Okta, Inc. (OKTA) Earnings Call Transcript & Summary

Thanks for joining us this afternoon at the Okta session at the GS Communacopia and Technology Conference. I'm Gabriela Borges. I cover security here at Goldman and delighted to have on stage with me, Todd McKinnon, CEO, Chair President of the Board and Co-Founder of Okta. Thanks for your time.

Yes. Thanks for having me. I'm excited to be here. Hi, everyone.

So Todd, when we met for the first time a couple of years ago now, you talked about wanting to reprioritize and upgrade the level of innovation and the R&D organization at Okta. And I fast forward then to Oktane this time last year and the number of product announcements that the company talked about was significantly higher than at least what I could recall on prior. So talk to us a little bit about the evolution of the R&D organization? And how that fits into your evolution of Okta's and Identity Platform today versus perhaps at the time of the IPO or at the time of its founding?

The, the space we're in is very -- it's a critical space, identity and it's critical for security and does a lot of things for companies. It's also a space that's I think the industry, identity speaking and particularly the security industry, we haven't done a good enough job making it super easy to snap everything together and get really positive outcomes for fast, high ROI positive outcomes for customers. I'm speaking broadly of the industry over the history of it, not specifically of Okta in the recent period, which I'll get to in a second. So all of that, the point of all that is, I think that R&D and innovation is incredibly important. And 1 of the things I'm most proud of over the last few years is the progress and the velocity and innovation we've had at Okta. I think one of our main priorities for this year is reaccelerating growth. And the job is not -- we can't say we have great R&D and not reaccelerate growth. The job of reaccelerating growth is the most important and R&D is an input of that, but we still have to deliver that outcome. But that being said, I am very proud of the innovation. And I think that there's a couple of things that are behind that. One is that I think we had some growth and some maturity and we got our processes and R&D better and in terms of investing in tools and technologies and capabilities to have an R&D organization scale. We've done a good job there. But I think one of the biggest things we did was when we bought Auth0 a few years ago, it actually -- we had a ton of capacity into the company. And so particularly, the team that was working on Okta could really -- instead of having to focus so much on customer identity, they could really double down on privilege and governance in some of the new areas we've recently launched and are having traction with. So it's -- sometimes things are simple. And in that simple case or sometimes part of the reason is simple and a simple reason there is that we just got more capacity, and we could focus some of those teams on those new product areas. And I think that things in the R&D pipeline are good. They're in the market now. And now it's about us executing and actually using that foundation to drive reaccelerated growth.

As you think about what the longer-term road map for Okta looks like, what's the next technical challenge that you're excited to solve for your customers given that you now have all of these different products, Identity Governance, Privileged Access, Identity Threat Protection, et cetera. What's next on the road map?

We can -- broadly speaking, there are specifics, but broadly speaking, we can make it a lot simpler for customers to get value out of Identity and get value out of everything else in the security ecosystem and everything else in their technology ecosystem. So a simple example I'll give you is, right now, it's very hard for a company to comprehensively across all of their SaaS applications and on-premise applications and cloud infrastructure and on-premise infrastructure, actually guarantee that every user interaction and every machine-to-machine interaction is coming from a known and trusted network. Internally, at Okta over the last year, we've gone through a comprehensive assessment of this. And completely locked down all access to known IP addresses. And it's actually quite challenging to do and very, very few companies actually do it. And I think the reason why is because there's not good standards for how this should work. Every SaaS application, every piece of infrastructure implements IP range restrictions differently in a nonstandard way. Some of them don't support it, some support of it, limited support. Some of them do it a different way. And so it's really nonstandardized. So when you get a company that's trying to lock down their whole environment to be one of the most secure organizations in the world, it's quite challenging. So one of the innovations I'm excited about is thinking about how we can help the industry standardize that and get this flat, consistent ecosystem so that customers, when they want to adopt a Modern Identity when they want to go to Zero Trust when they want to have these, the things we all talk about, they know that they're going to get complete value in tons of control and visibility right out of the box, which isn't the case today. So that's a broad -- there's various different ways on how we do that, but it's an area I'm excited about.

Are you talking about essentially going to more of a whitelisting approach to IP identities? And if so, how is that technically different from what you currently do with SaaS identities or user identities?

So the user -- I think it's the right approach for a security architecture is multiple layers. So there's -- you want strong personal identity, biometrically authenticated and efficient resistant way, and you want whitelisted, you want managed and secure devices that are only -- access is only permitted from managed and secure devices. You want the ability to flexibly have a policy so that in the case that you do have to relax those, those restrictions, you can do it only for the applications that are on high risk and the workloads that are high risk. So it's like multiple layers and a policy engine that can make it all possible. And one of the layers beyond just biometric phishing-resistant authenticated users and a trusted device that's managed and known and secured by endpoint security. You also, at the network layer, you want to have a controlled network perimeter and trusted validated network, and that's where the IP whitelisting comes in. The challenge is that the things I'm talking -- I just talked about are kind of well known in Zero Trust conversations about like the things you need to do for Zero Trust user identity and Zero Trust security. The challenging thing is when you try to go to this -- you try as a company, you're trying to not only secure the users, but also every API integration and every machine-to-machine integration, then there's really not a -- there's not the equivalent of standards for phishing-resistant MFA for inbound API calls. It's not specified very clearly. You kind of store some token in a certain way. It's really hard to get all of your network of the web of machine-to-machine interactions all come from your trusted corporate network, Because half of them are other SaaS providers that aren't on your corporate network. Not only are your own applications not on your own network because they're in a SaaS providers data center, but the things that are calling them agents or other SaaS apps or you're forecasting [ to a call ] in Salesforce is not on your corporate network. So then how do you do it? It gets really, really hard. And this is -- this is an example of the complexity that people aren't able to deal with seamlessly out of the box that if we -- I think we standardize things more, I mean the really clear to SaaS providers how this should work, made it really clear in terms of the protocols for how machines should integrate with each other, we could simplify it all, have customers get much quicker time to value by installing all these products and make it better for everyone.

And how do you think about where some of this functionality naturally falls between what some of your competitors in network security are doing versus what your core competencies are on the identity side?

I don't actually -- I think about that, but only in a second order type of thinking. The first order is how do you solve the problem for the customer. And the second -- in solving that, you get down to who -- what's the best approach and what should each party do and what should the network people do and what should [ identity ] people do and what should the endpoint people do and what the overlap should be. And then you kind of think about, all right, if this is the right complete solution for the customer, then what do we have the right to win? How does identity fit into that? And these -- it's -- and I think it's kind of -- when you get -- when you take from that approach, it becomes pretty clear who should do what. That doesn't mean that all the vendors are kind of sticking to that. There's a lot of people trying to poke into other people's lanes. But when you actually look at who's -- what people are doing and how they should be integrated -- interacting, it's fairly clear, at least from a customer perspective, what they want each player to focus on.

That makes sense. One of the things were -- or one of the dynamics or I think you do have a right to win that you've consistently talked about is the level of integrations that you have, especially versus someone like a Microsoft, talk a little bit about how your integration network is architected. And how do you think about maintaining and extending that ecosystem of opportunities?

Yes. It's related to the -- I think -- and if you really assume that, I think this -- what I've been talking about here on how we're -- our goal is to standardize more things, and we wanted to seamlessly plug together and get good security outcomes and good productivity outcomes and technology usage outcomes for customers. That's really an extension of what we've been about from the beginning. It's just taken to the next level. So in the very early days of Okta, we were the first to market with this concept of -- there were some identity standards out there, this thing called SAML and this thing called WS Federation. And there's various other people -- things people trying to standardize. We were the first company that said we're going to we're going to like guarantee you a customer that we're going to build you a single sign-on system that worked with everything. And we're not going to bother you at all with different protocols or different standards, we're going to guarantee you that it works. And we're going to take care of like managing the complexity of different standards. And by the way, 90% of the applications didn't support any standard. So we had to do really kind of down and dirty things about screen scraping and how we could make these applications look like they support a single sign-on when they didn't. And that's what we did. And the way the company grew and got momentum is that customers really like that, the fact that we had so many customers and just the fact that more and more apps built support for these standards. And we had this kind of this system where we could -- as they brought new standard interfaces online, we could swap out our maybe nonideal screen scraping integration and go for the standards. And then the standard evolved, and we evolved and kind of grew from there. And so the dimensions of how integrated, there are really 2 of them. There's the breadth, how many applications, and we talk about this number, 7,000, 8,000, which is quite, quite wide at this point. But probably as important as the depth dimension, which is there's one thing for an application to be integrated to identity from a single sign-on perspective. I mean like you click the button and you actually -- it can sign you in. There's all these other capabilities that make an integration deep, namely, not only can it sign you in, but actually, it can actually replicate the user accounts. So IT doesn't have to manually do it. Or another one is, can it -- if it's an HR system, can it do like employee onboarding? Can it take that business process and copy it not only from HR into your single sign-on system, but copy that account into all the other systems downstream that might need that account? And so there's the depth of integration as well. And so when you talk about standards and standardizing machine-to-machine integration or when we talk about standardizing how -- we're talking about standardizing like how log files can be collected and how companies can get centralized visibility about single -- about [indiscernible] or we talk about a product we have called Identity Threat Protection, which is all about, okay, you log-in, but Okta keeps monitoring your device management, your endpoint security system, your network security system. And anything that's detected during your login session, any kind of malware, any kind of network intrusion, we automatically shut down your identity session and we log you out of everything else. That's not a single sign-on. That's like some kind of continuous session monitoring, plus integration with CrowdStrike and Zscaler and Netskope and Palo Alto Networks. That's a very deep integration. And so our competitive differentiation has always been breadth of integration and depth of integration, and we're pushing that forward in all fronts, even to the extreme where we want to create new kinds of standards, enhance the existing standards so that it all just works together. And so companies say, "All right, I'm going to pick this endpoint in this network and this identity in this application, this HR system, and it just works. And I don't have to worry about how do I secure the machine-to-machine interactions, the APIs that are going to call this, how do I worry about the difference between my employee users and my contractor users and my partner users. It's just too complicated." And the more standardized and systematic we can make it, the bigger the pie is going to be for everyone.

Absolutely.

And we'd love it, by the way, if this maybe sounds counterintuitive. We love it if all of our competitors and every -- all the Zero Trust people and all the security people had the same idea and wanted to rush to standardize everything. Even if maybe that meant that our identity competitors could do some of the stuff we could do. Maybe in the short term, that wouldn't sound like a good thing for Okta. But I think, for customers, if they knew that it would be standardized, that's going to accelerate the velocity and the purchasing so much are the best -- we have the best products. So that's going to -- the bigger pie is going to make us much more successful.

That makes sense. I want to come back to where we started this conversation, which is your point on R&D. Ultimately, the goal is to reaccelerate revenue growth.

Yes, yes. R&D is a means to that end, yes.

If I think through the bull case for the stock, which we subscribe to you, it's Okta being a 15% plus, 20% plus revenue grower. I compare that to the 9% growth in cRPO that you're guiding to for 3Q. Help us understand how to separate out some of the macro headwinds that may be impacting the business today versus some of the secular growth opportunities that we spent the last 15 minutes talking about.

In that -- in the -- I think big picture, our conversations with customers are interactions in the market, our competitive position. It's all -- they're all very positive. -- consistent, very similar to what we've heard in the past. On the -- when we talk about macro headwinds, we're really, in my conversations with investors, I reiterate this over and over, is that macro headwinds we're talking about an environment that's been consistent for over a year now. It's not getting worse, it's not getting better. It just kind of is what it is. In fact, at some point, we're going to have to start calling it macro -- stop calling it macro headwinds and just call it the new normal. And so I think -- that being said, there are realities in what we're seeing in the business. We think that big deals, particularly if a couple of years ago, they would have taken 2 approvals, now it takes 4, there's extra scrutiny in the purchase. The deals get done. The projects are as big. They are as strategic. It's just a little harder, a little slower. And -- so that is a thing I think, which makes sense, right? Because Okta, as a company, is doing the same thing. We're being more careful about what we buy. We're making sure that we don't have redundant capabilities. We're making sure that we pick a solution in an area and use it and get value-added before we buy some more. So I think a bunch of companies are doing the same thing. And when we're working in the field and sales cycles, we're working with them and accommodating them. The -- in terms of like the base of business we have, that shows up in the numbers, particularly, it impacts the net retention rate. Because a couple of years ago, we would have seen if a company needed -- had 1,000 seats or 1,000 -- a bucket of 1,000 monthly active users on the customer on any side, they were very optimistic. And they'd be like, yes, we'll probably buy 1,500, and we'll grow into it. And now it's like if they need 1,000, they say, "Oh, we're going to buy 750. And we'll make sure we get to 1,000 before we buy 1,000 at the next renewal." So I think you're seeing in the net retention rate you're seeing where in the past, it was -- there was like a tailwind to that. Now you're seeing that tailwind is gone. And it's like the net retention is kind of more instead of maybe people overbuying, like they're actually buying maybe even a little less than what they need. But we think that will over time, as cohorts have been doing that for now over a year. So ultimately, eventually, that's going to normalize out and that will be more of a normal thing that we won't be comparing against the past period. I think the -- I think we're going to have to -- in terms of the guidance, I think the Q3 or Q3 cRPO guide is there's the normal kind of guidance process and how we think about an achievable guidance and in guidance we're confident in. There's also in that number, some conservative for any kind of security incident hangover that we're going to come up on the anniversary of the security incident we had in October. And I think it's probably -- I think the last quarter that we're going to have that conservative built in. We haven't seen big quantifiable impact. We haven't seen any quantifiable impact. So that will probably be appropriate time to reconsider factoring that into the guidance. And then the other thing about the guidance for Q3 is that the second half of our year is the majority of our bookings. And so we're going to get a much. I think we're going to do it in Q3 earnings, we're going to do a revenue guide for next year. we're going to have a much better kind of view on how the second half of this year is going to go, and we'll be in a position to update the guidance then.

I'll ask a follow-up here. You mentioned eventually you get the stabilization in the cohorts. Is there a way to think about perhaps your typical deal length relative to the excess buying of the 2021, maybe 2022 cohort as to when more tangibly you would see a normalization in the cohorts?

Yes, when it's -- I think it's a gradual thing. Meaning -- and I don't -- I haven't done the analysis. We haven't done the analysis to like know exactly when it peaks and when the trend is and all that stuff. I will say that the buying behavior and everyone saw this not only in our results but in the overall market in the second half of '22 calendar '22, so second half fiscal '23. So that means we're 8 quarters or 5 quarters in, 6 quarters in. So I think it's getting to a point where the somewhere near the peak of it right now or we're starting to get to the time where some of those people that didn't overbuy are representing more and more of the cohort. So I think that's a positive trend for the future.

And do you look at internal data on customer utilization of their own footprints? And any comments on how that utilization...

Yes, we definitely see it we've definitely seen the utilization compared to what they bought -- the utilization is a higher rate over the last 6 quarters as the overbuying has slowed down. So that's a good sign as well.

Absolutely, I agree.

For a long time, it's interesting. For a long time, it was -- and I think in retrospect, it's obvious, it was because of this over buying. For a long time, it was -- we were surprised about the relatively speaking, the utilization rates look low. And I think this is because people were overbuying. I was like, we're going to grow. We're growing [indiscernible] 1500, yes. Yes, 1,500, we'll buy -- we need 1,000 we'll buy 1,500.

So let's assume that the macro environment is unchanged to your earlier comment on the new normal. And you have incremental stability in the cohort sizes or in the cohort expansion rates. What else do you need to see? Or do you need to underwrite that's within your control to be able to bridge up to a faster normalized growth rate?

I think there's a few -- a couple of key things that we're really focused on. And -- so really 3 things. One is that just we are seeing a lot of progress in large enterprise, and there's a lot of potential there for us. So it's one of the things that when people ask me like, what do investors not understand about Okta, I think people overestimate how penetrated we are in the large enterprise. And I would say that we're -- we have a lot of potential there. We talk about 40% of the -- we have some kind of footprint in 40% of the Global 2000. But even that 40%, there's a lot of room to expand that -- the usage in terms of number of seats and number of products. So I think of Okta as a company that was successful in mid-enterprise with tons of potential growth and some traction, but tons more potential in a large enterprise. And I think the reason -- like how it's okay, so in your control, like how do we make that happen? Part of it is the products, some of this R&D innovation gets better, and we're able to, particularly with things like connecting to on-premise resources, doing governance, Identity Governance with on-prem resource -- on-premise resources that product is getting better, and we have more capabilities to do that. So there's definitely a product component. Some of these new products that we have that are more directly -- contribute to immediate security outcomes like Identity Threat Protection with Okta AI or Identity Security Posture Management, you could see those being really in short term valuable from a securities perspective to a large enterprise. Identity Security Posture Management scans your entire identity ecosystem and tells you where the problems are, very actionable very quickly, different than an identity provider, which you have to implement and integrate and customers, especially in a large enterprise can look at that and say, "That's great, but it might take me 6 to 12 months to get value out of it." Different equation when you say Identity Security Posture Management, it can give me value very quickly. So products, innovation. The other thing about the large enterprise, too, is that there's an amount -- people have the idea that, oh, the large enterprises like adopted cloud and their cloud transformation is done. Ironically, some of the largest enterprise had the most IT investment, so they had the most on-premise infrastructure. So there's some of the things with the largest amount of cloud transformation to go. And that just is what it is. And as the technology forces of better cloud infrastructure, AI, how do you run your AI workloads? Do they do that in the cloud infrastructure versus on-prem? A lot of this change and evolution is driving them to modernize and upgrade, and I think that's a positive trend for Okta in the large enterprise. We've always seen from the company early days, there's a strong correlation with change in the technology stack with the company's proclivity to want to adopt Okta. So that's a positive impact there. The example -- I think a good example of a recent deal I was involved in, just to make it very concrete for everyone. So this company is a very large company, and this is a significant transaction for Okta. And the reason what it was happening is very simple. The Broadcom computer associates identity products, they were -- Broadcom was raising the price of them. And the company that I was working with that just catalyzed we're going to -- this thing is an old thing. We instead of paying so much more money, we want to look at modern alternatives. It wasn't just that. They also want to have more diversity in their ecosystem away from relying so much on Microsoft. They wanted to move to some cloud infrastructure. And so all of these changes together, it was like we really should look at a Modern Identity platform. So thus, we have this opportunity for this big deal. That's the kind of thing. The more that happens, the more people look at modernizing their identity. And when they're moving off of Legacy Identity, for a lot of reasons, we talked about all the time, we're at the pretty clear choice, and that's a good thing. So that's one thing. The other, you talked about things that are in our control. I think we have to do -- continue to do a good job of selling value from a security perspective. And these new security products help Security Posture Management, Identity Threat Protection, Privileged Access. Traditionally, Okta was thought of as IT enablement. And we can help companies have a great end user experience. Yes, of course, there's a security benefit with multifactor, but it's really kind of convenience, and we can help you get new projects rolled out, and we got to get the SaaS app adopted, it will be better. But now we're, in terms of value prop, immediate helping these companies with security issues, we have a better set of products, and we have to be -- continue to be good at selling that value and positioning the company that way. That's something we're working very hard on. And then the third thing I'll say is that in the customer identity realm, we have to continue to get better and have success selling Customer Identity, not to just the CIO or the CSO, but also to the Digital Officer Marketing, Product Officer, Technical Officer. The idea is that identity can help all of these departments. We've traditionally been good with companies that are very -- the IT group controls a lot of the technology or a lot of the decisions around Customer Identity. A good example is a great customer of ours called JetBlue, and IT there owns the employee identity, but also the TrueBlue loyalty app. And so we have a great deployment there of Okta Customer Identity. It's a great customer for us. If it's like a tech company, it's likely that the product organization or the engineering organization makes the customer identity decision. And we have to continue to be able to do that at scale because it's harder for us we grew up sell into IT and security. And there's a -- I think like a lot of part of the -- a big part of the market is those people building it themselves and we are often in a better way. We have to continue to do that. So those 3 things: large enterprise, selling security and non-IT buyers are 3 things that are important for us.

So all those things connect with the go-to-market. And I think you've commented on this year being a better year for sales productivity versus last year. We've seen time and time again in SaaS that sometimes SaaS companies that do really well with the mid-market, coming up market ends up taking longer than they expect. So talk to us about how you're investing in the move upmarket and the move to build more sponsors at the customer, et cetera? What are some of the key milestones we should be looking at?

All the -- like we do all the things that are, I would call, that you would expect like the kind of people we hire in the sales team, the relationships with -- this is a really important one, really working on the relationships and the alignment with Global Systems Integrators. Because one thing about large enterprise is that the Global Systems Integrators are very important to help them make decisions and execute on things. We're -- call it "basic things like making sure that the marketing and the advertising is dedicated at that -- those influential buyers in these organizations." The thing that might not be as obvious is -- that's very important is that you have to have really successful customer references. And we work really hard to make these accounts that are large enterprise accounts incredibly successful, and then so there'll be advocates for us. A good example of this is FedEx, right? We have 350,000 users of FedEx, and the CSO there is, I work with them frequently and talk to them all the time and where we've really worked hard to prove that -- to make sure that they're incredibly successful with Okta. And that word gets around. And a lot of this is it's not just the technical environment and the evolution and the ability to upgrade -- it's also when those people look around at other large enterprises because they don't -- as they -- make sense, right? It's like when they look for inspiration, they don't look for the small companies. And so the more examples like FedEx or the -- and we're getting a pretty good roster of these kind of referenceable customers. So that portends well for the future.

Absolutely. I want to end here with a question on Okta AI. Give us a couple of examples of some of the most impactful applications today, either on the product side or for your own internal organization. And then what do you think is most promising in the next 3 to 5 years, perhaps something that isn't quite ready for prime time today, but maybe in the future?

So the one that we've shipped is this -- I talked about it already, but at the core of Identity Threat Protection, is Okta AI. And it's a little bit of machine learning, a little bit of GenAI algorithms to, really, at the core of what it's trying to do is just trying to figure out what pattern of signals from -- remember, this product has way more signals because I talked about how deeply integrated it is, there's way more signals than we've ever had before. And not only has the context from your login, but it also has the context from other layers of the security stack. It has risk scores from endpoint, it has the network security risk being fed into it. It has mobile device management status being fed into it. So it really gets a lot more data, and then it can do a lot -- it can be have more sophisticated -- does have more sophistication on the kind of patterns that looks for that detects anomalous activity. And it takes a lot of refinement because a lot of customers in early beta, it's like a typical thing, right? It's like too many notifications, too many false positives. So we had to tune it to make sure that it didn't have too many false positives and get it right. For now that it's GA, it's like hits the mark there. So that's an important one. That's kind of like maybe what you'd expect, right? If you would have been at this conference 3 or 4 years ago, someone would have said a similar thing about machine learning and pattern recognition and threat detection, right? So that's good that we're doing that. probably more novel one and more from like, oh, that's a different perspective, more interesting is we're working on something called Governance Analyzer with Okta AI. And it's pretty cool. It's basically training the model on the anonymous policy setups and configurations of thousands of Okta customers and generating a suggestion -- suggested setup for a company. So it's like, you have these apps, you have these resources, you have these users. So this is how you should set [ your lock ]. This should be your security policy. This should be how you lock things down. This is what companies do. This is what companies don't do. And it's pretty amazing. It's like, wait, what it's all set up for me. Of course, they got to check it and make sure it's right. but it's not something customers expect from a tool like this. And it's -- that kind of stuff is pretty exciting just as a -- from a technology perspective, like a technologist, it's like that's pretty cool.

I agree. Absolutely. Please join me in thanking Todd for his time. Todd, thank you.

Thanks. Thanks for having me.