Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

Well, good morning, everyone. Those of you who are here and those of you who are listening on the webcast, my name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. And with me this morning, I have the pleasure of having Brian Vecci, the Field CTO; and Jamie Arestia, the VP of IR from Varonis. Guys, thanks so much for coming.

Thank you.

Thanks.

All right. Well, before I begin, just a brief programming note for important disclosures, please see the Morgan Stanley research disclosure website at www. morganstanley.com/researchdisclosures.

With that, I'll kick it off. So first question for you, Brian, which I've kind of asked all the time. But can you talk a little bit about Varonis and how it's different versus the average security company? And how you're really solving that -- the problem of that intersection between data and security?

Sure. The right way to think about Varonis is you're right there where you need. There's nothing else that does what we do. We say sometimes that we're fighting in different battles than other security companies, which have traditionally focused on things like the perimeters, the endpoint, the network itself, the firewalls, the big gates that you build. But the object of any security initiative is to protect data, and that's what we do. So we look at data through 3 particular lenses. We know what data is sensitive and important. We know who's got access to it, how it's exposed, how people are getting that access. We look at things like active directory and other entitlements and we watch how it's used. And if you don't do all of those 3 things together, it's very difficult to -- it's impossible to protect data, but we do that and we combine it and then we make sure that the right people have access to just what they're supposed to that you're monitoring the data itself, which is the most reliable way to detect something goes wrong, so you can detect threats and respond to them. And if you do those 2 things well, if you protect data and ensure what we call least privilege or zero trust is another way to think about it, and you monitor and you can alert when somebody is accessing data strangely, it turns out that you do a really great job of being compliant and keeping data private. So those are the reasons that the folks use us. And we focus really specifically on what I think of as collaborative data, files and e-mails. The stuff that sits on file servers and in 365 in cloud platforms like key G-drive and Box or even Salesforce or GitHub, that's the data that people use and collaborate with each other with. And it's a fundamentally different problem than trying to secure stuff like things in a database or application data. So that's what we do.

Yes. And you guys have fighting a long battle when it comes to this market. You talk about Yakov saying, we have blood and the demand from building this platform over the years. Why is the core data governance solution that Varonis offers more important now than ever as we're breaking down a lot of these perimeters in traditional securities.

Well, if you think about the data that we focus on files and e-mails, we've seen over the last 5 or 10 years, what can happen when the wrong person gets access to that data. You have an insider that has access to -- the average employee has access to 17 million files on their first day on the job, which is insane. 90% or more of that data has no relevance to their business function at all. It would be like if Morgan Stanley gave every new employee access to 17 million bank accounts when they started, right, you would go out of business. Because the data itself is the asset that -- it's a digital asset that matters most. Nobody breaks to a bank is steel the pens, right? They're after money. Now we break into the network unless they're after data. So what we're doing is securing the data that we know has intellectual property or other proprietary information that nation state actors or insiders are going to be after. If you lock down files and hold them for ransom, you can take down the business or an organization. We've seen cities get taken down, hospitals get taken down, other big organizations. And we also live in a world where all of these regulations, whether we're talking about privacy regulations like the GDPR, CCPA or SOX, HIPAA, PCI, whatever, they're all data centric, right? They're all about what is this information, who's got access to it? How is it being used? So if you don't secure it properly, you end up putting yourself at risk of serious fines.

And one of the things that we talked about at the last earnings call, and you've actually heard us say this prior to that, was that our technology has never been a better fit than it is for today's market conditions. And to just kind of build on what Brian was talking about, since we started Varonis, the 3 that we had really bet on were just the growth of data, which has really not slowed down and if anything, has just accelerated. The threat environment has just become increasingly dangerous, and that's only moving in 1 direction. And the need for sort of compliance with regulations is just sort of a byproduct of that. And then the more recent one that we've been seeing and hearing more and more from customers, it's just the need for automation, just given how much of a scarcity there is in terms of security headcount. And just there's not enough resources to help address this problem. We hear that from our customers time and again that they really need automated platform solutions that provide them that value to help them kind of do more with less. So I think that's just another reason why -- what we see today, the demand environment feels very healthy.

Yes. And I guess that's a good segue into the next question. Obviously, the current security demand environment is quite strong. And now you've had recent events like [Indiscernible], the Russia-Ukraine conflict, which obviously is raising the risk of potential cyber warfare. Talk to me a little bit about what you're hearing from your customers and how you think this will help the importance of having this sort of layered defense approach that Varonis preaches as you start to see more insider threats and potential for ransomware?

Yes. So I think the right way to think about it is there's no particular breach or incident or geopolitical condition that Varonis would be a response to. What it is, is it highlights the need to -- they highlights an elevated threat environment, right? There is -- you need -- as you say, you need defense and depth. You need to assume breach. There is -- if you've got data, somebody wants it, an inside or an outside attacker, a cybercriminal group, a nation-state actor. If you've got data, somebody wants it. So if you assume, if you come from that assumption, then what do you need to do? You need to protect the asset. You need to make sure that it's not exposed to people who don't need it. You also need a reliable way to determine whether something is going wrong, whether an insider is accessing data or a nation-state actor is moving through your network or traversing from the cloud, on-prem or escalating privileges or reconning the network and the most reliable way to do that is to monitor what they're after, monitor the data itself. So what we've seen is, you're right, there's increased security awareness. You can't open -- turn the news or read the paper these days without reading something about a ransomware attack or a cybercriminal group or some sort of cyber attack. And so there's heightened awareness, but there's also now a much more -- there's heightened awareness of what do we actually need to protect. And I said this earlier, but it's really true that I think everybody needs to understand the object of any security initiative, the entire reason to spend money on cybersecurity is to protect data. There's really no reason otherwise, like the devices, the network, the servers, that stuff can be easily replaced. If it's -- somebody steels your laptop, you replace the laptop and all the data is going to be encrypted on it. It's going to be really difficult for somebody to do anything with it. Someone steals your data, you can't put that to pace back in the tube. The data is what's important. That's the asset.

Yes. So want to talk a little bit about DA Cloud. So you have this new SaaS solution built on the acquisition of Polyrize that you did a couple of years ago. Just maybe before we dig into details, talk to me a little bit about how this is different? Because I think you did address cloud data stores before. So what's the difference about this delivery model that you have?

So you're right. We are -- we had support for cloud data stores, specifically Microsoft 365. We made a big bet a few years ago that -- that's where data is going to start going and it's come true, right? Most enterprises that use Microsoft at all are using 365 because it lets you access anything from anywhere from any device share with anybody who might need it like all my data is in 1 driving teams these days. But we've certainly had customers, prospective customers that have been asking us, all right, when -- 365 is great, but what about Google? What about G-Drive. What about Box? They got a lot of data there. What about Salesforce? What about GitHub. What about S3 Amazon? So we made a decision. We've been looking at supporting cloud and other cloud data stores and SaaS applications for a while. And what Polyrize did was just to accelerate that time line. So we acquired Polyrize. It was really -- it was -- the goal was to acquire the technology. We launched it last year as DatAdvantage Cloud, and it supports file storage that behave a lot like 365 like G-drive and Box. There's also S3 and infrastructure in AWS. In SaaS, there's also applications that aren't necessarily data stores, but store a lot of data. Salesforce is a great example, right? Salesforce is a business-critical application. If you're using Salesforce, that's your business. It goes down or somebody walks off with all of your customer and contact information that can -- that might be the thickest valuable data store that you have. And with the trick with SaaS applications, you asked what makes it different. What makes DatAdvantage Cloud different is that what we're addressing is that beyond the data protection problem, all of these SaaS applications are designed for collaboration. They're designed for people to access what they need from a web browser from anywhere, that makes it harder to secure. Each application is basically its own set of configuration, its own set of switches that you have to tune right in order for them to be secure. We said how many data breaches are started with an exposed S3 bucket. So if you make 1 wrong configuration, then your data can be exposed and they're all designed to be connected together through what we call APIs, programming interfaces, which can be used via threat actor to move between applications. And in the on-premises world, moving laterally meant going from a device to a server to another server to find more data in the SaaS world, that means going from application to application. We've seen attacks where a threat actor will go from Okta sign themselves access to a GitHub environment, get access to a GitHub repository, find API keys and use those to access Salesforce data. And I just went to 3 different applications that have no real relevance to each other. And what data managed cloud does is solve those problems. Make sure that Brian only has access to what it's supposed to in all of these different applications. And I know what Brian is doing. And when something goes wrong, either through my account or through a personal account that I've given access to or through an API, you know about it quickly and you can investigate it quickly.

Yes. And at Varonis, you can map all those connections versus -- I know Microsoft talks a lot about data governance, you probably get this question. They're a partner of yours but they can't, I guess, map those connections as well as Varonis.

The intellectual property that we have, the 15 years we have of -- you say, mapping those connections, really understanding what a given user or application account actually has access to in these galaxy of files and shared folders and now applications and connecting all that together, that's the core of the technology that we built. And we're not like a SIM where we just copy logs and give you the ability to search it. That's useful but that's not very predictive, and we're doing something fundamentally different. So Microsoft is a great partner of ours. We are solving a different problem in a different way. When I talk to customers, I focus on outcomes. Because I can talk tech all day. But what's the outcome? Why would you even do this? The outcome is, is data protected. Are you detecting and responding the threats without a lot of noise? Are you compliant? And if you can't reach those outcomes, then what are you even doing. And we are approaching those problems by looking at the data and resources in a unique way. And then the tech -- with the underlying technology, what it does is process and use that information in ways that nobody else does.

Jamie to bring you in the conversation. So in your 2020 guidance, you guys talked about generating $5 million ARR from DA Cloud. Just curious how you came up with that number? And how much of it is based on existing pipeline from people who have expressed interest in DA Cloud versus pipeline that you're looking to generate throughout the year?

Yes, it's a good question. So there's a couple of points. The first that I would just make is DA Cloud is a SaaS or hosted solution. And so it's part of the reason that we started introducing guidance for ARR. Because while the expectation that this year, well, the contribution will be relatively modest at around 1% of our full year ARR guide as it becomes a more meaningful contributor, it will only make ARR more important as sort of a KPI for us. And that's really what we believe investors should focus on. The bulk of our business today, though, because it's on-prem, the revenue recognition is different and about 80% of a booking is recognized upfront. That's the license component and then the other 20% is recognized ratably. So the DA Cloud offering will be fully ratable because it's SaaS. So I just -- I wanted to raise that point because I think it's an important distinction as people think about the financials. In terms of the guidance and the $5 million, I think what we really just want to stress is that it's very early days. And it takes a good amount of time for us. Even with our licenses that are relatively new and sort of growing and gaining a lot of momentum, it just takes time. Office 365, those licenses came out a few years ago, but it was only kind of in the more recent years that they've become a much more important contributor to our results. The same is true for Automation Engine and Edge and other sort of our newer products. So I think we're really happy with the customer conversations that we're having. And again, it sort of goes with our philosophy of following the data and going where customers are asking us to go. And in terms of sort of the pipeline, I would think about it as consistent with what we generally see from our results every single quarter, which is a pretty healthy balance of business from new customers and the sort of expansion into the base. So all of our reps are selling the entire platform to customers, to prospects. There's not a separate team there. So it's a part of every single customer discussion. But I think, again, with our guidance, even though the ARR guidance is new, and obviously, we're talking about sort of a modest contribution from DA Cloud. Our philosophy around guidance is consistent and the way it's always been, which is to say we want to guide responsibly. We want to, I think, have sufficient data and sort of a sense of customer buying patterns before we put out sort of bigger and bigger numbers. And we're just still in early days. So we only had a few hundred thousand of ARR contribution from DA Cloud in the fourth quarter because we really only launched it sort of the early part of June of last year. So it's just, I think, something that is taking time and is going to be a bit more gradual.

Got it. I know it's early days, rather. And the adoption will be gradual over time. But can you give us any color as to what the ARR multiplier could be between a SaaS deal versus a term license?

Sure. So I would think about the pricing of the different licenses as sort of very consistent. So DatAdvantage, I mean, most of our products are based on the number of users with access to data. So you can sort of simplify that and just think about the number of employees within the organization. So it's headcount based. Each DatAdvantage license, whether it's one of our legacy offerings or the Data Advantage Cloud license will be the same price for each data store that you're covering. And then the data classification licenses are about 75% of the price of a data advantage license, and there's multiple DatAdvantage Cloud classification licenses as well. So I would think about sort of a pretty healthy uplift if a customer had a number of our DatAdvantage licenses and then decided to add on 1 or 2 DatAdvantage Cloud licenses as well. But every customer is going to be different, and I would just -- we're probably going to sound like broken records. But without sort of a ton of meaningful customer data yet, I think we're probably -- we want to kind of wait and see before we sort of give a lot more color. But we're very happy with our progress so far, and we'll plan to be -- give color each quarter this year.

Yes. And when you do see adoption of the DA Cloud solution, is it coming from net new customers? Is it coming from your existing base? Just how should we think about that?

So it's going to -- it's coming from both. I think -- and Brian can probably talk about this a little bit more. But one of the things that I think is interesting is DatAdvantage Cloud, I think, opens up the opportunity pretty meaningfully to talk to a subset of customers that maybe we hadn't sort of initially had as meaningful of dialogue with. I don't know if you want to...

Yes. We -- so it's a good question. And the answer is both. There are customers that have been asking us for support for S3 and G Drive and Box and Salesforce for a while. So we can upsell to that. There are also potential customers that are born in the cloud that don't have anything on-premises and weren't using Microsoft 365. There's nothing for us to talk to them about. Now there is because they're using G Drive for file storage or box. They've got tons of infrastructure in AWS data in S3. So the answer is we're going to see -- we are seeing activity from both our existing customer base as well as new customers.

Yes.

And it's also important to note one thing to add on that, just to -- because I don't know if you're going to ask this, but some people ask. Everything in DA Cloud, all those licenses are totally additive to our existing product set. There is nothing -- there is no license in DA Cloud that would replace anything from our existing license set.

Right. So there's no conversion from the base.

That's correct. Okay.

Got it. Got it. I think in the past, Varonis was a bit more of an evangelical sale. And now people are starting to recognize more of the importance. So when you think about getting net new customers -- how much of them are coming to you or coming to you already knowing what Varonis offers rather than you having to evangelize.

So the right way to think about this is there's nobody that has a line item for Varonis unless they -- like the CISO has bought us somewhere else. And now here, she's at a new company and is like, oh; I know I need to run us. That's the only time that, that happens. The difference now, though, is that we have to have evangelize both the problem and the solution. You have tons of file system data and so much of it is open to everybody and none of it's monitored. That's a huge problem. That -- we don't have to evangelize anymore. Everybody understands that that's a problem. They just look at the news and they realize, oh, if my files get locked down and held for ransom we're going to be up a creek and my cyberinsurance premiums are tripling or quadrupling year-over-year. Like they know there's a problem. We still have to evangelize the solution because there's still nothing that does what Varonis does. So it's -- there is no bucket then there might be a bucket for cybersecurity, there certainly is. There might be a bucket for data protection, data privacy or data security. But we have to evangelize exactly what we're doing and why it's unique and why you can't solve the problems that we solve by using DLP or a SIM or endpoint protection or a CASB or something like that.

What we also try and do, I think, as Brian mentioned, we're really targeting the CISO and the selling motion. The risk assessment is absolutely critical to sort of showing exactly where our customer is vulnerable with their own data. And obviously, the CISO is the primary audience for that. But given that our customers don't have the dedicated Varonis budget, it's extremely valuable for us when we're able to pull in additional high-level decision makers within the organization. So if we can show the CFO that his 5-year operating plan is open to the entire company, if we can show human resources that there's a payroll file that the entire company has access to, these are things that, obviously, they're never aware of, and they're very interested in fixing those. Obviously, legal and general counsel would be aware. I would want to know about any of these things. It just -- it meaningfully increases our probability of a win because they find the budget to sort of fix these problems because they can't be ignored anymore.

Yes. And then just maybe on the competitive front. So Varonis has seen limited competition in the past. You talked about seeing competitors in 1 out of every 20 deals maybe. Why is that? And why will that continue to be the case in the future?

Well, I can't predict the future. But here's why it is, and this goes back to -- there is nothing that does what we do in the way that we do it. And when we do see competition, we're not seeing direct competition. We're not seeing Oh, I'm going to try to use Varonis or can I use X,Y or Z? There's no other -- I'd love to tell you here is the other company or product that we see as competition. Because in some respects, it would make our conversations easier. We wouldn't -- somebody else would be marketing for us a little bit, right? We wouldn't have to evangelize everything that we do. But our technology is unique, and it's a really hard problem to solve. So 5, 10 years ago, we were seeing Symantec or SharePoint or Imperva try to do what we do, and that's really, really hard. Like -- and we've got thousands of installations. And the only way to make software work is to go use it and break it and actually put it into enterprises, its the only way you can make it scale. When we do see competition, and it's still 1 out of every 20 deals or so, about 5%, and that's scattered amongst point tools that attack a subset of what we do in one place. Like, for instance, we look at Active Directory, and we monitor Active Directory. So we might see a, can't I solve this problem with like an Active Directory management tool? And I'd say, no, that doesn't connect to the data itself, and it doesn't classify data. It doesn't fix any of the problems that you find, you can't solve the problem. Similarly, we might see another classification vendor that goes and tries to find sensitive data, but that doesn't solve the problem. Because if all you know is what data is sensitive, what do you do next? How do you make sure that it's locked down and secured and how do you know when it's being used inappropriately. How do you fix the problems that you find. So our competition is scattered amongst kind of manual methods, point solutions or adjacent technologies. Can't I solve this problem? Can't I solve my ransomware problem by just securing my endpoints? I'd say no, because ransomware doesn't lock down your endpoint these days, it locks down the file servers, it locks down the sanction data, the core repositories and your end point is not going to protect that. So we -- the competitive landscape is really just trying -- it's organizations trying to solve these problems using ineffective or adjacent technology is the right way to think about it.

Yes. Jamie, so seems like 3 months ago, SaaS investors all of a sudden started caring about profitability. So the margin guide you gave out was a bit lower than, I think, the consensus expectation. How much of that was attributed to more adoption of the SaaS solution, which I think is going to be a little bit lower gross margin and the FX headwinds versus really just trying to step on the gas and investing in the opportunity ahead of you?

Yes, it's a good question. And we certainly -- I think we've been consistent in saying that we always have cared about profitability. I think we've always tried to balance growth and profitability as we think about how we're running the business. I think the bulk of sort of the delta between our guidance and consensus was due to the 200 basis points of FX headwind that is included in our operating margin guidance for this year. We've always -- I think we try and hedge our exposure to the shekel. Most of our R&D expense and investments are in Israel. And so there's exposure there that we try to address. So there's a 200 basis point headwind this year. There was a 100 basis points of tailwind last year. So we try and use that program as a way, I think, to manage that exposure, but our larger focus is on areas of the margins where we have control. So I think the question about putting the foot on the gas is a good one. And it's important, and it is how we're thinking about things just given the opportunity that we see. So as we look at new logos, it's important for us to continue to add capacity to the sales force as we think about selling more into the base, it's absolutely critical as well to, I think, invest across the sales organization. And we've been talking about the investments needed in innovation across R&D to sort of fuel the continued innovation that we've seen. We've invested quite a bit last year and obviously getting the polarized technology ready to launch as DatAdvantage Cloud. And even if there's not sort of specific licenses earmarked in the immediate future, I think it's constantly improving the platform, building in automation value has just been critical on sort of how we've always thought about the need to invest in R&D. So we really feel like the demand environment for every -- all the reasons we've been talking about for the last 25 minutes, really, I think, supports and justifies the continued investments. But we've also, I think, showed very nice margin expansion over the last 2 years since completing the transition. Last year, we had about 800 basis points of margin expansion. And I guess I would just point out lastly that the guidance for this year, like I said, implies 100 basis points of expansion on a constant currency basis. That's certainly a starting point for the year. And we are obviously very expense focused and want to drive efficiencies wherever we can. So to the extent that we can improve on that and sort of continue to show the margin expansion that we have shown, that's going to be important to us as well.

How does the growth today break down between new logos versus expansion?

So I think it's something that's always -- I mean, there's a couple of points to make. First of all, I think in any given quarter, we've always sort of seen the majority of business come from the base. This was true even when we were a perpetual company. And I think if you think about sort of our model and how many products we have to sell that sort of makes sense. Even when we were a perpetual company, we had a lot -- a much lower number of licenses. When you think about what a customer takes versus where they can get to and how much more we have to sell them, it makes sense that we would continue to see the majority of business come from the base in any given quarter. But I think we've, largely speaking, seen a very nice balance between new logos. And I think one of the things that maybe is most underappreciated is just how underpenetrated we are with our base of existing customers. You have to keep in mind that we only started the move to subscription 3 years ago. And so we have thousands of customers who are not anywhere near the double-digit number of licenses that we're targeting for every single customer. And I think we could grow very nicely just by selling into the base for the next couple of years. Now obviously, it's critical for us to continue to bring in new logos because that fuels the future opportunity and our reps are -- obviously, that's an important part of their compensation plan is to meet that quota for not just new logos, but new logos at the right size. So we want to talk -- we want to focus on the larger enterprises with more than 1,000 employees who can make bigger commitments to us upfront and expand more over time. So certainly in the course of 2020 and 2021, it was very balanced, I think, between new business and selling more to the base.

All right. Now we have a few minutes, I just want to check if there's any question in the audience. Okay. Well, I can ask questions for days. Just when you think about the drivers of operating leverage, right, because a lot of investors are concerned about the macro. So let's say the demand environment does slow down a bit. What are areas where you think you can find leverage in the model?

I think certainly, we've -- there's a lot of leverage in the sales and marketing line. The subscription move has really opened that up because, obviously, the cost of renewals is quite a bit less than signing new business or selling more to existing customers. I think in general, we're a very metric-driven organization and we track the number of risk assessments very closely. We have a very good sense in a real-time way of what our pipeline looks like, and we can respond accordingly. So I think an example of that was certainly in Q1 of 2020 when COVID was hitting and there was a lot of uncertainty, it was appropriate for us at that moment to be defensive in our sort of investments in our operating of the business. And so we froze salaries. We didn't -- we froze hiring, we reduced salaries across the organization. And I think that was really in a way for us to avoid reducing our workforce and just respond to the uncertainty that we were seeing from our customers. But then I think as business pick back up, in the second and third quarter of 2020. And that momentum really continued to close that year and certainly through last year, you can see the sort of corresponding pickup of our investment in headcount across the organization. So I think we're able to sort of respond very quickly in that regard. So I think the biggest opportunity for leverage regardless of the macro environment will be in the sales and marketing line. That, I think, is where we see the biggest opportunity.

Yes. And just last question for me. So you got 73% of customers now with 4 or more products, 40 -- around 40% with 6 or more products. When you think about the path to $1 billion ARR for Varonis, how much of that is coming from the existing base getting to double-digit licenses over time versus net new customers?

I think, again, it will probably be a balance of the 2. I think there's just a huge opportunity just with the base, but that's obviously not what we want to focus on. So those numbers will keep increasing just because every new customer is really starting with a higher number of licenses than they were under the perpetual model. And what we've said is that it's easier for us to get a customer from 6 licenses to a double-digit number, which is what we're targeting, than it is to get them from 1 license to 5. Because the level of value that they get when they start with that half dozen versus the 1 is just -- it's night and day. And so it's easier for us to expand with them and sort of sell them more to help them kind of build out their deployment with us. So we would expect that to sort of again continue to be a balance between new logos on the base as we continue to move towards that $1 billion number.

All right. Well, it looks like we're just about out of time. Thank you so much, gentlemen. Really appreciate your time this morning. Thank you very much.

Thank you.