Okta, Inc. (OKTA) Earnings Call Transcript & Summary

Good afternoon. My name is Alex Henderson, I'm the security analyst at Needham. It's a pleasure to have participants joining us at Needham's Growth Conference. And it's even more of a pleasure to have Bill Losch in Okta participate in this 40-minute fireside chat that we're kicking off here. Before we get into it, just 2 logistics points. If you want to ask a question, there is a box on your user interface that allow you to type it in. I will then relate it to management, or alternatively, I will keep my e-mail open, and you can e-mail me at [email protected] if you prefer to use that venue. So with that, let me welcome Bill Losch, Chief Financial Officer of Okta, and congratulate Bill. So I think this is going to be Bill's last conference. Am I right?

That is correct. That is correct. So thank you very much.

It's just hard to imagine that that's possible. So your last conference as part of Okta, and we're honored to have you here. Congratulations, Bill.

Yes. Thank you, Alex. I very much appreciate it, and thank you for having me here today.

So before we get into the Q&A, just a little bit about your experience at Okta. You've been there for a long time. How has it changed? And where do you -- what do you think is the most exciting thing right this minute that they'll be doing after you leave?

Yes. I mean I started at Okta in 2013. And at that point, we were much smaller than we are now. I think that fundamentally, what hasn't changed is, I think, the vision that Todd had for the company way back then is still the same today, which is us focused on being in a position where we can help companies and organizations connect their users to technologies that they want to use in the cloud. And I think that, that, coupled with a kind of really focused appreciation and focus on customer success were both elements of the company when I started there and frankly, are consistently been strong elements of the company today. Now what's changed? When I started, we were focused on connecting companies to cloud applications, specifically for their workforce so that their employees could connect to the cloud in a secure way. What's evolved is certainly the capabilities that we have enhanced on the workforce side, whether it's security, policy management, those kind of things has certainly accelerated. And then we've also, in the last few years, really focused on an adjacent but different market, which is the customer identity side. So in other words, connecting -- helping customers connect to their customers, which has become a very big opportunity for us, and we've seen a lot of growth and success with that. So I think those are some of the bigger changes. I think the other change is, and we've seen this over the last couple of years, is we've moved ourselves more and more from a product company to a platform company. And what that means for us is we always started -- we started from the beginning being very focused on integrating all those best-of-breed cloud application technologies into our platform, which has been really important because from a customer perspective, we come to them now with 7 -- almost 7,000 pre-integrated applications. But I think what we've been doing more and more over the last couple of years is really focusing on how we can make our platform more customizable, more flexible so that developers within companies can build and customize on top of us. And that's especially important -- well, it's important in both. It's important in workforce, but it's especially important in the customer identity as companies more and more want to integrate us as a macro or a microservice into their applications or portals. So I think that's another thing that's evolved. We've obviously grown a lot. We're a much bigger company, but I think the customer success focus and the entrepreneurial focus is still the same.

So I wanted to just step back for a second because these fireside chats always tend to jump right into the most timely thing that's going on. Let's talk about SolarWinds. Let's -- but can you just sort of outline the scale of your platform because I think it's worth understanding how many subscriptions you have, how important you can be to a customer and the variety of things that you brought to the platform. It's not just a couple of things. It's a lot.

Yes. It's a good point. So when you think about Okta, first and foremost, you have to think about us as a separate identity platform. And the key thing from a customer perspective is that we're an independent and neutral platform. So we connect to all the best-of-breed technologies, and we bring that to bear for our customers. And that's really important because customers are looking for those best-of-breed technologies, and they're looking for an identity service, which is us, to be a separate platform that those technologies are all connected into and are independent and neutral. So we make sure that we have deep integrations, as I said, close to 7,000 of them with all different types of techno -- cloud applications and other technologies. And that's really important for our customers because that gives them the ability to utilize best-of-breed. I think what we've seen, what's certainly accelerated the trends of our business is really the macro trends of customers adopting cloud, customers wanting to have online interaction, more online interactions with their customers. And then as you think about the new technology framework that companies want to operate in, where there's this cloud technology, it's really driven the framework from a security standpoint into this Zero Trust framework. And that framework, which, in effect, is a framework to secure access and authentication into your key applications and technologies from wherever that user may be, whether they're outside the firewall or inside the firewall, is very much a key driver for our business also. So we do all that. We provide those kind of capabilities. The breadth and depth of our platform integrations allows us to have a significant amount of data running through our platform that allows us to enhance our security capabilities for companies through our multifactor authentication, our advanced multifactor authentication products. It allows us to provide the companies the ability to both set and operationalize very deep and granular policies as far as workflows and how they are going to allow users to access their applications or their technologies. It allows us to put ourselves in a position where we can, now, at this point, as companies and especially as larger enterprise customers are moving to the cloud and are still operating in a hybrid environment, allowing them to really onboard faster into the cloud because we have the capabilities to not only manage their cloud applications but also through partnerships and other technologies we've built be able to also manage their on-prem relationships. And I think the real significant shift over the last 10 years has been the fact that identity has gone from something that was really stack -- specific to the stack of technology you had. So it was vendor-specific, whether it was Active Directory for Microsoft or you had Oracle or CA, to where now, it does have to be in a separate, distinct platform because the real benefit from a productivity and security standpoint is to be able to connect all the different best-of-breed technologies, and that's what customers are looking for.

So I wanted to talk a little bit about the cloud world and the cloud workload world. There's 2 things that really jump off the page at me when I look at identity and cloud workload, which is Zero Trust in the cloud world is all about identity. It is the central tenet on which the whole structure is built. And it has been used extremely well by the Amazons and Googles and Facebooks of the world to protect their platforms, their runtime environments. So it's demonstrated that Zero Trust in that world can work in runtime. So as I think about that aspect of the world and we think about very rapid growth in modern applications, which is something in the order of triple digits on a very large base, how do you guys participate in the machine-to-machine identity world?

Well, I think that as we think about the whole kind of ecosystem, certainly, what we have been primarily focused on is connecting the user to the technology, the application. And that has manifested itself in the success we've had at this point. And frankly, we think those addressable markets of doing that for the workforce to doing that for the customer, for their customers, it's still a huge market that we just really are starting in. And we think that, that has certainly been the focus. I think as you think about identity, to your point, that in a Zero Trust environment, in all these environments where more and more of the technologies are connecting to users but also connecting to each other, identity continues and will continue to be a primary part of that because, ultimately, you're encouraging there to be access and ability to access technologies for machines to connect to each other in a very cloud, outside of the protected firewall type world. And in order to do that, really, that perimeter of security has to be around the identity of the user and then how those connections happen between applications and machines. So for us, that is certainly an area of expansion for us over time. We've started to -- with the Advanced Server Access product we released last year, we started to do identity for infrastructure. And we see that as a potential opportunity for growth in the future because workloads are still predominantly on-prem, but to your point, more and more things are moving to the cloud. And so we see as that moves to the cloud, that presents more opportunities for us.

So the SolarWinds hack is a really interesting event in many respects and there's a lot of different ways we can cut at it. Has the SolarWind hack changed the conversations you're having with the enterprises? Has it changed the budgets of your customers? If you've gotten any read on what they're saying they're going to do? I was talking to a value-added reseller the other day and he said, "Geez, if we could just get a hack like this every December, our budgets would never stop going up," because they were right in the middle of the budget cycle. And I would think that, that would have a real impact. So if hypothetically, spending was supposed to go up 15%, which I think was the baseline going into December expectations, what do you think the impact of the SolarWinds hack is on the budgetary outlook?

I think that -- I think -- the way I think about it, or the way we think about it is that moving toward a Zero Trust framework or a Zero Trust architecture has been accelerating even before SolarWinds. And I think more and more companies were talking to us about that. And frankly, that acceleration was happening before the pandemic, but I think the pandemic has also helped accelerate the movement to the cloud. And therefore, companies realizing that they need to potentially rethink their architecture, their security, and there was, therefore, Zero Trust. I think that what SolarWinds has done is a couple of things. One, I do think it has presented an opportunity for those companies that maybe weren't yet at that point to start reconsidering their Zero Trust architecture. Two, and perhaps more importantly, I think it does continue to debunk the view that on-prem is more secure. And I think that it also -- realistically, when you think about Zero Trust, there is really no singular solution for security. So therefore, it does help that we bring to the table, as I said, kind of best-of-breed partners. And we do that in the security area by bringing together, because we're so deeply integrated with the Zscalers, the Cloudflares, our initiative with CrowdStrike, Netskope and Proofpoint be an example, and that identity because identity really does amplify the visibility into all of this with all these connections. We do think it helps. I think it's more of a continuation of trends that were already happening, but I think it has caused more customers to probably reconsider their architecture than maybe had at this point, not that they weren't going to, but it maybe has accelerated that. So that's what I think the impact has been.

Certainly, it's -- what we've heard in talking to VARs, to demand, they're telling us that it's accelerated the move to digital transformation. It's accelerated the move to cloud direct. It's accelerated Zero Trust -- belief in Zero Trust. But it also raises all kinds of interesting questions about how do you think about trust? I mean one of the things that SolarWind hack I don't think people understand is, well, because I think, well, geez, SolarWind downloaded this hack DLL. Well, that means the Russians got into the DevOps process earlier than the Americans, right? So they had shifted further left than the U.S. had, and as a result of that was they were able to insert it before the authentication certificates were attached to it, and people thought it was secure when it wasn't. That's a trust element, which means it's an identity element. And that means we need to push security and identity deeper into the DevOps process. Is that something you guys are working on engaging in? Or is that something that's going to go to the sticks of the world?

No. I mean I think that we certainly are working and key in the notion of as you think about Zero Trust and you think about the Zero Trust architecture, you really do have to think about setting policies and protocols that you would apply outside the firewall and make them consistent through inside the firewall because I think that was one of the challenges, and to my point earlier, that people tend to think that once you're inside the firewall, everything is safe and hunky-dory. So I think you have to do that. And I think as more of the workloads, let's say, are moving toward a DevOps-type environment where more things are going to move into a cloud-based environment, I do think -- we do play a part in that. And we certainly -- I used the example a few minutes ago with servers like our Advanced Server Access is really for servers in the public cloud. And so we are going to play a bigger and bigger part as it relates to things like that.

Okay. We have a couple of questions that came in here. So let me shift over to those rather than driving the train of thought.

Okay.

So the first question here is what steps can you take to widen your competitive moat? Which competitors, partners do you worry about the most infringing on your competitive position?

Well, I think we believe that the competitive moat that we've established so far, which is strong to why, I should say, is really fundamentally these deep and broad integrations we have with best-of-breed technologies and applications. Because at our size, with close to 7,000 of these applications, now having over 9,400 customers and all the users, that creates a very, very strong kind of network effect, let's say, within the ecosystem because there's so much data that runs through our platform that we can build products that are better based on that information. We can integrate signals from these best-of-breed technologies, especially the security technologies, which I was just talking about. So that really is that moat. And so the reality is the more we can do to enhance that is what we're focused on. And what that primarily means is as we, as I said, move more from a product company to where now we feel like we're a platform, having the ability through the different initiatives we're doing to create more of these platform services such as the Okta Identity Engine, which makes the platform more customizable and flexible for developers to build on top of. As we create through devices more security capabilities of having those signals from the devices so we can build better security as we do more with workflows that are more of an automated and developer or not as hands-on from a developer standpoint, it's like a no code away for people -- for companies to change policies. All of those things, we think, will create more and more of a desire for other technologies and companies to build on our platform, which creates more use case opportunities. And those more use case opportunities is what we think will continue to give us a very big competitive advantage over everyone else. I think from a competitive standpoint, we certainly look at those competitors that have either been smaller and in our space for a long time, or we certainly look at Microsoft with Azure Active Directory. But I think if you look at our competitive versus Azure or Azure Active Directory, it's fundamentally because we connect to best-of-breed applications in a deep and integrated way and are consistently upgrading those integrations, that is a big advantage from a customer standpoint of using us versus Microsoft because those best-of-breed technologies are allowing them to be more productive and more successful. I think that with others, they're competing with us against the sheer scale of what we are, and it's hard for them to match those network effects I was just talking about. I think that as we think about customer identity, that market is actually still predominantly a build yourself versus buying. So it's really working with companies and their developers to make them more comfortable and feel like there's more utility in using Okta as a microservice than building it themselves.

So I want to drill down on that a little bit because I think it's actually a really interesting point. So as an example, if you see something that is out of line with behavior analytics that you're doing, you can then feed that into other systems, for instance, the CrowdStrike system as a data point, or alternatively, CrowdStrike can feed back to you that they're seeing something that looks out of line. And those things can then be used to put a containment around a particular device or a particular user or a particular data traffic flow. That's the type of deep integration you're talking about. Is that a good example?

Yes, it is. That is a good example, Alex. I think that makes sense. And if you think about it, that is an example that we do with numerous other technology partners. And I think that again, security specifically, but certainly in other areas, we believe that there isn't going to be one singular solution to security. But having us bring these best-of-breed solutions together and having the identity platform, which, to your point, identity has to be -- the solution has to be identity-centric to make it as secure as it can be. That's the real value we add. And someone, as an example, like Microsoft, who's not going to have those deep integrations, they'll have integrations, but not as deep to non-Microsoft technologies, they can't bring that up to bear as much as we can.

Just to drill down on that a little bit. One of the key points there is that you have a lot of artificial intelligence capabilities to understand those behavioral analytics and the like. Is that something that you feel the company needs to invest in more? Do you need to buy into that skill set? Do you have enough of that in-house? Or are there other pockets of skills out there in the artificial intelligence arena that would really bring a different flavor of AI into your footprint?

Yes. I mean I think that as we kind of -- where we are today, so to speak, I think that we have those capabilities and that in place. I think though that as we expand and are expanding into growing our capabilities, but as you mentioned earlier, potentially expanding into other areas that identity can be meaningful, whether it's machines, those kind of things. I think that we certainly have the base, as I said, really well. But I think there might be opportunities for us to either bring in organically or inorganically other capabilities that enhance that.

So this next question comes in from a school of management, so somebody who's not in a -- on the buy side. But the question is, what risks are mitigated because Okta is acting as a third-party platform? And do customers express a #1 and #2 benefit of using the Okta platform, which I think is a reasonably good question.

Yes. I mean I think that the primary -- well, the benefits that they see primarily are the fact that we can enable customers to be productive and scale much more efficiently and faster as they try to seek out and connect to these best-of-breed technologies. And the second being that we can do it at scale in a very secure way. I think those are the 2 main elements. I think that having us as a third-party platform has the benefits I said earlier of the fact that we're independent and neutral. And therefore, we have no "skin in the game," so to speak, of preferring one particular technology vendor over another and gives that choice to those customers. I think it also puts in a position because of the security and because of those elements that we enable them to feel comfortable that all we're really trying to do as far as what information we need is just make sure that we can make sure it's authenticated as a -- the user is authenticated and they have the access they say they want to. And that's what we do. And so I think that having that as a third party that does that for them is really, really beneficial to companies.

So the next question coming in again from the audience is pricing. So is there a price pressure on some of the well-established product lines within your lineup? For instance, single sign-on is a pretty well-known technology. There's a lot of people who offer it. Is that something that's getting priced down or putting under pressure? Or alternatively, are you adding more value across your platform so that your price is holding up or even rising?

Yes. I mean I think that fundamentally, because we continue to enhance the value of the platform, we're able to continue to charge premium pricing versus others who compete with us. And you would hear from customers that we do, do that. And we believe that, that value is there. So we're able to do that. That being said, we have on -- in the case of single sign-on, in the case of multifactor authentication as an example, we do have a basic form of that, and then there's the more enhanced form. And we have purposely made the basic in functionality but also pretty basic in pricing because there is a big opportunity for us once we get into a customer, irregardless of their size, but certainly with the large enterprise, that those upsell opportunities of those enhanced features and functionality are pretty important for us. So I think it's not so much a pricing pressure with some of those basic products, it's more of a pricing strategy for us.

I wanted to shift back to the business model. I mean you are the CFO after all, so it seems appropriate. And talk a little bit about your plan going into CY '20, which was before COVID, an expectation that you were going to accelerate investments to drive growth. And I think you were saying pretty clearly to people that you did not expect a margin -- any margin improvement over the course of the year. Now clearly, that's not what happened. Because of COVID, you had significant benefits from lack of travel and conferences and octane costs and all that sort of good stuff. And you've actually managed to deliver some pretty good expansion in margins. Now conversely, as we move into CY '21, and I understand that you may not have put out all of the guide in detail yet. But as we move into that, I would assume that some of that spend will come back and that you're still planning to execute against the strategy of accelerating growth through aggressive investment. So can you talk about how we should be thinking about the trajectory of margins over the next year based on those issues?

Yes. I mean I think that the way you categorized it is correct. I mean certainly, we, like a lot of other companies, had margin benefit from the externalities caused by the COVID, such as no travel, not occupying our offices, virtual versus live events. And I think that we're also going into this because of just like everyone else, there was some degree of uncertainty as to what the impacts were going to be. We were pretty prudent in our hiring plans and things like that. I mean, we're still focused on investing in the business from a customer-facing standpoint and R&D, but we were prudent with that. I think as we come out of this last year, we're obviously finishing up the fiscal year, but as we move into the next fiscal year, I think that we certainly feel like those type of expenses, as we move out of the pandemic and companies, including us, move back into a more normal world, that some of those expenses are going to come back. But -- and in addition to that, what we've seen with the pandemic is, frankly, these market trends that have really benefited us over the years of cloud adoption, digital transformation with our customers and their customers and Zero Trust architecture, Zero Trust framework are accelerating, I think, even faster because of that. And so we see that market opportunity being very strong. And we are going to invest to realize that, and we're going to invest in the areas we've been investing. But we'll probably see increased investment there. So I think there shouldn't be the expectation that we're going to operate at those same margin levels as we did or projecting to do this fiscal year. I think it will be kind of investing back into the business because those growth opportunities are so strong, both here and, frankly, we think, international.

Just to be clear, I don't think you're implying that your margins are going to contract, but rather your margins would not expand from here?

Well, I think that, like I said, this year is a year where there were expenses that just didn't happen because of the situation. I think there should be an expectation that those type of expenses will come back, plus we will be investing. So I think that we should think in those terms that the margins we're seeing this year definitely were benefited from expenses that did not occur this year but will start to occur again in this coming year.

So does that imply fairly flattish margins? Or are you actually implying contraction implied by that? I'm not sure I...

What I'm saying is I think the expectation should be that we're going to -- again, it's hard to say timing just because we're still -- there's still some uncertainty as the economic environment because of the pandemic. But I would assume that we're going to go back to focused investment in the business because we see big growth opportunities.

Okay. I won't push it any harder. Relative to the competitive landscape, it doesn't seem like the Swimlane issue has been brought up in this conversation at all. You've penetrated into some of the adjacent partners, the governance side, the PAM side a little bit more recently. And some of their moves have also kind of blurred it into some of your swim lane. How do you see the adjacent markets versus the blurring of those swim lanes playing out over the next 12 to 18 months?

I mean I think that the -- what's -- in the next 12 to 18 months, I think the trend that has already been happening will continue, which is as more of the kind of center of gravity, let's say, moves from on-prem to the cloud, that's going to move more into our sweet spot as far as how we address the use cases that companies need as they move -- as they're in the cloud. So on the governance side, certainly, as we think about what we do with our life cycle management, that's operationalizing those workflows and operationalizing policies. But as more of that kind of key center of gravity where you need more of the reporting and compliance falls into cloud-type applications and technologies, we see that moving toward us. The same is said on, I would say, with privileged access management, you're actually seeing maybe that sooner with what we've done with Advanced Server Access because those workloads are moving to the cloud. Those server workloads are moving to cloud, and we see that, again, being a trend that's happening. So I think that's where you're going to start to see [indiscernible]. It's really as things move more on-prem to cloud, they're going to move more into our sweet spot versus what is the legacy on-prem sweet spots.

Can you remind me whether you're tying into HashiCorp?

I'm sorry, Alex. You weren't coming through well there.

I'm sorry. Can you remind me if you're tied into HashiCorp?

HashiCorp, did you say? No. Yes. So I think we partner with HashiCorp, and as our customers basically have asked and requested, it's really they want -- if they're using HashiCorp to manage their infrastructure, they also want a strong identity and access management. And they look for us to integrate together to do that. So we've focused on that as far as like with their HashiCorp Vault customers, using -- customers using our SSO and MFA to authenticate for the use of their products in the vault. And then with their Terraform products, us automating their identity across their infrastructure. So it's really been a partnership between the 2, and it's -- and as far as we can tell, as far as we believe, it's going well.

Well, we're running out of time here. I did want to thank you very much for coming on and joining us. And we will miss you immensely. I hope you enjoy your life...

Thank you, Alex. I very much appreciate you having me here today for this discussion with you and all the meetings we're doing. It's been a great ride, and it's really been a pleasure working with people like you. So I am going to miss that quite a bit.

And I think it's the most fun [indiscernible] talk to. And so I want to thank anybody for joining us. I know there was some pretty sizable audience listening in. And I thank IR for allowing us to do this. So great. Thank you very much, everybody. And with that, it's a wrap.

Thanks, Alex.