Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

All right. I think we're ready to go. Thank you very much, everybody, for joining us. Home stretch of the afternoon here on day 1 of the Global TMT conference here at Citi. I'm Fatima Boolani. I [indiscernible] of our research team here, and I am still thrilled to be sharing the stage with Varonis. We've got Guy Melamed; and got Dave Gibson on the stage with me, and I'm very happy to jump right into the discussion. So gentlemen, thanks for being here.

Thanks for having us. We came from the 18th floor, the elevators were stuck. We came down all the stairs, and we got out exactly on the store.

Except, we got out on the street [indiscernible].

So give you investor access and we give you physical education at this conference. All of the things -- all of the things.

Well, thank you very much. I would just start the discussion on kind of the 30,000-foot level, if you will. And then I think there's a lot of folks in the room who are very familiar with your story, but would love to kind of start at the highest level on an overview of Varonis, what you do, where you operate and what part of the cybersecurity arena you're playing in?

Sure. So Varonis is a data security company. We sell a SaaS-based solution that helps people protect their data from external and internal threats. And these days, even potential AI abuse as well. So in a nutshell, we find the data that's important. We identify when it's exposed to too many people, right, or people that shouldn't have access anymore, we programmatically reduce risks like data that's overexposed or misconfigured, then we monitor the heck out of what people are doing with data to detect when you've got an insider threat, ransomware, an external attacker, Copilot abuse. And now with our SaaS offering, we have a new part of that called Managed Data Detection Response, where we can be in charge of looking at the alerts and calling you when there's something we think you need to know and which we do with an SLA. For example, if we see ransomware, we've got 30 minutes to call you. So that's Varonis in a nutshell.

The one thing I would add is that in 2023, we started the transition from on-prem subscription to SaaS. In short, SaaS is a much better product that we have to offer. And another point to mention is that MDDR is only offered under the SaaS offering. So it allows us to provide a much better experience for our customers. And at the end of Q2, we had 36% of our ARR coming from SaaS. So we've progressed very nicely. We initially thought that it would take 5 years. We rolled that out in our Investor Day at the beginning of 2023, and we talked about a 5-year transition period, so we defined the transition to be anywhere between 70% to 90% of ARR coming from SaaS. At the end of last year, we actually shortened that period to 4 years, and we're very happy with the progress. We can talk more about that later. But at the very high level, the reason this is progressing so well is because we're able -- it's a no-brainer for new customers, but we're also seeing our existing customers wanting to convert to our SaaS offering because of the benefits that it holds.

You're touching on the whole concept and theme of transition and there's a model transition that's clearly in the works. But before we get into the nitty-gritty of that, I want to still take a step back and talk about the market transition, right? You kind of gave us an overview of exactly what pain points you solve, and it's around data governance and data security. And you've been doing and solving this problem for customers before it was in vogue, before it was cool, right? I mean I think you're coming up on your 10-year IPO anniversary, so you've absolutely been hoeing the field on this for a very long time. But I think data security as a concept is becoming maybe more recognized in a mainstream fashion. So I'd love to get your perspective on what do you think has changed for data security to become maybe more of a thematic obvious consideration whereas historically was you had to convince people they had a problem versus today and then why that change has taken so long, but also it seems like it's been very quick.

Yes. First off, I think it was always cool, but that's...

I think it was always cool, too. So you have my vote.

Yes. And when we started -- definitely I started with Varonis in 2006, data security really wasn't a thing that people were talking about. Most folks thought of security as firewalls, perimeter security, endpoints and things like that. And that persisted, really kind of that mindset, that sort of perimeter mindset for a long time. And the perimeter controls got more and more sophisticated. And yet, I think we started to see still many, many breaches. I think about the last decade or so, ransomware just started around 2014, 2015 and just has only kept growing and growing despite all of the perimeter controls that are out there. Insiders have probably always been the scariest and most dangerous kind of attack that people worry about. And I think because of the light that some of the breaches continued to shine on data security, some of the regulations, the new SEC guidelines more and more focus on data itself. And I think people started to realize all these controls really are in service of protecting data. If data is safe and endpoint gets compromised, it's just another day. But if data is taken, no matter how that happens, all those other security controls have failed. So I think people are way more mindful and we hear a lot more people talking about data security for which we've got, I think, the most mature and comprehensive solution out there.

We want to be what the credit card companies are doing with fraud detection. And when you think about how they have the ability to do so well in understanding if a transaction is fraudulent or not. And I'm sure all of you got -- get those texts, is it you? Is it real? The reason they have that visibility is because they sit on every purchase that you're going through. We're trying to do the same with data. If you "sit on the data" you can identify any abnormal behavior, you have way better visibility, really like looking at journal entries and understanding if anything is abnormal. So I think in the evolution of where we are and where we want to go and where we want to be, at the end of the day, it's all about the automation, how can we protect the customer in an automated way. Customers cannot deal with this risk in a manual way. The headcount of security teams is cut very thin. They have a ton of projects. The risks are growing by the day, and they're craving for an offering that can help them manage that in an automated way. And we have focused for a long time now on trying to prevent and help customers protect their data in an automated way. MDDR is a whole new level that we have introduced it only at the beginning of this year. This is a very recent offering. The reception of it has been very good, both by our customers and by our sales force. And the overarching theme is protect data in the most automated way you can.

So just back to this notion of data security becoming more prominent in the consciousness of mainstream organizations, CTO organizations, et cetera, and more awareness from a procurement standpoint. So look, there has been actually a lot of active kind of consolidation in the data security market, right, some kind of larger players in the space have sort of picked up some assets on the data security side, right? So as that consolidation happens, some of this M&A activity happens, how has that changed the competitive landscape for you when assets in the data security realm have been acquired and larger players are now maybe talking the talk. We don't know if they're walking the walk yet, but the larger players, in some ways are certifying that this is a very legitimately large problem. So how is that both an opportunity for you, but a potential -- a threat or a risk from a competitive landscape standpoint?

So far, I see it generating activity in the form of RFPs, in the form of conversations with customers that I have. So there are some new players into the space. There's definitely more focus on data. And the good news for us is we don't have to evangelize the importance of data protection as much. And when we get into these opportunities, we've always sold the same way. Don't take what -- our word for it, put us in, look at some production data and let us show you your risks, show you what we can do with those risks, show how we can help you. And when we follow that same playbook, we're still very much alone in the functionality that we can deliver, really we call them the outcomes that we deliver. I see DSPM, Data Security Posture Management, as kind of the new acronym that everybody is talking about. It means something different depending on who you ask. But most of all, it's really a subset of what I think a larger data security platform is. So if we can leverage that concept to get the conversation started, it's a big positive for us.

Another way to think about it is and kind of the reason we focus so much on the visual sell that David was talking about is because when you talk in theory about the risk, it doesn't resonate the same way. And if I look at this crowd and if I -- let's assume that the people here were the CSOs and they were the decision-makers. If I said that, on average, each company that is represented here has millions of files open to everyone in the company. People would shake their heads and they go make coffee. Because you really can't really -- you can't understand the implication and it doesn't resonate the same way. But if we did a risk assessment, and we showed people here that the list of their both long and short ideas, investment ideas for 2025 could be accessed, that Excel could be accessed by anyone, whether it's a guest that joins the company's WiFi or whether it's anyone hacking in a simple way, and it could be provided to everyone within the organization, I'm sure the reaction would be very different. That's all we try to do, the risk is there. We need to show it in a visual way. And through the risk assessment, we can show the decision-makers how vulnerable they are and how we can help them with our software.

So part of the opportunity is that some of your peers are also picking up a slack on educating the market, right? So that helps indirectly, the productivity of your sales organization because to your point, you're not actually spending. You're maybe spending less time evangelizing, educating that a problem exists and then evangelizing that you were the right solution, right? So in some ways, that's helpful. But how do you think about the potential for fractionalization of some of your capabilities and other control points. And as a related matter, when you think about the opportunity at large, I mean, it's been vastly greenfield. But just from a in the trenches perspective, has the incidence of the types of competitors that you're seeing in RFPs changed in a material way?

I think some of the names are different, and there's a little bit more of a focus on kind of the initial phases of data protection, kind of a discovery, where do we have data that we care about. We've been doing this for 2 decades now, though, like we've kind of thought about the questions that people have next, which is, okay, what if you find sensitive data? How are you going to figure out whether it's in harm's way or not, right? If it is in harm's way, how are you going to determine what the right course of action is, especially if you're not sure who is using it. And really, how often are we going to update the inventory, maybe we better do that continually, which means we better be tracking how the data is being accessed. There's new -- some new faces. I feel like when we have a real conversation about what is it that you're trying to do to protect data, that's when a lot of the -- any of the new noise kind of really starts to fall away. And I think, like I said, we've been doing this a long time. We know what the ingredients are to protect data. You need these ingredients. There's no real shortcut to getting the kind of information that we've been getting for a long time in refining and then doing productive things for that information is another river to cross, which we've already crossed and we keep going further and further.

Guy, how does this translate into the SaaS transition you were talking about earlier, right? So you were always doing these POCs, illuminating for customers that, wow, you've got a massive data access risk problem and then your eyeballs just pop out of your head, right? So you've always been doing that from a POC perspective. Can you give us a sense of how the timing of those POCs has changed since you moved to the SaaS model?

The whole customer experience is different and I'd say better with the SaaS offering compared to the on-prem subscription. So the whole risk assessment is done in an easier way. I think the customer experience is better through the SaaS offerings. And we've actually called out at the last earnings call that the sales cycles of SaaS compared to on-prem subscription are better, they're shorter. We expected that to happen when we announced the transition, but this was kind of the first time we came out with that data, and we're very happy with that because it kind of ties to everything that we've talked about. We want to make sure that customers have a great experience with our product, and they understand that they are better protected with our offering. I think the risk assessment is part of that, getting them to value through the SaaS offering is done in a very different way than the on-prem subscription from an efficiency perspective. We're seeing that the offering about -- when we talk to customers about outcomes now, these are the outcomes, we've done some consolidation over the last couple of years in terms of the licensing offering, and we can spend some time on that if there's interest. We used to have 40-plus SKUs when we had the on-prem subscription offering. It was getting very confusing, both for our Salesforce and our customers to understand what every single SKU is doing. And we took the opportunity with our SaaS offering to consolidate. And now we don't offer those individual licenses. That's actually helping us in landing those deals that are larger because some of our customers when they convert, they don't have the ability just to buy the same "number of licenses". They have to increase their spend but they're getting more value. So the SaaS offering is on price list is 25%, 30% higher than the on-prem subscription. But we are seeing that with the MDDR and the fact that we are providing the outcomes we're resonating, landing larger deals, customers are seeing the value faster and the whole experience is very in their favor.

So I think historically with all of the experience we've had in learning about model transitions and different precedent examples of companies that have gone through model transitions, I think there's a carrot approach and then there's a stick approach. Our sense is that you've taken a carrot approach, and I think you brought up MDDR a couple of times. But I'd love for you to spend a little bit of time on what is the philosophy and ethos around the transition, right? Because you do have the benefit of a captive installed base, right? At the same time, you are -- the SaaS model is helping you drive new customer acquisition velocity but the bigger chunk of it right now is still, hey, how do you up-level your own installed base to get the goodness of SaaS, right? So can you talk a little bit about where you are in this journey of conversion of the base but doing it with a gentle approach as opposed to pulling the plug on them because I know that's not been your approach. And how does this factor into the way you're thinking about the momentum on the ARR metrics and momentum of growth?

How many hours do you have?

All day. I'm here all day.

We are going through our second transition. Our first transition was from perpetual to on-prem subscription. We did that in 2019, we were actually able to complete that transition within 5 quarters where I'd say the average is 4 to 6 years. So we were able to move very, very quickly. The second transition, the transition to SaaS is a very different transition, and we never intended to have that type of speed. We rolled out a 5-year plan, as I mentioned, when we did the Investor Day, and we've shortened that for 4 years, and it's progressing really well. I think there are basically 3 pillars that are essential in any type of change like the one we're experiencing. The first and foremost and one of the most critical components is the technology. The change has to make sense to the customer. We have made that 2019 transition in thinking about what's best for the customer, it made sense then. And I can tell you that the change to SaaS, when you think about the technology and the value that it provides our customers, it makes sense now as well. And I say that's the building block when you think about kind of the 3 pillars. The second pillar is, I'd say, the commission aspect. How do you incentivize your sales force to change and move from one type of selling to another. It was way more challenging to convince "the sales force" in 2019 to move from perpetual to on-prem subscription. It's way easier to convince them now because they understand the value proposition. They understand the simplicity of the MDDR offering. They have -- they see the conversations that they're having with customers, and it's resonating really well. Regardless, you still have to make sure that the commission plan makes sense. I'll touch on the commission plan in a second just in terms of what we did with new customers, but I'll get to the third pillar. The third pillar is, I'd say, management commitment of making the change. You can have the first pillar and the second pillar in place. But if your management is not entirely focused that that's the right thing to do, you'll get stuck in limbo. And I think in 2019, we were very committed, we are very committed now on moving and providing that value to our customers. And there's a lot of leverage in the model for us as well in this move to SaaS. We see the leverage in the different departments. We see the leverage in the shorter sales cycles. And there is additional leverage that we think we can see in the future with this move to SaaS. So those are kind of the 3 pillars. When we broke out the plan to move to SaaS. We talked about 2 phases. The first phase was targeting new customers and trying to sell them SaaS. That happened very quickly, very nicely. New customers are adopting this offering because it really is a no-brainer. We also talked about Phase 2 that we initially thought would start when Phase 1 ends and within 1 or 2 years. But what happened at the beginning of 2023 is that we started seeing our existing customers asking to move to SaaS. And they were doing it in a natural way. We didn't incentivize our sales force to do it. We didn't provide any monetary compensation on top of just the uplift that our reps were selling. So we were extremely happy that it's happening in that natural way, and it continues in 2024. So when you think about kind of the carrot and the stick conversation or that debate that you were talking about, right now, we're using a lot of the carrots. It's a better product, the customers see the value, they can be better protected. We're not going to customers and forcing them to move to SaaS. I think we want to be a SaaS company. That's our goal, that's our intention. We don't want to support 2 types of code forever. That's not our intention either. So there will be points where you use some of the sticks. I don't think we need to use them quite yet. And I think the fact that when you go to a customer and you show them the value and they understand the technology and they understand the benefits, it really is a no-brainer, and that's the best way to do a transition of such magnitude.

And in the framing of some of your longer-term targets, it sort of imply that ARR is a path towards acceleration to the 20s ZIP code, right? What is it going to take for you to get there? What milestones do you need to hit so we start to see more visible acceleration in the business? Because clearly, there's pent-up demand. You're doing the right things from a model transition standpoint. So what do you think some of the gating factors are that's maybe flowing some of that curve up into your medium-term targets and what your medium-term targets imply?

There are 3 tailwinds that we're kind of -- we laid out at the beginning of the year. Not all of them are baked into our guidance and not all of them are baked into our kind of [indiscernible] but I will walk through them. When you look at the MDDR, again, this is a newly introduced offering, but we only had one full quarter of MDDR, really, when you think about it. I know it sounds as if we've been selling MDDR forever, but we only really had one full quarter of that. And the way it's been adopted has been so positive that when you -- I get asked a lot, what is the right and a breakdown of MDDR within your existing customers. And the answer is, we believe that every single customer should have MDDR. It doesn't happen overnight. It takes time, you have to educate, you have to show the value. But eventually, you should get to a point or at least the belief is -- but the belief is that all of our customers should have it because they're better protected that way. So MDDR is one element. The second element is really just the environment. There are more and more breaches that are happening every single day, becoming more and more sophisticated. The risk is growing, and we could cater to that and help our customers in protecting against it. The third element is Copilot and AI. And it's not just Copilot but it's all of the different AI functionalities that prevent a focus on how vulnerable organizations are if they haven't sorted out who has access to what data. Because in the past, someone had to get in and they would have to find where the data is and whether it's sensitive or not, and it would take them time. Now all they need to do is put it in a chatbox. And who got a raise last year? And if they have access to that type of information, even if they shouldn't have access, guess what happens? They get the full breakdown of the entire organization of who got a salary increase, and that could be catastrophic for an organization. You can put it in the chatbox, where is the IP, where is the sensitive information? And that's a risk. So we talked a lot about the Copilot opportunity and the AI opportunity. We haven't baked that part into our guidance because we don't know when that starts picking up. But it comes up in every conversation. Almost every conversation with customers, they are concerned about it. We are ready to help customers in that regard. So there are a lot of elements that could help us continue to grow the business. We're very happy with the opportunity. I think as we sit here today, the opportunity is greater than we've ever believed it could be. Our ability to provide value to customers through our offering and that automation component is what we aim to do now and going forward.

Can you spend a little bit of time on the relationship that you have with Microsoft? I mean, clearly, there is a little bit of a chicken and egg dynamic here with the generative AI monetization opportunity is because you do need organizations and mass to adopt Copilot so that you can be right at the front door to help do the governance around that. So fully appreciate that's kind of out of your control, but you're ready to kind of step up to the plate when the time is right. But in terms of the relationship that you have with Microsoft specifically around this, can you talk about some of the joint go-to-market initiatives that you have in place, any elements of exclusivity you have with Microsoft that, hey, are they the -- is the Microsoft reps first call to make and say, you better get Varonis around this environment because of all the reasons you pointed out, right? So as we think about what that generative AI/Copilot opportunity could look like for you how does that relationship with Microsoft differentiate you and your ability to achieve that monetization objective?

So the way I think about it, we've got a few legs to the Microsoft partnership and we've been adding as we go. The first one is we run in Azure. So we're in there...

Exclusively or...

No, but enough so that we're on the Azure marketplace. And that the reps can retire quota. And so there's a go-to-market function there. Then we've been, for a while, helping people protect their data in the Microsoft environments, helping get more value out of purview information protection. So that's been another nice leg to the story. And then more recently, the Copilot leg has gotten a lot of attention, and we're helping people get the right controls around their data so they can feel good and safe about deploying Copilot. We're also monitoring Copilot activity in a way that is helpful for folks and really interesting with a lot of folks. So while I would love if we were the only call on the first call, they have a lot of reps and there's a lot of education to do. But that relationship is growing and continuing to be more positive.

Historically, you've had very strong ties in connectivity to Microsoft environments. But I think what sort of flies under the radar is all the work you've done around being the data security entity for non-Microsoft today stores, right? There's been a lot of R&D effort around that. Can you talk a little bit about what the estate looks like in terms of if you had a telescope on the data under management in your whole environment, in your entire customer base, how much of that was Microsoft 5 years ago? And what does that high chart look like today between the variety of data source, stores and sources that have really propagated over the last 5 years?

Sure. The way we think about them, the data domain or the big buckets of data, we put them into collaborative stores, which can be on-premises and in the cloud, right? So we've covered historically big NAS devices, big Windows shares, big UNIX shares. Collaborative stores certainly are -- have got a huge presence in the cloud with 365 and with Google and with Box. And then there's the second kind of category is what we would call the Infrastructure as a Service, or IaaS. So these are like the AWS environments, the Azure environments where people are spinning up massive object storage, object stores or blob stores and also databases. I used to have to rack a server when I wanted the database. Now it's just code. So it's a little bit of a party with no parents for the developers and a lot of data is growing there. That's the second domain. And then the third domain would be SaaS applications. So like a Salesforce or a Jira or GitHub, there are many of them out there. And that's really where we cover. And we've focused on coverage and automation. Certainly, we have more time behind us with respect to the Microsoft environment. So we do have more of a presence there, but the others are starting to become a thing. I don't know whether that's me.

Okay. And Guy, all of these efforts around driving new customer velocity, selling more to the installed base, layering on MDDR monetization, right? You've been able to do this while doing a very respectable job on improving your ARR contribution margins, right? We've come a long way. So can you talk about the investment priorities relative to all the tailwinds that are on the horizon? And we have seen a big improvement in terms of organizational efficiency, but where do we go from here after having seen such a nice step-up in ARR contribution margins and how you're thinking about the investment profile in the near term but also medium term?

It's a great question. Going back really years ago, even when operating margin wasn't as sexy as it is today and everyone's talking about it, we constantly talked about growing the business, but bringing some of it to the bottom line and the focus is generating cash. Those are really the 3 essence that we believe, and investing $1 in order to generate $0.50 never made sense to us. When you look at where we are today within this transition, I'm really happy that we were able not only to grow the top line and progress within the transition, but also improve our ARR contribution margin and start generating cash. We raised our free cash flow numbers to $80 million, $85 million for the full year guidance. We did that last quarter. So when you look at where we are, we see this opportunity as one that we want to take advantage as a much larger opportunity as we sit here today. We want to invest. We want to make sure that we invest in R&D and sales and marketing to take advantage of this larger opportunity. We've also -- we did our first acquisition in Q4 of 2020. Going back to what you talked about of protecting other platforms that we didn't protect before, there are additional platforms that we want to protect going forward. We want to go wider and deeper. So we constantly look at M&A as well to see if there's anything that would make sense and speed our time to market. But overall, when you think about how we want to invest, it's going to be, let's say, taking advantage of the larger opportunity but still thinking about things in a prudent way to make sure that we can increase our cash generation and bring some of it to the bottom line. When you look at kind of the 5-year model that we laid out, we felt comfortable about an ARR contribution margin of about 20%. And when you look at where we are now, just under 15%, I think it's been progressing very well. And I think it's a testament, not only to how we're thinking about the business, but also on how efficient the SaaS technology is. We've built it in a way that allows us to see leverage within the gross margins of our SaaS offering, but also generate leverage in some of the different departments that are supporting the company.

And just specifically from an investment standpoint, what do you feel are your biggest constraints? I mean, from our vantage point, there has been a shortage of innovation in the platform, right? Your ability to do more automation faster, data detection and response, MDDR, right? This seems like the R&D engine is firing on all cylinders. So is the correct inference that you are sales capacity constrained, and this is incrementally where you're going to focus? So you have a bigger or larger go-to-market footprint and any nuances you can share from a go-to-market perspective, especially now that when we talked earlier about, hey, this problem is becoming more of a mainstream problem, so maybe that takes pressure off the go-to-market organization in some ways. But how should we incrementally think about the investment dollars and where they should be or where you're thinking about allocating them for the course of this year, but also within the medium term, long-term target model?

I'm not sure I would use the word constrained, but I think one of the areas of focus and what we see continuing going forward is that visual sale. This is not an antivirus that people buy without kind of seeing what it does. We have to get to our customers. We have to do that installation and show them how vulnerable they are. We need to have that conversation with people within the organization that understand what the risk -- how big the risk is when they have millions of files open to everyone and when they have sensitive files that everyone can access. So that's something that we've always been focused on. We have increased our hiring. We're definitely adding people. We were trying to do it in the right spots that would generate the efficiencies that we were talking about.

And what are these right spots?

Right now, I'd say the biggest focus is R&D and sales and marketing. Those are the 2 areas that we're hiring the most, but on the same time, we're also increasing our customer success team, and we're increasing our MDDR team because it's working. And so we're kind of thinking of all the pieces together, but when you look at kind of the progression from an ARR contribution perspective, it's still progressing the right way. So that's kind of how we're thinking about it. We're definitely going to think about it going forward the same way. But sitting here today and I said this earlier on, we are -- we have a tremendous opportunity ahead of us. We're going to try and capitalize on this larger opportunity with additional investments, but doing it in the right way.

Fantastic. I think that's a good place to put a bow in our discussion. Thank you so, so much for all of the insights. I appreciate them. Thank you.

Thanks very much.