Okta, Inc. (OKTA) Goldman Sachs Communacopia & Technology Conference (Transcript)
Okta, Inc. (NASDAQ:OKTA) Goldman Sachs Communacopia & Technology Conference Call September 5, 2023 6:45 PM ET
Company Participants
Todd McKinnon – Co-Founder and Chief Executive Officer
Conference Call Participants
Gabriela Borges – Goldman Sachs Group, Inc.
Gabriela Borges
Good afternoon. We’ll go ahead and get started. Thank you for joining us at the Okta session this afternoon. I’m Gabriela Borges. I cover security and emerging software here at Goldman. Delighted to have Todd McKinnon on stage with me, CEO and Co-Founder of Okta.
Todd McKinnon
Thanks for having me. It’s great to be here, the Palace Hotel.
Question-and-Answer Session
Q – Gabriela Borges
So Todd, I want to start on what appears to be a little bit of a paradigm shift in security, which is the idea that identity is the new perimeter. And so as we think about the traditional architectures and network security dissolving, help us understand how and when identity becomes a more strategic cornerstone of the security budget?
Todd McKinnon
I think it’s an important question, and it is the perimeter. I talk to people often – before I get to that question, I talk to people a lot about even beyond that, why it matters. And why does – first of all, what is identity. And it’s really like a system of record that stores – the people and what they can do and what they can’t do and gives you information about that in a full kind of comprehensive visibility kind of way or across customers and employees and partners.
So out of that comes a lot of things. You get – even before you get to cyber, you get simple things like can your customers log in and are your partners able to get to the applications and get the value of the – all the technology you’re deploying. Then you get to the cyber, which is are your customer accounts getting taken over, do you have fraud, are your employees getting hacked and phished and do you have visibility into who’s doing what, going where. So it’s essentially, it’s the – at the end of the day, you’re trying to get all this technology and all this information to people. And if you have a system of record that says who’s supposed to get what, when, where and how, that’s the natural point to answer all these other questions, cyber being a big set of these questions. The old way of doing it where you have the perimeter of the firewall or the perimeter of the office or it just – it wasn’t going to stand up to the complexity and the devices and the proliferation of technology that we have today.
Gabriela Borges
So there are a couple of concepts in there, which is Okta being an aggregator of identities and being able to authenticate. There’s a level above that, which is being able to use the identity data that you have for more effective breach prevention. How do you think about evolving the product mix or the product portfolio longer term into more threat detection, threat remediation, threat intelligence, et cetera?
Todd McKinnon
The – specifically on many breaches, you hear this stat a lot, like some number of breaches are all caused by passwords or forgotten passwords. And that’s definitely true. And we can talk about passwords and why I think, hopefully, we start using them less and so forth. But the other breaches, I think, are probably caused because someone had access to something that no one knew they had access to or there was overly permissive access.
And that’s a hard problem because you have these companies that have tremendous amount of complexity with the systems and the users and the groups and the roles and the permissions and there’s – it’s really hard to have comprehensive visibility into any kind of mistaken configurations or overly permissive access or accounts that aren’t shut down. That’s kind of like the boring problem, but it’s a really serious problem.
I talk to a lot of customers that are – they just want that visibility and some kind of proactive system to give them comprehensive view but also proactive alerting or warning on, hey, where am I being overly permissive here, how could I shut this down, how could I not just leave an account open. And I think that’s a challenging problem, but you can’t solve it unless you have – you got to start with a kind of a centralized system of record.
Back to the concept I started talking about before. It’s like you need a comprehensive system of record of who can do what, who are the people, where can they go to, what’s the technology, where they’re allowed to, where they’re not. And then you can start to do some of these proactive things around notifications when you have things set up too loosely. As things change, you can kind of be on top of it or at least have a chance to be on top of it.
Gabriela Borges
So I want to stay on the theme of where Okta can go longer term with adjacencies and security. And one of the more interesting observations around Microsoft’s new network products is that they’re intrinsically connecting their new network products to their identity land, to their identity product family. And so do you think it makes sense longer term for Okta to include more adjacencies, either an end point on network as you think about your longer-term product road map?
Todd McKinnon
We are – at Okta, we’re culturally – I want the company to feel like it’s the employees’ company. They’re working as a builder and owner to build this great company together. And part of that is they have to understand our strategy very clearly because if you’re an owner of something, you’re a builder of something, you have input into the strategy, the strategic vision and you’re more fired up to execute on it. So we’ve done a bunch of work to really clarify in the whole company, what our strategy is. And one of the things everyone’s – maybe not everyone at Okta, but we aspire to have everyone at Okta to be very clear on is that we are an identity company. We are – our strategy is to leverage our lead in identity by offering the best products in all the identity markets, customer workforce, privilege governance, identity markets, stay focused on identity, and it’s important strategically because it kind of tells the company where to focus, but it also enables us to better integrate with the ecosystem.
We strongly believe that, especially in security, ecosystem integration really, really matters because it’s an adversarial environment, meaning that you can think you have all the holes plugged, but the adversary is trying to find the next hole. And if you’re trying to get everything in security from one vendor, you’re inherently not well equipped to have the ecosystem plug that hole and give you that defense. So our strong belief is by focusing on identity, we’re going to have the – and building a solid technical foundation for integration, we’re going to have the strongest ecosystem of integrations and technical integrations and give that all to the customers. So we’re very clear, that’s where we’re focused. Not about end point security. It’s not about network security. It’s about identity. Now there might be some gray areas. Like what does identity mean on the margins? And what is – and yes, we’ll figure those out, but we’re very clear about where our swim lane is long-term.
Gabriela Borges
So one of the things…
Todd McKinnon
Microsoft is right about that. Sorry, I mean I’m really excited about this. There is one thing Microsoft is really correct about, that identity does need to be integrated strongly to network, and it needs to be integrated strongly to the device, and it needs to be integrated strongly to every app in your ecosystem, not just the Microsoft stuff. So they’re right, but it’s incomplete because they’re – at the end of the day, they’re focused on Microsoft, not on the entire ecosystem.
Gabriela Borges
Microsoft will oftentimes communicate to its customer base, but it does have ecosystem integrations outside of the Microsoft ecosystem. So when you have sales reps in the field, how do they counter some of those claims? What are some of the more nuanced points that investors and customers should be paying attention to when Microsoft makes that claim?
Todd McKinnon
It’s a really good question because, especially as we – at Okta, as we work really hard to enable our sales team and have really compelling messaging and everyone is clear on the strategy and the vision, but a lot of times with the customer, the vision of the company or the strategy the company doesn’t matter as much. They’re trying to solve the problem of the day and in the macroeconomic environment that has questions. They want to deliver business value, and it’s not as much about your high-level vision is like solve my problem. So this is a really important point.
So I think this point about identity being important and then the integration of identity to everything, there’s really two layers you can kind of prove the point to a customer. One is like the very specific – like you mentioned a specific examples of how Okta works better, whether it’s integrating with a diverse set of HR systems to have your joiner-mover-leaver process really comprehensively automated across your whole – there’s just specific examples where our integration is stronger. And you can do the same thing for different client operating systems or mobile phones and – or if you want to get phishing-resistant access, you can’t do it across a variety of platforms with anyone else but Okta. It’s just unequivocally, technically true.
But Microsoft can spend a lot of money and they can invest and they can do things that other vendors are doing. So then you get to kind of the high-level philosophy of the – of just – and this doesn’t always resonate. It resonates with some companies, but it’s just a philosophy of at the end of the day. If you’re a product manager at Microsoft and you come to your boss with a great innovation that really logs people and quickly and securely to Amazon Web Services, better than Azure, you’re just not going to get promoted. Just – it’s a cultural thing.
They’re – Microsoft is doing a great job selling Azure, selling collaboration apps, and they’re even making a lot of efforts in security. But at the end of the day, it’s about those three things. It’s not about identity per se. We’re different. We’re about identity. We’re connecting everything. We’re going to be within best for the customers at a philosophical and like alignment level. But again, you’ve got to prove it in the details. You got to prove it by having more integrations, which we do. You got to prove it by having deeper integrations. You got to prove it with a better ecosystem that works better out of the box. And that’s what we’re focused on doing.
Gabriela Borges
So I want to connect the dots between the longer-term vision that you’re articulating and some of what you’re seeing in the near term. Earnings call last week, talking about seeing the demand environment stabilize based on trends in duration, average deal size, new business, a lot of the metrics stable to improving. Would love to get your qualitative overlay on what you’re hearing on the ground from your customers? How is the demand environment?
Todd McKinnon
Yes. I think you mentioned the quantitative aspects anecdotally or qualitatively, I think there just seem to be fewer like random changes in the deal just being gone or slipping out. We saw that happen in Q1. I didn’t really see that happen in Q2. It was kind of like stability of forecasting and kind of like less random things happening in the cycle, which I think is a sign of this macro stability, particularly – and then inside of that, I think the SMB part of our business, people tend to be pretty – the budget’s pretty conservative and projects pretty – not as flowing through the system. Larger enterprise, it seems like they set their budgets at the beginning of the year and they’re kind of executing on. I think you saw that in our results with our 25 biggest deals were $100 million of TCV, which is a very good result for us.
And then the cohort of $1 million ACV deals was the biggest really healthy, large growth numbers there. And I think that’s just a result of identity is important, particularly for large companies, which have a lot of complexity, a lot of users, a lot of technology, a lot of critical projects on the customer identity side, things they want to do on the workforce side, around cyber and better user experience. And I think you just see those kind of seeing those budgets roll through.
Gabriela Borges
So there are a couple of different pieces to that, the customer identity piece and the workforce piece. One of the trends that we’re trying to better understand and workforce is how far along the product cycle are we? Because SaaS-based single sign-on has been around since Okta pioneered innovation in the space.
Todd McKinnon
Almost 15 years.
Gabriela Borges
Yes. And so when you have large customers that are still investing in workforce, what are they investing in?
Todd McKinnon
Yes. This is a – I think it’s a misconception people have. A lot of – especially in larger enterprises, they have a lot of – kind of a mixture of a lot of things. They haven’t really standardized on one platform for identity, not even for workforce identity, let alone workforce and customer. They’ll have – common thing you’ll see is you’ll see parts of the business will have maybe some Active Directory software, something called Active Directory Federation Services. They’ll have legacy software environments and other pockets that really grew up around certain applications or certain use cases, maybe for partners.
Then you’ll get clusters of identity around apps. Like you’ll see the Oracle stuff around the Oracle apps, IBM stuff around the IBM apps. You still see a bunch of Computer Associates stuff out there. And then there are companies that are – have solved it for the Microsoft apps with Azure AD. But they still have problems in that those systems don’t work together. And then particularly when they’re talking on the cyber side about visibility, if you’re a CSO, if you – congratulations, you’re hired as a Chief Security Officer of a large company. One of the first things you need to try to do is get visibility across it all. I meet with CSOs all the time. They’re like just show me everything.
And so one of the things they do is they kind of get a roll up of all these systems. So they put Okta in place and they kind of get visibility in all these systems, and then they can take some of them out over time. They can maybe do new use cases because they started with just single sign-on, and they go to a phishing-resistant multifactor authentication. Now with identity governance, we can give them more reporting and more workflow capability. So it’s a pretty complex environment. And this idea that you either have identity or you don’t, it’s really not how it works. It’s like you have pieces of it all over the place, and it’s – we’re trying to move the industry to like one unified platform specifically for identity.
Gabriela Borges
Can you give us a sense for within your large enterprise customers on workforce, what percentage penetration do you have?
Todd McKinnon
So if you just say within workforce, I think a good proof point is the upsell rates from – what we’re seeing in the value of upsells for governance because if those of you that have been following Okta, the workforce product portfolio is essentially, there are some other products, but the main ones are single sign-on, multifactor authentication and life cycle management. Simply – like simply, it’s basically like authentication, strong authentication and then automating the creation of profiles and the deletion of profiles and the synchronization of profiles. That’s life cycle management.
So with governance, we’re seeing an average – and governance is really – it’s like – it’s a piece on top of life cycle management. It kind of rounds out the solution. So with governance, we’re seeing 30% more – 30% plus increase in the ACV of our workforce customers by adding governance. And we have over 12,000-plus workforce customers and a ton of room to run in that customer base with governance. That’s not even including privilege. And so it’s – there’s a lot of room to run. And that’s not even including customer, too.
So we talk about doing well with upsells, new business being a little slower recently, I think a lot of that is because we have a lot more products to sell. And as the economy gets tougher, I think the rational thing to do is sell to your customer relationships. And when you have a product portfolio that’s really expanded over the last couple of years. I think that’s why you’re seeing some of that upsell – those upsell rates happen.
Gabriela Borges
The idea of standardized or unified identity platform and enterprise makes a ton of sense, outside of CSO turnover, what are some of the catalysts that Okta can help effect to go from, hey, customer ABC has seven different identity vendors across different pieces of their organization to we’re all in on Okta on workforce and then we’re going to upgrade to OIG, et cetera?
Todd McKinnon
There’s a couple – it’s – so a lot of the breaking through that inertia and getting – there has to be a catalyst, as you mentioned. If you’re a large enterprise and you have a lot of complexity in your technology and a lot of complexity in our identity stacks, plural, there has to be a breakthrough to catalyze that or there has to be a forcing function to catalyze that. And it’s – sometimes it’s a champion who gets hired, a progressive leader, CSO or CIO that wants to do more with less, have better cyber posture and make things easier to use. That certainly happens. Another big one is M&A, so like company will bring in a new company and they’ll have to consolidate the systems to get the M&A to reap some of the synergies that they want in the deal case.
Last couple of weeks ago or last week, we launched something called Okta for the Global 2000. It’s really an advanced capability to help companies decide – so when companies have a business strategy, they – basically a lot of business strategies deciding, which markets to be in, how to win. And so you got to decide which divisions of your company you’re going to go after which markets, which things you’re going to try to do centrally from a G&A and cost improvement perspective, which companies you’re going to buy, which companies you’re going to divest and so on. And so now there’s so much technology involved in that all those decisions are technology decisions. And because they’re technology decisions, all those decisions are identity decisions.
So Okta for Global 2000 really explains to people that you can – identity can help drive your business strategy. It gives you the flexibility to decide what you want to centralize, what you want to buy, what you want to sell, how you want to attack these markets. And these kind of things catalyze some of these enterprise-wide standardizations of Okta. And it’s an example of how we’re raising the visibility of some of these decisions because too many companies still think about identity as something tactical that’s done as a department in a fragmented way, and there’s tons of benefits they could accrue by standardizing this capability across the board. So that’s a catalyst for some of these migrations.
And I think another big one now is just cyber. The companies are – Boards of Directors and CEOs are sick of hearing about phishing attacks and ransomware, and inevitably, these things come down to some password or some phishing and that’s how they got in and they just want it to stop and by standardizing some of this across the board with a phishing-resistant product like Okta they can do that.
Gabriela Borges
I’d like to tie some of this together into the heavy lifting that you all have been doing on your go-to-market and to some extent on your R&D as well over the last two years. What are some of the incremental efforts that you’re focused on from an organization or a process standpoint with your internal sales and marketing organization? And then same question for R&D.
Todd McKinnon
We have the strategic – our plan for this year – our operating plan for this year is – it’s – we’re executing it well. We have growth is – we’re doing well on growth. We’re doing well on efficiency. And despite the improvements in efficiency, we’re actually investing a fair amount of money in efficiency for future periods. So one of the things that’s missed when people look at our results is we’re actually spending a decent amount of money making things better in terms of efficiency for the future. Like a good example of this is we don’t right now have an automated way to seamlessly bill customers for overages on the service. We – like a lot of things, we threw bodies at that in the past. We said, hey, automating that is going to be hard, and they’re going to take some money. Let’s just hire more people, and they can – we can manually go after this.
But like a couple of years ago actually and really ramped up at the beginning of this year, we’re automating all that. So that’s costing money. I mean that’s like making us less efficient this year, but five, 10 years ago – five, 10 years from now, as Okta grows to be $2 billion, $4 billion, $10 billion and beyond, it’s going to be automated, and those kind of – that revenue is going to be much more efficient. So that’s one example. So we’re doing a lot of that.
There’s also just a lot of – as our vision comes together with one company selling customer and workforce and the acquisition of Auth0 really being fully integrated. There’s just a lot of things that get more efficient and effective, whether it’s sales reps learning how to sell both clouds, customer and workforce, whether that’s enablement that happens to train people, the value props that resonate in an economy that’s soft, how they sell in that environment, how we prosecute. There’s just – just – I would just say it’s like a lot of continuous improvement.
We’re trying to get better all the time. We’re not – the journey is not done. We don’t think that we have a decent couple of quarters that we can just relax. We’ve got to keep working harder and push harder, and we think that we have a big opportunity and we can grow. And we can be efficient and we can really fulfill the potential we have.
Gabriela Borges
Is there a way to think about what inning Okta is in realizing the full potential of the Auth0 acquisition?
Todd McKinnon
I think it’s like one out in the third inning.
Gabriela Borges
Okay. Sure.
Todd McKinnon
We had a rough first inning. Give up a few hits, but we’re in the third and a lot of room to run.
Gabriela Borges
Where did you’ll land on the best…
Todd McKinnon
That was your analogy, not me.
Gabriela Borges
No, I appreciate that. Where did you land on the best go-to-market approach between product-led growth, winning the hearts and minds of developers versus more of a top-down motion for customer identity in particular?
Todd McKinnon
I think the go-to-market on customer identity is really important. It’s not an either/or. I think one of the realizations before we did the Auth0 acquisition and throughout it, it’s been confirmed, which is developers in customer identity are a really important constituency but no developer signs a PO for $1 million. It’s done by a CTO or an architecture person or a product officer or a market digital officer. So you really have to have both.
And what we learned at Okta is that the product and the platform we had built was really good for CSOs and CIOs and really kind of when you wanted to put a system in top down, and it was kind of like preordained how it configured everything. Okta is really good at that, pre-integrated, kind of set the standard from the top. But Auth0 was really good at, as the product was built, as the engineers first thought about should they buy this or build this, I need an identity stack that does exactly what I need it to do and not too much very flexible, very kind of component-oriented, does exactly – which is very different than saying, hey, here’s your identity solution from the CIO or the CSO. It’s a standard way we access apps. This is how it works.
And so what we saw is that the – in many times, the marketing person or the Technology Officer, the VP of Engineering, they actually – not only was the platform a wrong fit for them, they actually didn’t want the thing that the CIO picked. It was like – I’ve worked with companies that I was trying to get them to buy Okta for customer identity before the acquisition and the VP of Engineer was like we’re not using that. That’s what the CIO picked.
But now after – with Auth0 and customer identity cloud, they’re like my developers love this. I love working with one company. It’s easier to do business with you. It’s easier. You have one support team, one services team, kind of one throat to choke, so to speak, on customer success, and my developers love this. It’s a natural extension. I’ll pay you more for that.
So it’s kind of that balance of tops-down relationship influence with the developers loving it and the bottoms up, which we think is a winning combination and why it’s so exciting to be just in the third inning. Another thing to know about this is that it informs our – so our strategy is we want to double down our lead in identity by having a product in every category and then use that neutrality to have this ecosystem advantage. It makes sense then to have one sales rep that is selling all products in the account because what that sales rep is supposed to be able to do is sell higher.
So I don’t want a sales rep that can only talk to CIOs or only talk to CSOs. I need reps that can talk to the engineering person and the marketing person and the technology person. It’s harder to do. It takes a skilled rep, someone that really wants to focus and learn how to do it. But you’re in a much more strategic position once you can land it.
Now that being said, they still have to be able to execute transactions. They can’t sit there and try to call on the CEO and the Board all day and not actually close the deal. But that’s how the go-to-market strategy aligned with our company strategy.
Gabriela Borges
You’ve made so much progress on the alignment of go-to-market. What is the limiting factor today to hiring a new sales leader?
Todd McKinnon
Finding the right person. It’s really important. And I can – I’ll expand on that. So the search started in February. And I talked to a bunch of people that had – I wanted to find someone that had done it before, taking a SaaS company from $2 billion to $4 billion to $8 billion and beyond. And there aren’t that many. There’s a handful. And those folks are either – like their jobs or they’re retired. So then we’re – then we shifted the search to more, call it, someone that hasn’t actually done it before, but has – I wouldn’t call them an up and comer because these people are amazingly accomplished. But just haven’t been the person in the driver’s seat and all go-to-market at the scale we’re getting to.
And at the same time, the – I think it’s a very important hire for the next three to five years. And we just want to get it right, and we’re doing our homework and checking references and networking a lot, and we’re going to find someone great.
Gabriela Borges
Good stuff. Okay. I’m going to pause. Questions from the audience.
Todd, we spend a fair amount of time with channel. And channel told us we would love to have an identity platform that’s easy to implement, that’s comprehensive. We think there’s a gap in the market. Okta still has progress to be made before we commit to them wholeheartedly. What do you still need to do to get the channel fully on your side and leverage some of that momentum or potential momentum?
Todd McKinnon
I think just like we talk about balanced enablement of our field with customer identity, I think we have to make sure we educate and enable the channel on customer identity. I think the channel is – there’s a lot of companies in the channel. It’s a pretty big group. But to generalize, I would say they’re more workforce centric. It’s like cyber and traditional outsourced IT type of orientation. So I think we have to enable them on customer.
And I think very few – especially the midsized channel players, very few of them have dedicated – they think about identity as a broad platform in the same way that we do. So we have some work to do there. I think on the larger – the big SIs and the biggest companies and players in the channel think we just have to make sure that we, as a product portfolio expands and as we have a set of capabilities that will give them a lot of work to do around this because I’m not sure the big SIs – the big SIs can add a lot of value to customers at scale. It’s not so much about the solution being easy. It’s about how much value can they add around it.
So I think we have work to do in educating them and partnering with the big SIs to not only in the governance opportunity, but – because governance is complex and there’s to fully automate governance end to end in a big company, they’re going to take a partner that’s going to take an SI. And then on the customer identity side, it should be really in line with what these big SIs want to do because they want to really be the digital transformation partners. And so I think we have – we made a lot of progress in the big SIs, but we can do more there.
So I think our channel program, [indiscernible] large has – over the last year, has – I would say, we are focused on fewer partners, and we want to make it very clear, the ones we’re focused on and where we direct customers and then we also commensurately want the partners to, like all these top partners do, really add a ton of value. And so it’s like a focus and it’s a really strong partnership because we don’t like to see the negative channel checks. It bums me out. So we’re focusing out – we’re focusing on fewer partners still a lot of partners, but fewer than we were before with kind of like white glove, strong partnership with the ones we’re focusing on.
Gabriela Borges
Want to end back on product, which is if you reflect upon some of your more interesting customer conversations to date, your most sophisticated customers, what are one or two things that they’re doing that are particularly interesting with how they approach identity? And what is the next big technical challenge that those customers are asking you to solve?
Todd McKinnon
Yes. I think the most sophisticated customers I talk to have been able to balance this – there’s like two extremes. Like one extreme is the Wild Wild West. It’s like all the groups in the different application owners and the different companies and a big company all do their own thing. This is like the scenario I was describing where you have the Oracle identity around the Oracle apps. You have CA doing some stuff around mainframes. You have Microsoft around Microsoft and you have a bunch of small players using point solutions. That’s the Wild Wild West.
The other extreme is you have a company that just basically centralizes everything and says you do it my way, locked down. It’s not a lot of flexibility. It’s kind of – they have strong visibility, strong security, but it’s kind of rigid. So I think the most sophisticated companies have figured out how to do both. They figured out how to like centralize what they want to centralize and have the standards they need at a global level while still enabling people to run and be fast at the local level.
And I think that’s – as the CEO of Okta, that’s a lot of the challenge of running the business. It’s like as you start to scale and you start to grow, how do we balance the efficiency and the scale of doing things centrally, but we don’t have the stifling lack of flexibility, innovation that keeps people from running? And when I see customers, they are able to do that in their business strategy and their technology strategy and their identity strategy, it’s pretty impressive.
Gabriela Borges
Good stuff. Thank you for your time. We’ll leave it there.
Todd McKinnon
Thank you. It’s good to be here.
Gabriela Borges
Thank you all for being here.