -- hasn't been reduced, it's only gotten a lot bigger since GDPR and the California rules, and a lot more probably are along the way. And so if you think about kind of the medium and large enterprises, and that's certainly where CyberArk plays, it's just a much more complex cyber environment. The risks are that much higher. And then when you add COVID on top of that, everything just got juiced. Everything just got accelerated in terms of the digital transformation, in terms of the migration to the cloud and in terms of the hacker innovation as well. And we kind of saw that towards the end come out in the public with SolarWinds. When we think about the Zero Trust aspect of it, Zero Trust is really -- it's like a framework for organizations to always verify identity with an assumed breach inside the network already. So it's understanding that even a trusted credential may be malicious and no longer trusted. And when you think about, for example, what CyberArk does, it's around Privileged Access Management, it's already assumed it's really about that, that's the foremost of assuming that you've been breached inside your network. And then when you take it and extend it out to Identity Security strategy, it's that then it goes off to your entire workforce. And then you have to start to manage through your entire workforce and always check whether or not that credential is the real credential. And again, it's also credential for human users and for application credentials. So when you combine Privileged Access Management, you combine it with DevSecOps, you combine it with access, and all of our identity security platforms, when you think about Zero Trust and you think about security, it's just never been more relevant. And again, I kind of like -- when we talk about also DevOps and access, we also address the Zero Trust as it's across human and nonhuman identities. So I think COVID was clearly an accelerator of that from a lot of different angles. And from a macro perspective, we're in a position of investing for that.

Got it. And then sticking on the macro theme for a second. With the recent SolarWinds or the SUNBURST attack, I think, Udi, on the last call, mentioned that he expects this to be a pretty significant event for cybersecurity, similar to kind of what we saw with perhaps Target back in late 2013. I'm wondering, how do you expect this event to play out as it relates to spending, right, both in sort of the near and the long-term? And how do you think CyberArk is sort of positioned for that event?

Yes. I think we're positioned really well because it's just another accelerator of all the things that we talked about within identity security. And SolarWinds had a lot of specifics to it. And actually, I'll turn it over to Erica because she's been following the hearings very closely and let her expand on that.

So yes. Thanks, Josh, and thanks, Hamza. It's great to be here today. Absolutely. I think when you think about this attack, Hamza, you look at and you really hear that Privileged Access was at the center of the attack. And it was actually an attack vector that CyberArk, we have a team of threat hunters. They work in our labs team, and they identified the Golden SAML back in 2017, which was actually the attack vector that was used in this attack. And we think over a long period of time, we -- broadly, it is a wake up call, very similar to what we saw in 2014 with Target and a number of the other breaches like OPM, the Office of Personnel Management, where views will have a -- really be a wake-up call for CIOs and CSOs, where they look at the Privileged attack vector, and they realize that there's something that they have to manage and take care of from a security perspective. And I think just exactly what Josh said about identity security, it really folds in nicely broadly across our portfolio. When you think about the major dynamics that play around digital transformation, cloud migration, you have to really secure across DevSecOps access in PAM. And so it plays really nicely into our broader portfolio. But again, as you know, we sell it to the enterprise. So there's 6- to 9-month sales cycles. And so it won't be an immediate effect as in the impact of what we will see. It will have a long-term tailwind. And again, I think as Josh mentioned, these are trends that were already in the market. These were things that we knew from a business perspective that this was -- PAM is the most targeted attack vector when you think about any of these major breaches.

Got it. Got it. Maybe shifting to CyberArk specific. So Erica, you touched on this, but maybe can you expand a little bit about on CyberArk and its strategy? I mean it went from sort of core Privileged Access Management to now these multiple pillars around access and DevSecOps. Maybe if you could talk a little bit about that product evolution?

Yes. Sure. So when we think about product evolution, it comes first from innovation. And we talk about innovation at CyberArk organically and also inorganically. And one of the things that I think CyberArk has been really successful about is really setting the pace of innovation in identity security. Our positioning today, as I kind of noted in the first answer, is really around identity security, and it's a foundation around privilege access being at the core. And -- but when you think about it, the world is really changing a lot today compared to several years ago. And our view is that, it's not just our view, I think if you go to any kind of security strategy view today, it's really that the identity is the new perimeter. And so we believe that identities need to be secured and not just managed. It's not just about easy access and knowing what they're doing and having them being able to access. It's really about also securing them. So in the same way, that would -- so in the same way that we think about humans and human credentials and securing those human credentials, which has been the core of Privilege Access, we also think about it from an application, a machine, a DevOps tool, an endpoint or whatever. And with the digital transformation, the lines between a privileged user and a workforce user is now more blurry than ever. And then again, that's related to whether or not it's a human user or machine users. So when I say that identities need to be secured and not just managed, it's really important that all these identities have the right security controls depending on their activities. And so essentially, what we're doing is that we're applying advanced AI, artificial intelligence capabilities, to really automatically and dynamically adjust their needed privileged security control to each session based on the levels that the permission that is required. And then...

Okay. That's makes sense. Sorry, go ahead.

So I was just going to add that the permissions are really defined closely by the risks associated with the session or with the activity. And our position is that enterprises, especially large enterprises that we work with, really need the combination of the Privileged Access Management, the access piece and then the DevSecOps, and that's why we've been able to really move into there, both organically, through our products and, of course, we also did some inorganic activity as well.

That makes a ton of sense. I mean, going away from sort of just traditional user entitlement permissioning to what you mentioned, sort of this broader, enabling these security controls between users and machines and to a more holistic identity strategy. I wanted to switch topics for a little bit. So you recently announced that you're going to be doubling down on this SaaS transition, and that's a big topic these days among investors. Maybe just before we dig into numbers, I want to know kind of what kind of benefits fundamentally do you think this SaaS transition will enable in terms of, you mentioned earlier 6- to 9-month sales cycles, do you think that the SaaS product will have shorter sales cycles? Do you think it will allow you to maybe upsell more effectively into your base? Do you think it will allow for these net new customers as well that might not be the largest enterprise in the world? Maybe just touch on some of the benefits there.

Yes. I think in terms of the sales cycle, it's going to be hard. For our sweet spot of the medium and large enterprises, I would still say it's going to be 2 to 3 quarters. And I say that because it's a sticky product. Even as a SaaS, it will be -- we expect it to be very sticky. And it's also very -- it's very crucial to their security strategy. I think where we could start to see smaller or lower or faster than 6- to 9-month sales cycle is as we go down towards mid-market and small enterprise because anyway, it's a lot less complicated of a purchase. And we can see that perhaps being faster. I think in terms of the other dynamics that we can expect to see is, particularly as they move to SaaS and consuming of SaaS, is buying smaller. So buying -- consuming less upfront and then coming back faster to buy more and more, either more seats for the same product or moving across to different products. And that's a phenomenon that we started to already see in 2020. And we expect that -- and it's -- and we expect to kind of see that typical with SaaS consumption. And as a CFO, who actually buys a lot of SaaS applications, I see the same way in terms of how we acquire SaaS applications as well as a buyer. It's your -- the beauty -- one of the beauties of the SaaS model from the customer perspective is that you really get a full engagement by the customer, you really can hold them to a very tight SLA, you can really get and have the most efficient use of your purchasing. And we expect as a supplier of PAM as a cloud or EPM as a cloud or cloud entitlement management or access to the cloud, that customers are going to treat this the same way.

Got it. Got it. No, that makes a ton of sense. And then I wanted to dig into numbers here a little bit. So you called for ARR growth, you expect that to be kind of in the 30s this year, I think, you mentioned on the last earnings call. And SaaS and subscription to be about 55% of the bookings mix. Now it seems like this whole SaaS adoption is something that's very much market-driven. But can you maybe speak to some of the sales force incentives that you're putting in place to drive this accelerated adoption of the SaaS and subscription products?

Yes, absolutely. I mean one -- there are several key components for, I think, any company, and particularly what we've identified for CyberArk to be successful in this whole SaaS transition. One is just what type of offerings are we going to offer, whether it's in the cloud or whether it's on-prem and that they will still choose to subscribe it. Two is the compensation plan, which you just asked about. It's critical that we've revamped our compensation plan with our -- internally with our sales teams, and there are a lot of ways to do this. There's the carrot, the stick, there's a combination. And what we've chosen to do at CyberArk certainly for the first year is really to use the carrot, encourage our sales teams to quote out the door SaaS over non-SaaS, and subscription if they insist on having on-premise as well. And we believe that carrot is enough to have new quotes going out the door to be in that favor. But we're not choosing to penalize them if they want to continue -- if they do make an on-prem or a perpetual sell. And the really -- the reason is, is kind of what we started to talk about earlier, is that we are a 6- to 9-month sales cycle. So a lot of what's happening during the first 6 months is really related to pipeline growth generation that we did in 2020. And second, I mean, it's not a secret. I mean CyberArk took till now to make that transition. And it wasn't because we were lazy or because we didn't want to do it. It's because we sell to large enterprises. And I think these large enterprises have been some of the last to really decide a couple of things. One is that this should be a subscription purchase at all because it's so sticky and we saw much more and they saw much more as IT infrastructure. And two, whether or not they were even willing to consider buying a lot of these products as a cloud on a third-party hosted environment. All those things have changed for a lot of good reasons. Some of them we talked about early on in the first question as it related to COVID and the changes in the macro environment, the digital transformation, the hacker innovation and the likes. And so we're -- we want to be sensitive a lot as well to our customer base and ensure that they understand that we're going to complete -- that we're not going to be pulling the rug out from under them on day 1, that this is a transition. But we have changed internally. And by the way, it's not just for the sales teams. It's for everybody in the organization is now speaking a new language. If you open the doors into the hallway here, it's about annual recurring revenue. It's about total recurring revenue, it's about customer success and high renewal rates and the like, and we're changing all of the systems around that type of the language. So it's -- those who don't get on board will be left behind.

Got it. Got it. And so you're already doing around 40% ARR growth, and you just started to basically really incentivize the sales force. So what's sort of the impediment towards maybe even accelerating ARR growth potentially this year? Or do you think that there has to be maybe some conservatism or caution around as you do align the go-to-market towards SaaS, right, that there might be -- you mentioned these sales cycles, that the benefits will likely come maybe more at the back half of the year and later?

Yes. So there are a lot of moving parts, Hamza. And as opposed to calling it conservatism, I would call it really taking a balanced approach to how we guide and how we try to set expectations for internally and for externally to the investor community. And it's really a combination of opportunity, which we look at our pipeline. We had a record pipeline in 2020. And on our close rates, of course, we have the whole macro environment also to consider as well with COVID in and out situation. You look at visibility, and the visibility is not just annual visibility. It's actually -- we also get look -- we also look into the quarterly visibility, which is several times harder than the annual visibility. And then our ability to execute. And that comes from the capacity of our sales organization. And I can tell you there, we do take in the soft angle of -- there's a lot of things involved in a transition. It's a matter of education to the sales teams. It's a matter of them understanding the compensation plan as well and utilizing that, and not getting confused about what's happening in a transition. So when we're trying to do the best of both worlds by, one, also making our customers really happy, by not being bullies, so to speak, on the transition, but allowing them to also acclimate, we also have to then be even better internally on the education side. So we did take that into consideration when we think about where we want to set expectations.

Got it. Got it. And when we think about the mix of SaaS and subscription, so you mentioned 55% of new bookings this year. And then by the end of next year, it should be 85% or higher. How does that kind of split between SaaS versus term license?

Yes. So we basically are seeing, and we saw this in 2020, and we saw -- and we're seeing the pipeline build in sort of a similar format, where we're going to be SaaS-heavy. So when we think about probably for every dollar of on-prem term base, we'll probably be seeing $2 of SaaS going at that level. And I think it's coming from a couple of different pieces. One is we've really ratcheted up the number of products that we have available as -- to be consumed on the cloud, and I kind of ran through them quickly before, but it's our Privileged Cloud, which is our -- one of our flagship products. It's our Endpoint Privilege Manager, which we used to sell either on-prem or as a service, and it was typically half and half. And in the last year, we've converted it to 90% selling or bookings in the cloud. It's our access products that we acquired through Idaptive. And more recently, the Cloud Entitlement Manager that we just introduced only in the last couple of months. So we've really started to create this very robust product portfolio, cloud product portfolio. And where probably 2 or 3 years ago, it was rare for a medium or large enterprise to even consider putting their keys to the kingdom in a cloud, in a third-party cloud environment, today, they're looking at it. Not all of them are ready to go there, a lot aren't. But they're certainly looking to discuss it and want to know that it's going to be available. And so we are starting to see that trend moving in our favor as well.

Got it. And I think you touched on this earlier, but if you could talk a little bit about kind of what the reception has been so far from your sales force around aligning towards SaaS and the customer reception as well towards this new sales motion?

Yes. I think internally -- you asked first about our sales teams, right?

Yes.

So internally, they get it. And they -- first of all, all of them are very experienced and a lot of them have also come from different companies. Some of them have already been selling SaaS. And as we saw in 2020, 35% of our bookings were already coming from SaaS and subscription with a 2:1 on SaaS to subscription. So this is not like a 0 to 1 type start for them in 2021. They already got it. Last year, they got it from a -- it was neutralized -- neutral to them. So they didn't lose money by selling the smaller deals. But this year, they'll actually be accelerating. So I think like any good salesperson, they -- once -- they want to make their money, but I think that they're very receptive to it. And I think that they also are getting very good feedback from the field. So they're getting good feedback from the partners who are -- this is also -- can be a bonus for them because they're used to selling a lot of all the other software and applications, enterprise software in a SaaS format. And they -- also, as I said earlier, I alluded to it, is that customers, the ones that want to go there, really want to go there because they view it as a way to really create a very powerful engagement with the supplier, with the vendor and a way for them to really manage their spend on the product as well. So when they get the feedback from us pushing it and from the field saying, "Yes, we get it and this makes a lot of sense," it works. I think from the customer perspective, I kind of just alluded to it, some of them are -- all of them want to know that we can get there down the road even if today they're not going to buy it. But on Endpoint Privilege Manager, as I said, 90% of our bookings today are now on SaaS, and we expect it to be 100% this year. They really, really liked the fact that we were able to sell our remote access into PAM on a SaaS basis already last year. So we're -- we feel excited that there's no -- doesn't seem to be a big pushback from the customers.

Got it. Switching gears for a second around sort of the competitive dynamics, right? CyberArk is the clear leader in sort of Privileged Access Management today. A lot of your competitors have either been acquired or taken private. But one of the topics that comes up a lot in security is sort of consolidation and convergence of different security submarkets. So today, there's a lot of focus on the consolidation between broader access management, right, and privileged access management and the competitive dynamics vis-à-vis an Okta or Ping or otherwise. I'm curious what are you seeing from your vantage point around that convergence? You obviously bought Idaptive, which got you more into broader access management. Do you think these markets will eventually converge? Or do you think they'll kind of operate in their separate swim lanes?

So Hamza, I'll start, and then we can hit it back to Josh. But I think if you think about the identity, the IAM space generally, which has the 3 main pillars, so around Access, PAM and governance, I think what we've seen historically is that there has been some good convergence at the use case level. And obviously, our move with Idaptive did push us further into the access market. But I think our approach is very different. And I think Josh talked a lot about it at the beginning, where he talked about the fact that we're really approaching the market from a security-first perspective. And so our vantage point is that, yes, there is blurring of those identities between the human identity as well as the machine identity and the nonhuman identity, obviously. And that those identities need more security controls. And so our view is that our customer base as well as our prospects are very interested in looking at security first motion, and that's where our identity security broad-based approach to the market is coming from. And so I think over time, over a long-time horizon, you are going to see more convergence, particularly at the use case level. But from a competitive perspective today, we aren't seeing any real change in the competitive landscape where, obviously, with Idaptive in some situations, we're competing with some of the access management players. But I think we also see a lot of great partnerships there. And so if you look at someone like a Ping, we've got a great go-to-market field motion; someone like a SailPoint, we have a lot of joint customers where there's a lot of collaboration there. And so I think we absolutely see that moving forward. If you look at a longer-time horizon, I think you will see that blurring of the lines between the identities and the security elements, in particular, that we'll see more convergence there.

Got it. So I think we're -- got a few minutes left, but I wanted to ask a little bit sort of a model question. So coming out of the SaaS transition, right, what kind of growth and sort of steady state margins is CyberArk looking to target, right? Is it going to be a more rule of 40? Can you give us any sort of color on sort of what the composition of what that would look like?

Yes, Hamza. First of all, it's a good opportunity to pitch our Investor Day on March 10. So -- I don't know if I'm allowed to do that on a Morgan Stanley Conference, but...

No, please go ahead.

But absolutely, we'll be talking some about our medium- and long-term framework there. But we've said it before, we definitely believe that with the market and with our leadership in the market, CyberArk should be a 20-plus-percent grower on the other side of this transition. And as a 20% plus grower on the other side of this transition, we definitely will be able to get the leverage across the R&D and across the sales and marketing and G&A to be, I think, a nicely profitable model. And we'll certainly be queuing in around the rule of 40 from a high level.

Got it. Just one more question around margins. It's kind of a question that we're asking a lot of companies is, with COVID, obviously, a lot of companies save money on things like T&E expense. I'm wondering from the efficiencies that you saw from an OpEx standpoint during 2020, how much of those do you think are more sort of temporary onetime in nature? And how much of those do you think are going to be more permanent efficiencies going forward?

Yes. Interesting question. I think for sure that on the travel, that was a onetime. I mean, at some point, we're going to be traveling again. And it may not be at the same level, but I have to believe it's going to be at 70% to 80% of the same -- of the original level. So I think that travel will come back. We've modeled into our guidance traveling coming back in a meaningful way in the last quarter of this year, starting in Q3 but in a much more meaningful way in Q4. Is that right? I don't know, that's anybody's guess, but it will come back. And I know that I'm waiting to get on the next plane as soon as I can to the U.S. But I think where it -- the other area, which is really interesting is around the digital marketing versus physical marketing and physical programming and things like that. And I think though, even there, there's some respite, there's some reduction. But at the end of the day, you just fill the void with more. So I think that overall, I guess, net-net, I don't think there will be leverage off the operating model when COVID is no longer being talked about, there won't be that much leverage in the model because of a new world after COVID.

Okay. Got it. Well, I think we're a little bit over now. But Josh, Erica, thank you so much for your time this morning. Really appreciate it and looking forward to the Analyst Day on March 10.

Great. Thank you.

All right. Thank you, guys. Have a great rest of the week.