CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

My name is Doug Bruehl, and I'm an associate on the software research team. With me this morning, we have the privilege of hosting CEO and Founder, Udi Mokady, of CyberArk, as you know. So we'll do about a 20-minute Q&A between the 2 of us, and then reserve the final 15 for any questions from the floor. So you can submit them electronically on the conference app or just raise your hand, and we'll get you a microphone. So Udi, thank you so much for being here. So for those not as familiar with the CyberArk story, can you give a brief overview of both the platform and the business?

Sure thing. First of all, good to see everybody, and to be back in person and see things opening up. We've been traveling quite a lot, and it's good to see things come back to normal as much as possible. So CyberArk is an Identity Security platform centered on Privileged Access Management. We're, first and foremost, a cybersecurity company, and we create a layer of security that allows organizations to secure their human identities, their machine identities, embrace digital transformation, but really protect against -- to protect those identities against lateral movement against credential takeover. We cover -- we basically pioneered the Privileged Access Management space. I can say that we even coined it and have been leading that for many years and expanded to what we call Identity Security to cover that proliferation of privilege, where a lot of types of identities can become privileged in certain scenarios. And now CyberArk with the platform can cover all humans, the workforce employees of our customers, their suppliers, third parties along with those machine identities that I mentioned. We're excited to have transitioned to a subscription model, and we announced in this last earnings results that we did it in 5 quarters versus the 8 to 10 original time line. And so we're seeing both the benefits of the change in the business model and of course, the expansion to more and more SaaS led Identity Security platform.

Great. Yes. And I think within cybersecurity as a whole, the principle of Zero Trust has gained a lot more attention in recent years. How does AI on your platform intersect with the Zero Trust principle within the underlying architecture?

No, absolutely. First of all, you -- Identity Security is critical for Zero Trust. I would say, first and foremost, how can you have Zero Trust if you have privileged users with access to everything, and they can turn off security controls and do everything. So first of all, Privileged Access Management and the concept of least privilege that is all across our platform is critical to achieve Zero Trust. On top of that, with AI, we're able to create machine learning algorithms to really study what's normal behavior around those users that we're managing and able to create dynamic policy so that the organization doesn't have to deal with setting those up and to put restrictions and controls based on anomaly behavior. And so I would say that it's an important part of the infrastructure. It was very important when we were monitoring anomalies with privileged users. Imagine an IT employee with the ability to do anything in the organization, and that IT employee can be hacked as we expanded to all identities, the platform now supports the ability to run AI and detect those anomalies and reinforce controls transparently to the organization.

Great. Thank you. So development security operations is another critical piece of the identity and access management puzzle. How have you integrated that as well in your platform? And how does that benefit the customer?

Yes. So I mentioned we started with the human privileged users. Those were the IT employees, the administrators that expanded to developers. And later on, with the proliferation of privilege, we expanded to all types of humans. But behind the scenes, machines and applications, they consume credentials as well and keys. And so you can almost put on these glasses and see and in an enterprise, those human users and behind the scenes, those applications, all consuming credentials. And that's -- again, with work with our customers over the years, they -- we expanded to what's called secrets management and that ability to secure how applications communicate between each other. And it's become a growth engine, an important growth engine for CyberArk, and it's part of the platform. So in a typical enterprise, we may land and solve the -- and begin with a privileged human user problem. But part of the expansion is also to cover their application credentials, their secrets and do that under that one platform really enabling them to expand the control over their DevOps processes, and I would say, the -- the shift left side of the organization.

Great. So moving on to security gaps that you commonly see within customers. What common mistakes do you see enterprise making or sort of incorrect assumptions that have about identity and access management?

Well, I think we've come a long way. I think it used to be a world where you thought that if you -- you had the control over your users and if they're within the organization, then the organization has control. I think the last 2 years really showed the world that they have back to that Zero Trust that they even given a trusted employee, they can -- their machine can be breached. They may be using their own machine. They can be a third party and that, therefore, they have to provide those real deep controls. We're seeing that Privileged Access Management has become almost close to cyber hygiene, like how can you defend an organization if an attacker can get strong access to resources and the environment. And so I would say there's improvement there around organizations going with an assumed breach mindset. Of course, we kind of see these often in the tale of 2 cities. You can see companies in the same vertical, those that haven't assumed breach mindset and those that are still a little bit more compliance driven. Of course, we help those, but we are very prescriptive and partner with these companies to go deep and wide in understanding the risk and put controls over their identities, human and machine. In the recent survey that we put out around 1,500 IT decision-makers, we found exactly to your point that a lot of them pointed out that they feel their organization created cybersecurity debt. So they ran ahead to digitize, to connect their workforce from home, to connect their suppliers, but they miss those identities. And so they're closing these gaps. It's part of why we have such a huge opportunity because we're a critical layer of security, and we're enabling this digital transformation.

Great. So switching gears to the business side a little bit. You recently displayed a list of 200 -- or over 200 certified partners. How does this affect both growth potential and your platform reach?

Yes. I'm very passionate about that. I think when you go -- when you go along as a business, you're able to create long-standing partnerships that really pay off over the years. So I think in our partnerships, you can -- we can talk about a few flavors. There's the advisory firms that actually built CyberArk practice, there's the VARs and the resellers. And that combination is about 450 or 500 around the world of channel partners that we work with. And to your point, we also have the technology partnerships, what we refer to as the C3 alliance, where it's integrations that we deliver to our customers, where they can benefit from other investments they made. So it could be a vulnerability management company. We just -- you'll have some presenting in the conference, just met them outside, where CyberArk is going to secure the privileged access that the -- that they need in order to conduct their scans. It could be partnerships with the likes of Red Hat and others where we're securing their expansion into DevOps. They're helping us expand with our secrets management to DevOps. So that C3 Alliance is very powerful for us. I would say one recent one that's exciting is our partnership with AWS, where they've become also a force that we can land with an organization. So it's a big part of how we can land and expand an organization.

Makes a lot of sense. So in Q4 of 2021, you added about 375 new logos. Do you attribute this to general economic recovery? Or are there some other factors driving that new business development?

I think it's execution on this powerful pipeline that we've built. We've been talking about the record pipeline that we built over the last 18 months, and we've been executing on it both with our workforce and with the channel partners that I just mentioned. And we have also more landing points. Part of building the platform, part of our SaaS expansion is that we can land with more solutions. We can also expand faster, and we're very excited. So you talked about the number in Q4. In Q1, we added 250 new logos, which was a record for non-Q4 for us. So we're seeing that trend really continues. So it goes back to the demand environment, identity security being a critical layer of security in the modern enterprise, our ability to land in more places, our ability to now expand further down market with the SaaS platform, which is very exciting for us. And this is still the top echelon of the mid-market and doing that both with our -- with, I would say, a more productive, stronger sales force and with the channel partners. And we're very excited about the new business growth, actually doubled in Q1.

Okay. Makes sense. So we saw a bit of margin compression in 2021. When, if at all, do you expect that to revert to previous levels?

Yes. I would say it's important for us. We're excited about the subscription transition. And I just mentioned that we're also ahead of plan with that. So the right way to look is to look through the subscription transition and factor for headwind of revenue that we're now recognizing ratably. So even if you look at 2021 numbers and adjusting for the transition, we were an 18% operating margin company. So we really know how to run it this way, you just have to mine the transition, and we're going to merge out of it a profitable company, just like we were before.

Great. So you mentioned you accomplished your SaaS transition in 5 quarters versus the 8% to 10% target. Turning towards a revenue growth rate around that transition, do you have a specific quarter that you're targeting to be the peak of that year-over-year growth?

So basically, I think the way to look at everything we're talking about is in the ARR measure, and we just showed acceleration in ARR off of a very strong Q4, and we're able to guide for growth in our ARR. So it's -- and we see ourselves as attacking a huge opportunity and the financial -- and the business model right now really supports continuing that high growth.

Okay. So when you look at a typical customer profile, does it differ between the international market versus the U.S?

That was always very big to me. Again, we started the company in Israel. I moved here to Boston, throughout the journey and built a real global company through the process. I mentioned those channel partners. It's always been a very strong source of also diversity of revenue for us. So we really go after the world, and we've been doing that for years even before going public. We celebrate a deal, whether it's here in the U.S. or in Asia or in EMEA. Very often, we see that these things -- the U.S. awareness to, I would say, modern base attacks first comes here in the U.S. and then trickles around the world. And I think awareness level right now is very high given geopolitical tensions, given the amount of ransomware out there. I mentioned the survey those 1,500 surveys were global, 70% of them said that they had at least one ransomware attack. These were enterprises. At least one ransomware attack in the last 12 months, most of them said they had 2. So this is a global phenomenon. So I would say the only difference is really making sure that we work with the right channels in the right places. In some countries, there's more compliance drivers and others. But overall, we're able to really kind of replicate and leverage the scale of the organization to sell worldwide to all enterprises. And now more and more going into the mid-market.

Great. And then turning towards the competitive environment very directly, who do you view as your direct or primary competition?

Yes. I would say, and I said it in the earnings call, that I view this as probably one of the most favorable competitive environments we can recall. I think part of it is our culture and is a pioneer in the space to always run fast, be the innovator, and again, take a global approach to it, like really build a global business doing it. We've seen -- and again, the pioneer in PAM. We've seen our PAM competitors really change hands in private equity and therefore not really invest in innovation. And given everything I just mentioned, it is so important for the customers to invest in innovation and create that dynamic and adjustment to ongoing threat. So really, on the PAM, it's only changed favorably for us and again, we see that in the Gartner Magic Quadrant. We see that in our win rates. And with our expansion to Identity Security, with our expansion to also going after access there, we compete with Okta. And Microsoft, we really come out to it very differently with a security-first approach, and we also lead with Privileged Access Management. On the secrets management front, our only competitor there really is Hashi, who go in from the developer standpoint, and we come in from security for, so really taking very different approaches.

Makes sense. So moving back to talking about international markets. Are you eyeing any M&A partnerships? Or are you just focusing primarily on organic growth outside the U.S?

No. So I think we've proven over the years that to be very, very disciplined, we made acquisitions, but those were when we thought that there's something important to accelerate our time to market on an expansion, but otherwise innovate on our own. And again, the M&As we did in the past were both U.S. and internationally, mostly U.S. and Israel, if I look at the past 7 years. I think engine number 1 is innovate organically, and engine number 2 is those partnerships that I talked about, really leverage those technology partnerships that bring us deep into organizations, but we're also -- we have a discipline to always look at M&A and where can it accelerate our road map. And now we really have that ability to be very global about it.

Okay. So for -- well, over 2 years now, we've seen significantly increased hiring challenges, particularly within hiring sales and hiring qualified developers. This is something we've seen for pretty much every company under our coverage. How have you -- or how has CyberArk been dealing with that specific challenge?

I think, like everybody, it was a challenging environment for everybody. I think we fared very well. Some of it is our geographic locations and a big part of it is something you can't really measure in P&L, but it's our culture, like we have very high retention rates. And also a word on the street is that you're going to be successful joining CyberArk. So I think we've been very successful in retaining, first and foremost, and also attracting talent both on the sales side and on the development front. It was never something where we felt is holding us back, and we did very well, again, leveraging our various locations and hiring the right people in the right places. I also think the dynamic on that will change in -- potentially in the market.

Okay. Great. So last question before I open it up to the floor. Is there anything that I haven't covered here that you really would like to communicate to potential or current investors?

First of all, I think we covered a lot, but it's -- I would say it's our opportunity in this face-to-face to really talk about massive changes that CyberArk has gone through in the last 2 years: a, the business model transformation that we talked about, and b, probably the most exciting and long term is our move to a SaaS-led Identity Security platform that really allows us to address -- continue to focus on our sweet spot in the enterprise, but to address more and more and expand down market. And with the -- the good velocity of add-on that comes with SaaS and subscription, and so we -- with this platform, we now cover privileged users. We cover workforce employees, third-party access, the least privilege on endpoint, which is also a growth engine for us, our Endpoint Privilege Manager and the secrets management that we talked about. So I think we leverage the last couple of years to emerge a much stronger company and able to address a wider opportunity, both from a portfolio, but also a delivery model.

Okay. Great. Well, thank you for the first portion. So I haven't received any questions electronically. So if you have any questions now, feel free to -- yes. Do we want to get a mic over there? Or do you...

Good morning. First, I was wondering if you could explain how cyber insurance ties into the spend? Like how much of it is it a requirement? And how far along are we into that process, so you've had benefit out of that? And so how much of a tailwind does it still remain when it's mandatory for companies to spend on your offering? And secondly, on SaaS, you mentioned addressing the long tail and going down market. So how big of an opportunity is this versus what you've sold so far?

Excellent. So I'll start maybe with the second part. So today, CyberArk has 7,500 customers worldwide. And when we look at the opportunity, we're looking at the next 60,000 type of organization and that includes about seeping into like about 40,000 of the top end of that mid-market. And so it really expands our opportunity, the ability to sell SaaS to the mid-market, and this is still the higher end of the mid-market. So it's very much greenfield. I would say they had the same issues that enterprise customers have been dealing with, but we didn't have the SaaS solution for them, a light quick way to get them on board. And that's very exciting. It also explains some of that -- the new business that Doug was asking about earlier. With regards to cyber insurance, I love the question. I should have mentioned it. We mentioned it in our Q1 results that we're seeing that as an emerging new driver. I think the driver for our business, the first and foremost, is really securing against advanced attacks and enabling digital transformation. Those are really the prime ones. But we saw more and more cases where organizations, especially on the -- in the mid-market or the higher end of the mid-market, are getting very specific requirements from -- to be able to even get cyber insurance, and a lot of that is requiring cyber hygiene and listing, least privilege, Privileged Access Management, multifactor authentication and other elements that CyberArk provides. So where are we in this stage? I would say it's early. I think it's primarily here in the U.S. We're seeing some trickle to other countries. And I think it's going to remain because the insurance companies have seen -- back to my statistics around the ransomware that all of their target policyholders are potential targets, and they're paying a lot and they want to be smarter about it and put provisions in place that really make a difference. So I think it's going to be an additional driver, sometimes an accelerator in a sales cycle, sometimes a reason to land.

Colin Ducharme with Sterling Capital. Quick question, clarification on your SaaS business model transformation. Can you talk about feature parity and also tech road map in terms of as new functionality is introduced, whether it is purely on the SaaS side or also on on-prem? And then the question is on swim lane convergence. You've made a deal in identity. Can you also talk about ambitions for IGA from a functionality standpoint, but also you mentioned endpoint, and I'm curious as well as trying to build that CyberArk ecosystem, how broad do you need to be? And how quickly do you need to get there?

A great question. I would say, so I'll kind of frame the parity from 2 angles. We are in Privileged Access Management, where CyberArk originally started with an on-premise solution. Now our Privilege Cloud, our SaaS solution for it has full feature parity. It's been that for a while. And of course, we save time for the customer. So they have all the benefit of SaaS and getting up on board quickly with our SaaS platform. The other solutions are actually SaaS first. So you look at the platform. Everything is now SaaS first. Identity is only a SaaS solution, our access solution, our endpoint privilege management is only in a SaaS solution. Our secrets management that's coming up this year to bring that to also to give SaaS optionality to our customers. And our customers expect that new innovation will primarily happen on the SaaS front. It's a quicker time to delivery. We'll, of course, continue to support our on-prem customers. But even those, we see them go for a mix. Even if they want the keys to the kingdom to be or the privileged access management to be consumed on-premise, they augment that with Identity as a Service and or EPM as a service. And so we're very excited about that. We're going to have an event in July here in Boston, where it's, again, first live one after a while, where we show the beauty of the platform to our customers. Some of them will be the on-prem customers who are joining us for the rest of the journey and they understand. They understand that the future and the quicker time to innovate is with SaaS. With regards to conversions, yes, you're right. We've expanded to what we thought was really the second more security-oriented part of the swim lane. So Privileged Access Management is the most critical expanded to access because those are identities that need to be managed. And we continue to partner on IGA, where we see it as more of a compliance layer to certify the type of employees and their access and less of an Identity Security control. To the extent that there will be workflows, I mean we've already released the ability to manage workflows for privileged users in terms of onboarding and the life cycle management of privileged users. To the extent that there are lightweight elements that our customers require from us to deliver on that platform will go there. But we will probably not go into the full compliance part of IGA. We want to keep it Identity Security. And so far, it's been working very well.

Can you just talk a little more about the mid-market go-to-market motion? First of all, how do you compare the competitive dynamics in that space versus the enterprise? And then what investments do you need to make over the next couple of years to take advantage of the opportunity?

Yes. So the mid-market is a relatively new muscle for us, but we've organized our sales force around it with the team that's targeting that's specifically targeting the commercial space. We were lighter on the channel front. I talked about the global investment we made with channel partners. We were lighter when we began, but we've expanded with partnerships with the likes of CDW and others to be able to also have the channel coverage. So I think we're now organizationally set up for it, we're measuring it, and the team has been very successful. So I think it's now to a point where we know how to scale it with, I would say, leveraging what we've learned in going after it in North America to then expand more internationally on the commercial space, and it's happening as we speak. So I would say we -- we found our motion, and we found that it's -- the beauty of SaaS is really catching there. From a competitive dynamic, I would say probably the same ones we meet for PAM, the same ones we meet for access. But we're seeing that the security-first approach that we take is also resonating in that market. It's not a given. If you look back 3, 4 years ago, the enterprises were very security-first oriented and the mid-market thought it won't happen to me. And I think that really changed with ransomware and everything that is happening. So we feel that, that security-first Identity Security platform is well perceived in the market. And the fact that they can easily get on board with SaaS and the various packages is working.

I'll use the timing if nobody asks questions. So wondering, if you could -- you mentioned mid-market, all the new products, cyber insurance. If you could rank those for us in terms of what's the most attractive from a growth standpoint? And just longer term, like if we add all those kind of growth drivers, what's kind of the long-term algorithm for the company in your mind in terms of sustainable growth that you can offer on a multiyear view?

Yes. So again, I would say that from everything we look at in terms of the expanded TAM that CyberArk can now address, the ability for us to go after that expanded TAM with SaaS, modern SaaS solution, the ability to go beyond enterprise into mid-market, we really see the foundation and the capability to drive long-term durable growth, which is super important for us. The business model is now also very strong and emerging out of this subscription transition for us to get that visibility we need to ensure that. So I think the basic element is demand for Identity Security and the beauty of it being both an important security layer, but also an enabler, and it gets that high priority up there because it's a critical security layer and also an enabler. So I'm not giving new numbers out there, but we really believe we have the foundation for long-term durable growth in every measure. We look at it again, from looking at pipeline from analyzing the drivers from looking at the global presence and the global strength, competitive advantage and all of these elements. To your first part of the question, how do I rank priority of business drivers? If I understood correctly, I would put first the -- what we call protection against advanced threats as the #1 business driver and all the others are just additional accelerators, like cyber insurance and various compliance in different regions. It's spiking up in various verticals. You see critical infrastructure, more responding to recent threats. There are areas where there's more government dictation. But the underlying thing is a critical security layer that is an enabler for digital transformation for our customers and that effectiveness. I mean whenever they run any type of drill, red teaming when they attack themselves, whenever they bring in an incident response firm, it always comes down to credentials were stolen. They steal credentials to move laterally. They steal keys to attack the infrastructure. They steal keys to expand to cloud. And so there's strong demand and awareness for the importance.

Maybe just a couple of clarifications on this SMB opportunity. You were talking about building the go-to-market motion to get to the -- I think you described it as the upper part of the mid-market as you have now a SaaS forward product offering, you have the ability to go even lower market should you wish. Oftentimes, that's more of a pull versus a push go-to-market, things like documentation, things like prebuilt APIs, et cetera. Can you talk about whether that market at the lower end is of interest, and if you're pursuing those types of pull go-to-markets? And then another clarification, you mentioned in the competitive landscape, Hashi for secrets management. Friend or Foe, I guess, and not Hashi specifically, but I mean deeper in the stack at the end for layer, is that essentially a belt and suspenders type of approach? Or if enterprise were to implement some sort of solution at the infra layer, does that obviate functionality at the app layer? If you could just discuss that dynamic.

Yes. So I think coming from an enterprise play, and we still see a huge opportunity in the enterprise, as we went further downwards, we didn't want to go too far deep to -- not to lose focus and not to get into the radio commercial business, not at this point. I think theoretically, it can go down further deep. Once in a while, we get those examples, where we're surprised that a size of organization that comes to us. I agree with you that to get there, it's going to be much more a web-based type of interaction and easy to consume. The SaaS does support that. But we see a greater opportunity right now in focusing the team on enterprise on the upper side of the mid-market, but it's going to be there down the road when we want to go after it. And by definition, by then, things will be even simplified further from a user interface from documentation and those elements that you mentioned. So I would say it's upside down the road, and there's nothing really preventing that because we see examples of some adoption in the SMB that even if we weren't going after it. With regards to the secrets management and Hashi, I think it's not a zero-sum game. We do have customers that started with CyberArk for -- of course, for human privileged access and for Identity Security, expanded with CyberArk to securing secrets management for their critical applications. And they have Hashi in some of their environments that were brought in more from the motion of developers and open source, and we can live side by side. And so it's not a zero-sum game. I think, of course, in terms of how we work our strategy. We want the customers to be successful with us and then eventually go after the entire infrastructure. But the mix also works and we do see that in enterprises, there'll be things that we will announce down the road that actually make it even easier for customers not to have to choose certain camps and have us as the central platform for all Identity Security, human and nonhuman, and on those human, it can be -- it can have that centralized in one place even if they're using other solutions.

Great. So we are just about out of time today. So Udi, I want to thank you so much for your time and for coming here. Very insightful to me, especially. Yes, have a great day.

Thank you. Thank you. Thanks for the questions, everyone.