Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary
March 2, 2021
Earnings Call Speaker Segments
Hamza Fodderwala (analyst)
Right. Good morning, everybody. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. This morning, we have the Varonis team joining us for a fireside chat. I have the pleasure of hosting Guy Melamed, who is the Chief Financial Officer as well as Brian Vecci, the Field Chief Technology Officer at Varonis. Before I begin, I just want to say -- point out some important disclosures. So for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. So Guy, Brian, thank you so much for joining us.
Guy Melamed (executive)
Thank you for having us.
Hamza Fodderwala (analyst)
So I wanted to kick off the conversation kind of taking a look back at 2020, right? So you had record breach activity across the industry. You had a lot of changes in the way that enterprises think about security, which are still kind of happening right now. I'm wondering from Varonis' perspective, how has the last year changed your view about your market opportunity? You before talked about how Varonis was sort of nice to have now has become more of a must have. So I'm curious for both Guy and Brian, how do you think about your market opportunity? And what kind of customer reception have you been getting in the past year?
Guy Melamed (executive)
So I'll start, and then obviously Brian can provide more color from what we see out there. I think 2020 was a very, very interesting year for us. And the evolution of the year very much fits with kind of the progression in the business. Obviously, the year started with a shelter-in-place that took place kind of mid-March, which was probably the worst possible time for us as we were getting close to the end of the quarter. Many of the companies, first and foremost, wanted to make sure that they were set up to work from home. And their employees have the right technical ability to do so, whether it would be laptops, VPNs. And companies want to make sure that the antivirus and the firewall protection was there. But then they realize that there's elevated risk that they have to address. And we -- when you look at the evolution of the year for us, Q1, we obviously had kind of that hiccup because of that protection that was geared towards the setting employees to work from home. But then we started seeing the pipeline increase, and we started seeing the quarters progress better. Q2 was a much better quarter. Q3 was even better than Q2. And Q4 was an outstanding quarter. I think the understanding that now the collaboration and the fact that it doesn't matter if everyone goes back to the office tomorrow, this digital transformation, and the fact that employees today with a click of a button can share files, can share applications, it's really increased the risk for organizations and the ability to protect their data, and that's where we come into play. So as much as COVID was a short-term headwind for us throughout the year, we definitely see it as a longer-term tailwind that can really help us -- we see this opportunity in front of us in the years ahead is something that will continue to help us drive the business.
And when you think about COVID and the digital transformation and the amount of breaches that we're seeing, and we can talk more about kind of the recent breaches, those are not a surprise for us. And we're -- I think we're very well positioned to try and capitalize on that in the years ahead.
Brian Vecci (executive)
Yes. Just to add on to that, if you think about what happened in the last year, and Guy was talking -- Guy mentioned the digital transformation, you're expected now to be able to work from anywhere from any one of a multitude of different devices, access any data that you might need, share with anybody who might need it and collaborate completely digitally. That's meant that, first of all, organizations have to manage a much more diverse and complicated workforce. They have to manage much more data and workloads that are in cloud repositories like 365. Cyber criminals and advanced persistent threats are far more prevalent and sophisticated than they were even a couple of years ago, and privacy regulations now have real teeth. You add all of that together, Varonis doesn't become a nice -- isn't a nice to have, you need to be able to protect data, be assured that people don't have access to stuff that they don't need and they're not sharing up with people who don't need it, that you not only understand where sensitive data is, but that it's locked down and monitored that you can quickly detect when something goes wrong, whether it's an outside attacker, an insider, a piece of malware, like ransomware or something really sophisticated like a supply chain breach, which happened to SolarWinds. And you have to make sure that you're meeting all of these regulations. All of those are outcomes that Varonis helps with. And what's happened over the last year is that this has become the new reality for enterprises. It really was before, and we built a platform designed to support this model. What 2020 showed was, this is now the world that we're living in and it got here a lot faster than I think many enterprises were expecting.
Hamza Fodderwala (analyst)
Yes. I'm curious, like were there customers who might have been evaluating Varonis in the past, right? I know you guys do a lot of things like risk assessments and whatnot. And were there customers who might have been maybe in that more POC phase, weren't really fully ready to commit yet, and then after the last year, are really doubling down and really investing in a product like Varonis?
Guy Melamed (executive)
So when we look at our sales cycle. We've seen our sales cycles be between 3 to 9 months. And on the larger deals, it's up to 12 months. We haven't seen sales cycles change much. And that's actually a positive thing for us because we've -- the number of licenses that we have been selling has increased significantly. So when you look at new customers that bought under the perpetual model, we saw them buy between 2 to 3 licenses. With a subscription model, we've seen new customers start with more than 5 licenses. So they're consuming the platform. They want to be better protected and they want to be better protected off the bat, which is really kind of the reason why we even initiated the transition. The transition to subscription really came from the customers. Came from the fact that we came out with additional licenses, many Office 365 licenses, many other licenses that were geared towards automation. And we started hearing from the field that they just want that protection sooner. And the transition to subscription allowed them to consume more of the licenses at a lower entry point. But when they consume more, it helps us kind of protect the ASP. So all of that really drove from the customers. We're not the type of company that a breach will happen, and you'll see a spike in revenue the next day. It's just -- it's not us. We're much more of that thoughtful process that organizations go through in order to really understand what they need in order to protect their data. With that said, I will tell you that every single breach and especially what kind of the discussions that we're having recently, companies are more concerned. This is not a problem that they can ignore anymore, and they are thinking about it the right way, which is, we believe, going to help us in the long term.
Hamza Fodderwala (analyst)
Got it. Well, that parlays well into my next question. I understand -- so obviously, SolarWinds' breach, which happened last December, right, our work suggests that this is going to be a pretty major event. I understand that there's not going to be an immediate spike in revenue for a lot of companies, right? I think like you mentioned, more of a longer-term tailwind. But from your perspective, how have you seen this more recent SUNBURST or SolarWinds breach impact your customer conversations? Is it showing up in pipeline? And how do you think Varonis is going to sort of play within that response effort, right? Because you've got a lot of different licenses from data governance to threat detection and whatnot. So I'm curious, one, like is it coming up in customer conversations? And is it starting to influence pipeline? And two, how does Varonis sort of help in that response effort?
Brian Vecci (executive)
So I'll start here. And the answer is absolutely, it's come up in customer conversations. One way to think about this, I think the right way to think about it is we've been saying for years that when it comes to threat detection and response, once an attacker has passed the perimeter, Varonis is the only game in town because we're the only ones that are not only helping make sure that given user and service accounts only have access to data that they're supposed to. But that we're watching -- we're starting with watching the data, along with understanding what's sensitive and what's normal for users. And then we add on additional telemetry like authentication telemetry, perimeter telemetry, permissions information and classification that adds additional context. So Varonis is really the only way to accurately and quickly identify when there's a threat that's gotten past your perimeter. Now let's look at SolarWinds. SolarWinds is what we call a supply chain hack, where a SolarWinds update server compromised any SolarWinds customer that was leveraging that functionality and let the attackers in through a SolarWinds -- a piece of IT infrastructure that was already in place. It completely bypassed the firewall. It completely bypassed all of the advanced endpoint protection that they had. It didn't matter how big and powerful your firewall was or how advanced the antivirus and advanced threat detection on your workstations were. SolarWinds and SUNBURST completely bypassed that. The only way to detect that kind of threat is to know what is normal for this particular server and the accounts on it. What do they normally authenticate to? Do they ever normally touch data? Do we see activity like DNS traffic or web traffic that might indicate command and control? Do we see lateral movement? And really, specifically, do we see data access that is abnormal for that infrastructure in those accounts? Varonis was the only one that was able to detect that.
SolarWinds and SUNBURST is the latest example of you need us in place because if you try to rely on your perimeters, you're going to end up being breached somehow, whether it's an insider or an outside attacker that finds their way past your perimeter. So the conversations with our customers have really been about, here is why the broader Varonis platform, not just one license, not just DatAdvantage for Windows looking at file system data. The classification to add context, directory services information to add authentication in device telemetry, perimeter traffic like DNS, web and VPN to see command and control and exfiltration. Monitoring 365 in cloud technologies to make sure you have additional context about how other data might be accessed and what other -- what these accounts might be touching outside of the data center, all of that is important. And it speaks to what Guy was talking about, more of a customers need to consume more of the platform. And what SolarWinds and SUNBURST has done is illustrated exactly why Varonis as a platform with all of these licenses working together as a single platform, tightly integrated are so valuable. This is -- So SUNBURST is exactly why Varonis is necessary.
Guy Melamed (executive)
And Hamza, just -- I know we talked a lot about this as part of the earnings call and but it's important to note that when we look at Q4, yes, there was a lot of activity, a lot of conversations that were kind of generated from those breaches. But we didn't see any significant revenue come into plan in Q4. And when we built the guidance for 2021, we didn't factor in any revenue contribution coming from SolarWinds because it's very hard to quantify how that would evolve, especially with the sales cycles that I'm talking about. So we wanted to continue kind of guiding in a responsible way, but we are hearing many more conversations coming from customers with that.
Hamza Fodderwala (analyst)
Got it. Got it. No, of course. So one of the things I think to step back is kind of what I'm hearing is, there's been a sort of rapid pace of change towards cloud and digital transformation over the past year. And it seems like security, for the most part, is still playing catch up with security architectures rather. I'm wondering, are you starting to see your customers start to have more of these broader architectural conversations as it relates to their security and how Varonis is participating in that? And do you think that will translate to even larger deals going forward, right, as CIOs and CSOs more radically rethink their architectural approach to security?
Brian Vecci (executive)
I think one way to think about this is that CIOs and CSOs are now realizing that the technologies that they've had in place and the kind of legacy message and approaches that they've taken aren't going to be sufficient to protect their data and secure their environment in this kind of world where everything is digital and many organizations are cloud-first or hybrid and users and applications are expected to connect to each other from all over the world at any time and everything is Internet-enabled. Varonis has built a platform to support that environment. And absolutely, we're having more high-level conversations that are more about why you need a data security platform in place and why your perimeter technologies and other approaches haven't and won't work to reach the outcomes that you need to. And the outcomes that we're talking about are: Is my data protected? Do I understand where I'm at risk? And can I safely and automatically reduce that risk? And how quickly can I detect and respond to threats and then the overlap of that being? Can I keep my data and my systems private and prove that I'm compliant. Those are the outcomes that we help our customers get to. We're absolutely having more high-level conversations. And it's why we're seeing more of our customers consume more of the platform, both initially and over time, which is exactly why the subscription model makes sense for our customers.
Guy Melamed (executive)
And I want to add on that because I think it's a very important point that Brian just pointed out. When we think and look at kind of the consumption of the licenses, and when we started the transition, we said that we believe customers, on average, should get to double-digit licenses. And when you look at the KPI that we introduced recently, it was a number of companies with more than 500 employees that have 4 or more licenses and 6 or more licenses. Now when you look at kind of the percentage there, on the 4 or more licenses, it went from 54% last year to 63% this year. And in the 6 or more licenses, it went from 20% to 30%. So a 50% increase in 1 year alone. But at the same time, it also shows how much opportunity we still have within our existing customer base. So the path to double digit licenses on average per customer has never been clear to us. And the point that Brian mentioned, the fact that they're buying more licenses is just healthy, is a very important point that I want to emphasize. During the transition, in 2019, one of the biggest pushback we got from investors was kind of the question of, yes, we understand that customers are buying more licenses after that, but does it mean that you're cannibalizing your growth. And we said all along throughout the transition that not only is that not the case, it's actually the opposite. The more licenses you get from Varonis, the more value you will receive, the better the customer satisfaction and your ability to come back and buy more licenses goes up. And that's what we're seeing. We're seeing that kind of the 4 licenses is really the minimum number of licenses that you need in order to get some sort of automation within the platform. And your ability to come back and buy more goes up significantly when you start with that number of licenses compared to starting with 1 or 2 licenses in the initial set.
Hamza Fodderwala (analyst)
Got it. Got it. That parlays well into my next question. So you obviously recently completed a pretty successful transition. You mentioned how you're really seeing strong traction within the installed base. We're coming out of on the other side of that now. I'm curious, like how is the subscription model helping with sort of that net new customer, right? Because clearly, it's helping you with up-selling into your existing base. But as far as net new customers are concerned, are you seeing more traction there with this new model?
Guy Melamed (executive)
So I think it goes back to the fact that we're seeing the number of new licenses to new customers go up significantly. We're selling approximately double the number of licenses to new customers under subscription compared to the number of licenses we had under the perpetual. So they're consuming the platform in a much better way for them, but it's a win-win because, obviously, the subscription model is the underlying strength of that model is obviously clear. So we're able to provide more value to customers and at the same time, get the recurring revenue component that is -- that provides more visibility to us.
Hamza Fodderwala (analyst)
Got it. So I just wanted to touch base on the Polyrize acquisition. It was your first acquisition that I think you made ever. I'm wondering how that is -- the integration around that is going? And are you, for the most part, still selling Polyrize side-by-side? And kind of what's sort of the broader integration strategy there?
Guy Melamed (executive)
So I'll start with [ the end ]. When we acquired Polyrize, we mentioned that we don't expect to see any revenue contribution in 2021 coming out of Polyrize because what we're trying to do is integrate the platform into the Varonis product. And we want to make sure that it kind of fits the Varonis standards. And when we look at the milestones, we're actually hitting -- so we're very happy with that progress to date. When you think about kind of the acquisition being the first acquisition, you said it right, we've grown organically since inception. And in Q4, actually acquired Polyrize. It really fits with the story of 2020 because we see the opportunity ahead. And in that discussion of build versus buy, it made a lot of sense for us to acquire Polyrize and cut our time to market. And what we believe we kind of saved from a timing perspective is about 2 years going to market with the acquisition. So seeing kind of the progression throughout 2020, getting Q3 to be a better quarter and kind of seeing the pipeline and the discussions and how this has become a long-term opportunity for us, it made sense for us to make that tuck-in acquisition and the raise that we did recently was just part of that. We want to have the flexibility to have additional tuck-in acquisitions that would speed our time to market. Obviously, it needs to make sense from a pricing perspective and a technological perspective. But we want to have that flexibility, and that was part of the reason that we went back to the market and made that raise that worked out very well. So where we sit today, we see tremendous opportunity to be able to capitalize on this tremendous opportunity in the years ahead. We want to make sure that we're executing according to plan. And this short-term execution will allow us to make investments that can help us in the long term.
So we always try to balance our investments with kind of the top line growth and kind of keep the 2 metrics of top line growth and operating margin, they're equally important to us. And we've been thinking about it the same way for a couple of years now. But this acquisition was very much a continuation of how 2020 evolved for us and the opportunity we see ahead.
Hamza Fodderwala (analyst)
Got it. Yes, I wanted to ask about the recent equity raise. Obviously, you had this big market opportunity ahead of you, right? Clearly, it makes sense to do that and have the capital to really address that opportunity. But I'm curious as you think about expanding the platform, right, whether it be build versus buy, what -- I mean, what are you looking for, right? I mean, where are you looking to expand into in terms of adding more technologies, what's sort of the criteria? Because obviously, Varonis is in a very sort of unique position within the marketplace. So I'm curious, just on a high level, how do you think about adding technologies to your platform?
Brian Vecci (executive)
I think maybe the right way to think about this is to understand why Polyrize was such a good fit for us. So Varonis as a platform. It's important to remember that we're unique. Nobody else does what we do and the way that we do it. And the core of that is that what we do is map the relationships between users and data, how that's used, by who, and what data is sensitive and then reduce that risk over time. And we have a methodology for helping our customers do that. We built a platform to enable that. Polyrize had built a platform that connects users with data and other resources and cloud technologies and match those relationships together. We've had our eye on other data storage and cloud applications for a while. Cloud applications and technologies that behave much like traditional data storage. You can think G Drive and Box, which are broadly similar to Microsoft 365 in being a data collaboration or file collaboration platform. There's also other cloud technologies like Salesforce and GitHub, that are just cloud applications that are massive and business-critical that also store a huge amount of data. There's also cloud technologies that behave in ways that connect users with applications or foster collaboration, Slack and Okta and Zoom and things like that. So we've had our eye on these -- on many of these technologies for a while. And what Polyrize does is get us much closer to supporting those technologies as part of the broader Varonis platform much, much more quickly. Polyrize was unique in what they built in the same way that Varonis is unique in what we built. So it speeds our time to market. We're going to continue to look for opportunities where we can speed our time to market, to help our customers manage and secure their data quickly detect and respond to threats, meet the privacy and compliance requirements. And we now are really seeing infrastructure and configuration management being a huge issue especially in a cloud-first world.
So Polyrize gets a support for a lot of technologies much faster than we would have otherwise, and we'll continue to look for other opportunities like that. But they would need to be unique and be a natural extension of what Varonis does in the ways that we do it.
Hamza Fodderwala (analyst)
Got it. Got it. So building on sort of the comment on uniqueness, right? So obviously, Varonis is kind of in an -- almost in a different category in a sense because security and then data governance. I'm curious around the competitive dynamics, right? We're seeing more and more convergence between sort of nontraditional like observability and monitoring vendors, getting more into security. I'm wondering, are you seeing any overlaps there with the likes of -- I mean there's always been Splunk, but then you're seeing companies like -- monitoring vendors like Datadog, talk about getting more into security and others. Yes, I'm curious how you see that convergence evolving and whether there's any overlap there with Varonis?
Brian Vecci (executive)
I'll take the second part of that first. We don't really -- we don't see any overlap. We look at competition very, very carefully. We look at every single deal and every engagement and every customer, and we look for -- if we're competing with any other approach or technology and we still only see competition in about 1 out of every 20 deals or about 5%, and those 5% are scattered amongst the galaxy of different approaches, competitive tools or kind of manual ways of trying to address these problems. There is no other vendor out there that does what Varonis does in the way that we do it. Nobody combines the data monitoring that we do at our scale with permissions and relationship mapping at our scale with the automation to reduce risk, with the ability to enrich all these behaviors in such a unique way where you can use all of that activity and data that you've collected to build accurate profiles and detect and respond to threats. So we integrate with these other technologies like Splunk or QRadar and LogRhythm. We integrate with other DLP technologies. We integrate with identity management, and we really sit in the nexus of where all of these other technologies are really playing at the perimeter to use -- W is the phrase there. So Varonis really is unique. We're always we're keeping a very close eye on the market. We haven't seen any other technology even come close to being able to compete with us on even a single portion of what our broader platform does. There is nobody out there that competes with what DatAdvantage in 2007, let alone what the Varonis platform now does in 2021. So it's -- we're still unique. And we have a huge advantage of we've been building this platform for a decade and a half. We've got thousands of customers that have been using it.
We have teams on the ground that know how to help enterprises go from a chaotic environment where they don't know where data is or where it's exposed or how it's being used to locking everything down automatically and nonintrusively identifying and involving data owners and tying Varonis and the unique threat detection that we're doing with their security operations center and the rest of the threat detect and stack. We know how to do it. We have a methodology to get there. And we have a unique technology to get there. So even if somebody wanted to try to compete with us, they're 15 years behind, and it's a pretty large ask for even a small piece of what we do, let alone everything that we can do now and with what's ahead of us.
Hamza Fodderwala (analyst)
Got it. Just for my last couple of questions around the model. So Guy, I think you guys have talked a lot about your ambition to get to $1 billion in revenue, right? So I'm not asking you to give any new guidance. But just if you could speak to maybe your level of confidence in reaching $1 billion with the portfolio that you have. And any other -- any color you'd want to add there?
Guy Melamed (executive)
Absolutely. I think when we introduced this plan and started talking about it publicly, it was obviously after we had a lot of internal conversations about it. And that was a couple of years ago. When we started thinking about the plan to $1 billion, we felt that we had the right technology. We had the right customers, obviously, the right employees, the right technology. We did feel that -- at the time we were a perpetual type company, we did feel that the likelihood of getting to $1 billion increases significantly when you switch a model from perpetual to subscription for obvious reasons. With the switch now, I can tell you that we see the path much clearer and the probability has increased. When you think of kind of the time I joined Varonis 10-plus years ago, and we had about $20 million at the time, and the plan was how to get to $100 million. When you think about the probabilities, the probability that we have now are kind of more in our favor. So we feel very good about our ability to get there. I think the market is helping us. We're getting that tailwind, and we believe that, that tailwind will continue. Breaches are not going away. The risk and the way companies perceive the risk is being elevated by the day. And we need to make sure that we execute in the short term to support the long term and make the right investments. I think we've done a good job to date, and we plan to continue doing it in the years ahead.
Hamza Fodderwala (analyst)
Right. And just for my last question, just as you think about growth versus profitability, right, obviously, there's a near-term trade-off there because you're investing towards this opportunity. But longer term, how do you think about that? Do you think about it in terms of rule of 40? Any color you can give us there?
Guy Melamed (executive)
So I think the 2 metrics, the 2 -- the top line growth and the operating margin has always been kind of at the forefront of our philosophy of running the business and add to that generating cash flow. So I think those 3 components kind of go hand-in-hand. We've always focused on those 3. It's always a very delicate balance to make sure that you can still take advantage of the market longer term and make the necessary investments now to support that growth. So I think the Polyrize acquisition, some of the investments that we're making today are not necessarily going to be reflected in 2021 growth. But should be reflected in the years ahead, years post 2021, and we want to make sure that we're making those investments now. At the same time, we don't just believe that you need to grow and bring none of it to the bottom line. So when you look at kind of the evolution on the non-GAAP operating margin, we showed very steady growth, very steady improvements prior to the announcement of the transition to subscription. And obviously, in 2019, there was this short-term headwind because of revenue transition. But when you look at kind of the progression from 2019 to 2020, we went from minus 11% non-GAAP operating margin to minus 1.5%. And we're guiding for 1% non-GAAP operating margin positive in the midpoint of the 2021 guidance. So as you can see, kind of the results and kind of the discussion and the philosophy that we have hasn't changed. We're still very focused on growing the top line but bringing some of it to the bottom line.
Hamza Fodderwala (analyst)
Got it. All right. Well, with that, Guy, Brian, thank you so much for your time this morning, and we'll wrap it up there.
Guy Melamed (executive)
Thank you very much.
Brian Vecci (executive)
Thanks, everybody.