Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

Okay, well hey, good morning everyone and welcome to day 1 of the Barclays TMT Conference, my name is Saket Kalia, I cover software here at Barclays. Very happy to have with us the team from Varonis. We've got Guy Melamed, CFO and COO. We've also got Brian Vecci, Field CTO; as well as Jamie Arestia, Head of Investor Relations as well. We've got about 25 minutes together. Maybe what we'll do is I'll lead some fireside chat for the first 15 or 20 minutes. And then we're going to take some e-mail Q&A from the audience. What you can do is just send in your questions on e-mail to [email protected], during the presentation, and I'll do my best to get through as many of them as we can. We'd love to make this active, so definitely don't be shy and just send them along. So with that, Guy, Brian, Jamie, thanks so much for being with us here today.

Thanks for having us.

Thank you.

Yes. Yes, absolutely. Guy, I'd love to start with you. Just to make sure that we're all on the same page. Can you just level set for us a little bit, what were some of the things that you were particularly proud of from Q3 earnings from a financial perspective?

I think the overall theme that we're most proud of is our execution in an environment that for many is challenging. And when you think about kind of the transition from perpetual to subscription, that was very much scripted. We knew what we were hoping to do. We knew what we were hoping to achieve. We had a set plan. We communicated it to the team and everything was kind of structured and it worked out very, very well. And then when we were done with the transition, COVID hit and then you had a challenge that you have to deal with that didn't have a playbook. And we, I think, very much dealt with it in the same way we've dealt with all the challenges that we've been facing. We embraced the challenge and we addressed it to the best of our ability, and it worked out very, very well. So if you go back a year plus to even Q1 2020, the sky was falling, everyone thought that the world was coming to an end. End of March, we had the shelter in place, which was the worst possible time for us. We had a hit the revenue, we stopped the hiring apart from the sales force. We cut salaries to our employees. And -- but at the same time, we started seeing the pipeline build up when we started seeing momentum under the hood that made us change from a defensive mode to a much more offensive mode, and we started making investments way before we saw the revenue kind of come into play. And when you think of how 2020 evolved, Q2 was a much better quarter. Q3 was an even better quarter and Q4 of 2020 was an outstanding quarter. And again, it was a direct correlation to the metrics that we were tracking very, very closely. So we're a very metric-driven-type company. It allows us to see things way before they occur and allows us to make the adjustments. And the adjustments that we made very, very quickly at the beginning of 2020, allowed us to benefit from a digital transformation. Now I know a lot of companies talk about the digital transformation, and this has become kind of a common theme but we never benefited from COVID. We always stated throughout 2020 that in the short term, COVID was a headwind. But the COVID and the digital transformation has longer-term implications on our ability to capitalize on a much bigger and larger opportunity. And that's what we've been doing. We've been making, I believe, the right investments in the right places, mostly in sales and marketing and the R&D department to be able to capitalize on this on a much larger scale and for a longer term. So if you ask me kind of what was the most encouraging part about Q3 is the fact that we were able to continue to execute according to our plan. We put our guidance for Q4 that signals how good we feel about the business and about the momentum, it's basically the highest guidance we've provided since 2014, 26% to 29% top line growth against an outstanding Q4 quarter. And that just signals how we feel about the business and how everything that we've invested has kind of come to fruition, but we haven't even scratched the surface at the same level. So there's a lot of moving parts, and we can dig into kind of the metrics and the numbers and the themes. But that's kind of the overview of how we feel about the business.

Got it. Got it. That's very helpful, Guy. Brian, maybe for you, just from a high level, just to complement a little bit about what Guy talked about. You spent a lot of time with customers. What are you hearing from customers about their desire to invest in data security tools like Varonis? And maybe particularly, how do you feel like the active breach environment that we've seen this year has maybe contributed, if at all, in your view? Does that make sense?

It does. And I think it has -- I think the right way to think about this is if you have valuable data, somebody wants it, whether it's an insider, walking off with your intellectual property, customer list pricing lists or an outside attacker who's trying to exfiltrate your data or maybe get access to it, lock it down and hold it for ransom and extort you for it, all of which are symptomatic of the breach environment. But what's happened is -- and we've known this for 15 years, the whole reason Varonis as a company was founded, is organization's ability to create data has completely outpaced their ability to protect it part of it is just the amount of data. That's clear. It's growing, and it's growing fast, but it's not just that. More and more data -- like maybe look at it this way. When Varonis was founded in 2005, 2006, when we released our first product and had our first customers, a really big customer might have a few dozen or 100, 200 terabytes of data sitting on file servers and NAS devices inside a data center, protected by firewalls, their endpoints were generally protected, users had to jump through a lot of FOUPs to get access to that data. And the data, while there was certainly a lot of collaboration going on, it was basically kind of a one-to-one relationship between the users and the data. But we don't live in that world anymore. More and more data lives both on premises and in cloud repositories like Microsoft 365 and G-drive and Box. There are huge applications like Salesforce and GitHub that aren't necessarily file stores or data stores in particular, but they store huge amounts of really valuable data. All of these platforms are designed with collaboration in mind. I can get access to anything that I need to do my job from any one of my devices, I've got 3 laptops in front of me, a phone an iPad. I can do it from anywhere in the world at any time. 3 of the devices in front of me have cell phone connections basically, I'm always on, and this is true of all of our workers and all of our employees these days. And all of these devices, they don't really store data. If my laptop were to break, my IT department would just replace it, and it's fully encrypted, and it's no problem. The devices are a lot more like access points. Your laptop is a lot more like your phone and that it just connects to these sanctioned repositories, both on-prem and in the cloud. And these repositories are growing in the amount of data and the complexity of how people collaborate has been growing, too. And what that means is we're now in a world where data is designed -- by design, it's set up to collaborate inside and outside the organization with users and applications and guests and external users and contractors . And we're also in a world where the incentives for an attacker inside or outside and advanced persistent threat, a cybercriminal group the incentives to get access to data are higher than they've ever been because, of course, cryptocurrency means that I can get paid if I get access to your data. All of that combined together means that to go to the first part of your questions, our customers and I think any enterprise is -- has to invest in security tools because the data -- unlike the devices or the servers or the network, the data is a business asset. And in some respects, maybe the second most valuable asset a company has behind their employees. If -- you can reduce all of your information in cybersecurity risk to 0. I say this to every CISO at the top of almost every meeting I have, you can just delete it all. Turn off your 365 tenant, unplug your NAS, delete all of your data and you don't have to worry about anything. You can sleep well at night. But of course, we can't do that because the data has value and it has value because we can collaborate, all this collaboration make security much harder and you need a platform-based approach to securing it, which is exactly what we provide.

Got it. Got it. Makes sense. Guy, maybe just picking up off that a little bit. I mean, with all these different types of data that are out there and all the different licenses that Varonis offers. One of the things I feel like you've said very consistently, particularly since the subscription transition is that the path to double-digit licenses has never been clearer. And so I guess the question is, can you just walk through why you think that's the case? As customers go to double-digit licenses, how do deal sizes look? I'd love to you to talk about sort of that path to double-digit licenses a little bit.

So I'd have to go back to kind of what we saw when we sold perpetual because it ties to how we're selling subscription and how the path to double-digit licenses on average per customer has never been clear. So when we sold perpetual, we would usually start with 2 to 3 licenses and they would usually be data advantage, data classification and data alert. That was kind of the security bundle. But what we saw very, very clearly at the time, and that's the reason we initiated the transition is that customers didn't want to start with only 2 to 3 licenses. They wanted to consume more of the platform. They wanted to be protected not through a 3-, 4-, 5-year process where they come back and purchase additional licenses. They wanted to start with protecting some of their platforms more than 3, and then come and continue to be better protected and there were many licenses that were geared towards automation, that we came out with between 2015 to 2018. So when we went public, we had 10 licenses. It made a lot of sense to be under a perpetual model. But when we initiated the transition, we had more than 25 licenses. Now we have more than 35 licenses and it's just a no-brainer to provide it with a lower entry point with a subscription model, but with having the customers consume more of the product. So when we look at subscription today, we see customers, new customers start with double the number of -- approximately double the number of licenses they've consumed under the perpetual model. So when you think about their ability to be better protected, they're gaining more licenses that have automation. They see more value within the product and their ability to come back and justify additional purchases goes up. So if you start with data advantage, data alert, data classification and then add automation engine, directory services. The Office 365 in itself is like 5 to 7 licenses depending on what you need. That in itself gets you to around the double-digit licenses. And that doesn't even talk about the DA cloud licenses, which are 9 licenses today. And that doesn't even talk about some of the other licenses that we had for years that we believe customers should need in order to protect their platforms. So when we look about some of the KPIs that we've provided, when you think about the 6 or more licenses, companies with 500 employees or more, then have purchased 6 or more licenses over a 2-year period, we more than doubled that number from 17% 2 years ago to 37% at the end of Q3 2021. But think about it in a slightly different way. That basically means that 63% of our customers have 5 or less licenses. Think about how much more we can sell to our existing customer base. And we're seeing kind of the -- we're seeing the progression. We're seeing how a customer that buys under subscription, more licenses, they are happier customers, and it doesn't cannibalize the growth. It allows them to justify additional purchases. In some cases, they start talking about the second purchase as we go through the first initial purchase. And when they see the value, they come back and they buy more. So there's a lot of meat on the bone that we need to be able to execute against and focus on extracting those dollars from our customers by providing them value. And I'm not talking about the fact we've never neglected the new customers. We're very focused on getting that new fuel in. A major part of the commission plan for our sales force is getting new customers. And for the majority of our sales force, it's that customers at the right size, which, for us, is over 1,000 employees. So we're very much focusing on getting new customers, but we also understand the opportunity we have within our existing customer base and how we can increase value and dollars ARR for us with sending to that.

Got it. Got it. That's helpful. Brian, maybe kind of [ similarly ], I'd if you can just add a little bit of color to what Guy is saying in terms of you've seen customers that are at double-digit licenses versus that average of 5 plus, let's say. The question is, what are those incremental licenses? Guy's wrote a couple of examples, right? Office 365 can have 5 to 7 DA cloud, which is still very early, of course, right? What are those incremental licenses that take a customer from those average of kind of 5-ish, let's say, to double digit? What is that -- what are you seeing that's most popular to take them there?

It's important to understand how our platform is licensed and that all of these products kind of build on each other, build on a single platform rather than being separate products and a portfolio of different tools. So the right way to think about this is where our customers start is typically on one or more core data stores. And when you need to secure data, you need to understand it through a couple of different dimensions. You need to understand not just what you have and where it is, you need to understand where it's at risk, meaning who's got access to it and where it's exposed and how it's being used so that you can alert when something goes wrong. So in order to do that on, say, an on-premises Windows file system or a big NAS platform like Isilon or NetApp, you need data advantage and you need -- and that will help you understand what you have and where it is and how it's being used. But then, of course, you also need to know what's important, where do I have PII or PHI, intellectual property, the really important data, so you want classification and maybe you're subject to a privacy regulation like the GDPR. So you want some advanced classification or maybe you acquired a company you want to add that on. You're monitoring data and how it's being used, but you also want to know when something goes wrong, like when an insider starts accessing a bunch of sensitive data that they've never looked at before or a human being or a service account starts behaving like a piece of ransomware and you need to alert quickly and reduce your time to detection and prevent a breach. Well, you need data alert as well. So generally, what our customers are doing is starting with 4 or 5 or 6 core licenses on a data store or two and then they'll expand where it makes sense, either to, as Guy said, maybe I, at the beginning of COVID, suddenly realized that my 3-year Microsoft Teams rollout plan needed to happen in 3 weeks because we sent everybody home and now everybody needs to work remotely. So now I need protection there. And that means I need OneDrive and SharePoint Online and classification for both. Or maybe I've had -- I have Varonis and I'm monitoring and alerting and I'm measuring risk, and I'm reporting for compliance, but I don't want to leave data open to everybody. And I need to really put better stricter protections in place. And I can't do that manually, so I need to automate it. So the automation engine makes a lot of sense. So as you say, Varonis has 200 [indiscernible] ourselves. We have 200 SaaS applications, about 20 of which are core. And now I realize I need to be able to connect these behaviors and protect data in Salesforce and AWS. And I've got client-facing data that's in G-Drive or Box. So I'm going to expand in there through DA Cloud. The beauty of our platform is that everything is tightly integrated together because it's all built with this operational plan in mind, and it's all built on a single code base where everything kind of works together. Yaki says more is more. What that means is the more of our platform you have, the more valuable everything becomes. So there's lots of different paths to go from 6 licenses to 10 or 12 or 15 or even more these days. It depends on kind of where you started and how and what's most important and why. But everything kind of tightly integrates together, everything enhances itself. And the more you have -- as you say, I've seen these customers with double-digit licenses, the business value reviews where we sit down and measure their business cases, business challenges, what are you trying to accomplish and why who cares about it? And what are the risks we're measuring? And what are the measures of success. When they're using our entire platform, those value reviews are incredible. And so that's where we're trying to get all of our customers.

Got it. Got it. That makes a lot of sense. I want to shift to some financial questions here. And Guy, maybe for you, I think a great place to start would be ARR. You've said -- I think one of the things that we said last quarter was that there was some confusion out there around convergence between revenue growth and ARR growth. Can you just talk a little bit about that confusion and also touch on just potentially new thoughts on ARR going into 2022?

So I'll start by saying that I think we were trying to be as transparent as possible and provide all the color. We provided ARR when we started the transition because that was the most important metric to follow as we go through the transition. And then towards 2021, at the end of 2020, we started talking about the fact that ARR, we kind of have some sort of a lower number just because of the mechanics of the mathematics of being post the transition. And then the revenue should be kind of the number to focus on in 2021. And then as we end 2021, and we start thinking about the DA Cloud, the leading indicator for next year is ARR again because if we start selling DA Cloud and obviously, we'll provide more color as we go through it, it's still very early innings. We're just in the very early stages of it, and it takes some time. But as we started selling it more, it's recognized ratably. So again, there's this kind of changes in KPIs, and we want to make sure that investors are thinking about it the right way, which is part of the reason that in the last earnings call, I talked about the fact that we will give guidance for ARR next quarter because we want to make sure that everyone understands how we're thinking about the business. And what is the right way to think about the business? And I think part of the confusion is not in the investor's fault. It's just the fact that we moved so quickly. Companies usually take between 4 to 6 years, we did it in 5 quarters. So there was a lot of mechanics that we had to make sure everyone understands in a much shorter period of time. And that's okay. We're happy that it took us only 5 quarters, much better than taking 4 to 6 years, even with that small confusion that we're trying to clarify. And as we go towards next year, everything becomes much more apples-to-apples, we have 1 year of being a true subscription company under our belt. And I think it clarifies things just by the mechanics of things even further. So that was kind of the color that we were trying to provide in the last earnings call, and we will continue to provide that color going forward.

So I'd actually love to pick up on that point, right, in terms of -- we'll have a year of really pure subscription under our belt here with 2021. And so as we go into 2022, we're done with the subscription transition. One of the questions that I get every once in a while sort of what are the puts and takes to ARR growth? Again, ARR is now arguably going to be apples-to-apples in terms of subscription mix. So does ARR growth kind of now reflect market growth plus share gain that you're benefiting from plus more licenses? Like how do you think about sort of the building blocks of ARR growth now that we kind of have like apples-to-apples compares? Does that make sense, Guy?

Absolutely. I think when you look at the components of ARR, it has the maintenance of perpetual, which is one kind of separate, isolated component and you have the subscription licenses that are acting much similar to a pure subscription company. And I'll dig into that for a second. ARR, and for that matter, NRR are usually metrics that work with companies that have been subscription companies for many, many years, in most cases, since inception. Part of the reason that I've provided some color on NRR and we'll give the number on an annual basis. So in the next earnings call, we'll provide the NRR for the year. But some of the components that investors need to think about is that NRR and ARR for that matter, still has the headwind of the maintenance of perpetual. And investors can pretty much get to the number of the maintenance that is comprising the part of ARR because we have a very small part of professional services in that line item. It's roughly low single-digit percentages out of total revenue. So the majority of that line item is the maintenance of perpetual. And we're not going back and converting those customers. We're not forcing the conversion. So that number is roughly going down in single-digit percentages, which is kind of the normal churn. We've had a renewal rate that has been consistently over 90%. And that's kind of the result of that ARR impact that's coming from that portion. So that's one component of ARR. The other component of the ARR is the subscription revenue. And again, for next year, it's going to be kind of comprised of 2 separate revenue recognition ways. One of it is going to be the regular on-prem subscription licenses that we sell. The other one is going to be the polarized licenses that hopefully will start selling at a much larger scale. And from a revenue perspective, it would be recognized ratably. And from an ARR perspective, it doesn't really matter. And that's why we want to simplify it. That's the metric to focus on for next year. That's the right number to think as the leading indicator for the company because all the rest has a lot of noise that can confuse investors. And that's why we're trying to emphasize that. I hope that makes some sense.

Yes, that does Guy. That does. And definitely, I mean I think definitely excited to see DA Cloud maybe be a bigger part of ARR next year, which I would argue, makes that metric, to your point, right, a lot more important just given the ratable rev-rec. So understood that, that's very helpful.

And it will take time. I do want to emphasize that it takes time to see those licenses kind of come into play and become a major part. It took us a couple of years for Office 365 to take off. And we haven't looked back on those licenses. It took us a while with the automation engine. I will tell you that all the indicators that we're kind of tracking from a meetings perspective and interest, the amount of kind of buzz that it's creating with our customers is very, very healthy. But I do want to kind of just put everyone in the right mindset, it takes us time to start seeing that flow into the POs and the ARR number.

Got it. Got it. Guy definitely have one more financial question for you, but I actually had an e-mail question coming from an investor for Brian, if we can. Brian, maybe for you. I think that we saw CrowdStrike introduce a product, I think it's called FileVantage. I had a question or 2 just whether it was competitive with DatAdvantage. Can you talk about the competitive environment a little bit? And if anything comment on that product announcement.

Sure. I think the only way it competes with DatAdvantage is in the name. It sounds like something that we might have released. But it's CrowdStrike is a great company. It's great in the endpoint. That product is what we would consider and what they consider a file integrity monitoring product, and it competes with something like Tripwire, which has been around since before Varonis and doesn't reach the same outcomes. It doesn't help you classify data and reduce risk and monitor behavior and tell you when something goes wrong at scale. So it doesn't compete with us at all. We welcome other companies making investments in security and Varonis is certainly part of a broader security landscape. Again, CrowdStrike is great. As far as the broader competitive environment, I'm glad you asked because it's important to know where Varonis fits. And if we're competing with anybody. And to this day, that we still don't have any credible competitor. In fact, we're seeing less competition than we did even 6 or 7 years ago. And the reason is the technical mote around us, the platform that we've built, along with the people that we have and the methodology that we have for our customers is unique. There's nobody else that does what we do in the way that we do it. And as Guy can attest, we measure every single deal very, very closely. I'm involved with basically any competitive scenario that we have, and we still only see competition or even perceived competition in about one out of every 5 -- one out of every 20 excuse me, deals or about 5%. And that -- those competitive or CodonCode competitive scenarios are scattered amongst point solutions and point management tools like active directory management tools or data classification tools that don't have near the breadth of functionality that don't have all of the different dimensions and automation that Varonis has. So you can't solve the same problems or it's adjacent technologies, which is where I would put something like CrowdStrike, endpoint protection, firewalls, e-mail filters, DLP, identity management. These other technologies that while useful, don't solve the same problems. And so often times, we're in situations because Varonis is unique. There is no product category with half a dozen different vendors that a customer can compare against. There's nobody else that does what we do. So that's part of why we do these risk assessments because it is so visual. We need to show our customers what it means to solve the problems that we solve in the way that we solve them. So they might try with an adjacent technology, of course, they'll fail. They will not protect their data. It remains exposed. The average user at a given company has access to 17 million files in the first day that they start and 20% of the data is just open to everybody, very hard to protect yourself from ransomware when any single person in your company clicks on the wrong e-mail and that attacker has access to 17 million files that can bring down your business. So nobody does what we do. We're always competing when we do against adjacent technologies, like endpoint protection or firewalls or identity management or what have you or point tools that only address very small pieces of what we do, let alone up across a variety of data stores in a single platform or -- and we see this less and less these days. We still see organizations that feel like I can do this myself. I can just hire a team to do this. And I'll give you an example of why that's impossible. These business value reviews that we do with our customers are something that every time as soon as we -- they become a customer, we schedule these and sit down every quarter, look at their risk metrics, look at the metrics of success . And I did one of these. It was the first one we had done with a brand-new customer, a large health care organization. And the CISO knew exactly the problems that they needed to solve, why the organization was investing in Varonis, but was trying to socialize this with a broader audience. So we had an audience of about a dozen SVPs of privacy and data protection and compliance and incident response and their stock and what have you. And I took them through a broad overview of the Rona's platform and the specific challenges that they were trying to solve for. One, with threat detection and response in which we were unique because we were actually looking at file data, which is what they were most concerned about because they're health care and they're worried about ransomware. The other one was measuring and locking down risk. When I took them through to results of our risk assessment in their environment, which was on a small percentage, less than 5% of their data. And in less than 5% of their data, they had 226,000 folders that were open to literally every employee, contractor and application accounting environment and their SVP of privacy, effectively their data privacy officer looked at the screen on the Zoom, and she said, this is impossible. This is true, we're going to get fined out of business. We can't have this much of our PII and PHI of our patients open to everybody. And I said, "No, you can't, which is why you're using us." When we come back in 6 months, this will all be locked down. And part of this is that they had done an analysis themselves of how long it was going to take to clean up, assuming nobody ever created a new file or a new folder from this day forward, which, of course, is not going to happen. And they estimated it was going to take them 59 years to lock things down. This is why nobody solves this problem. When we compete, it's against somebody trying to use the wrong tool for the job, trying to cross the country on a tricycle or trying to use an adjacent technology that was never designed to solve these problems or trying to do things manually, which will never happen. This is why we say we really have no effective competition, and the risk assessments prove it.

Crossing the country on a tricycle. That's a good one. Well, Guy, as we said earlier, they're just -- there's so much stuff that we could dig into, but unfortunately, just a limited amount of time. So I think we're going to end it there. Guy, Brian, Jamie, thank you so much for the time. We really enjoyed it. And look forward to the next earnings call.

Thanks so much.

Thanks very much.

Excellent. Thanks, folks. Bye now.