or no?
Tone.
Tone, tone, tone. Yeah, yeah, yeah. That's what you were saying earlier, yeah.
I think we can go ahead and kick it off. Thanks for joining us this afternoon at the Okta session at the GS Communacopia + Technology Conference. I'm Gabriela Borges. I cover security here at Goldman, and delighted to have on stage with me, Todd McKinnon, CEO, Chairperson of the Board, and Co-founder of Okta. Thanks for your time.
Yeah, thanks for having me. I'm excited to be here. Hi, everyone.
So Todd, when we met for the first time a couple of years ago now, you talked about wanting to reprioritize and upgrade the level of innovation in the R&D organization at Okta. And I fast-forward then to Oktane this time last year, and the number of product announcements that the company talked about was significantly higher than at least what I could recall in prior. So talk to us a little bit about the evolution of the R&D organization and how that fits into your evolution of Okta as an identity platform today, versus perhaps at the time of the IPO or at the time of its founding.
The space we're in is very. It's a critical space, identity, and it's critical for security and does a lot of things for companies. It's also a space that I think the industry, identity speaking, and particularly the security industry, we haven't done a good enough job making it super easy to snap everything together and get really positive outcomes for fast, high ROI, positive outcomes for customers. I'm speaking broadly of the industry over the history of it, not specifically of Okta in the recent period, which I'll get to in a second. So all of that, the point of all that is, I think that R&D and innovation is incredibly important, and one of the things I'm most proud of over the last few years is the progress and the velocity and innovation we've had at Okta.
I think one of our main priorities for this year is re-accelerating growth, and you know, the job is not, you know, we can't say we have great R&D and not re-accelerate growth. The job of re-accelerating growth is the most important, and R&D is an input of that, but we still have to deliver that outcome, but that being said, I am very proud of the innovation. I think that there's a couple of things that are behind that. One is that I think we had some growth and some maturity, and we got our processes in R&D better, and you know, in terms of investing in tools and technologies and capabilities to have an R&D organization of scale, we've done a good job there.
But I think one of the biggest things we did was when we bought Auth0 a few years ago. It actually, we added a ton of capacity into the company. And so, particularly the team that was working on Okta could really instead of having to focus so much on customer identity, they could really double down on privileged, and governance, and some of the new areas we've recently launched or are having traction with. So it's just sometimes things are simple, and in that simple case, or sometimes part of the reason is simple, and the simple reason there is that we just got more capacity, and we could focus some of those teams on those new product areas.
I think that things in the R&D pipeline are good. They're in the market now, and now it's about us executing and actually using that foundation to drive re-accelerated growth.
As you think about what the longer-term roadmap for Okta looks like, what's the next technical challenge that you're excited to solve for your customers, given that you now have all of these different products: identity governance, privileged access, identity threat protection, et cetera? What's next on the roadmap?
We can, broadly speaking, there's specifics, but broadly speaking, we can make it a lot simpler for customers to get value out of identity and get value out of everything else in the security ecosystem and everything else in their technology ecosystem. So a simple example I'll give you is, right now, it's very hard for a company to comprehensively, across all of their SaaS applications and on-premise applications, and cloud infrastructure, and on-premise infrastructure, actually guarantee that every user interaction and every machine-to-machine interaction is coming from a known and trusted network. Internally at Okta, over the last year, we've gone through a comprehensive assessment of this and completely locked down all access to known IP addresses, and it's actually quite challenging to do, and very, very few companies actually do it.
I think the reason why is because there's not good standards for how this should work. Every SaaS application, every piece of infrastructure implements IP range restrictions differently in a non-standard way. Some of them don't support it, some support it at limited support, some of them do it a different way. And so it's really non-standardized. So when you get a company that's trying to lock down their whole infrastructure environment to be one of the most secure organizations in the world, it's quite challenging.
So one of the innovations I'm excited about is thinking about how we can help the industry standardize that and get this flat, consistent ecosystem so that customers, when they wanna adopt modern identity, when they wanna go to zero trust, when they wanna have these things we all talk about, they know that they're gonna get complete value and tons of control and visibility right out of the box, which isn't the case today. So that's a broad... There's various different ways on how we do that, but it's an area I'm excited about.
Are you talking about essentially going to more of a whitelisting approach to IP identities? And if so, how is that technically different from what you currently do with SaaS identities or user identities?
Well, so user, I think it's the right approach for a security architecture is multiple layers. You want strong person identity, biometrically authenticated in a phishing-resistant way, and you want whitelisted, you want managed and secure devices. Access is only permitted from managed and secure devices. You want the ability to flexibly have a policy, so that in the case that you do have to relax those restrictions, you can do it only for the applications that are high risk and the workloads that are high risk. So it's like multiple layers and a policy engine that can make it all possible.
And one of the layers beyond just biometric, phishing-resistant, authenticated users and a trusted device that's managed and known and you know, secured by endpoint security, you also, at the network layer, you wanna have a controlled network perimeter and trusted, validated network, and that's where the IP whitelisting comes in. The challenge is that the thing I just talked about are kind of well known in zero trust conversations about the things you need to do for a zero-trust user identity and zero-trust security. The challenging thing is when you try to go to this.
You try as a company, you're trying to not only secure the users, but also every API integration and every machine-to-machine integration, then there's really not the equivalent of standards for phishing-resistant MFA for inbound API calls. It's not specified very clearly. You know, you kinda store some token in a certain way. It's really hard to get all of your network of the web of machine-to-machine interactions all come from your trusted corporate network. Because half of them are other SaaS providers that aren't on your corporate network.
Not only are your own applications not on your own network because they're in a SaaS provider's data center, but the things that are calling them, agents or other SaaS apps or your forecasting tool calling Salesforce, is not on your corporate network. So then, how do you do it? It gets really, really hard, and this is the - this is an example of a complexity that people aren't able to deal with seamlessly out of the box. That if we - I think if we standardize things more and made it really clear to SaaS providers how this should work, made it really clear in terms of the, you know, protocols for how machines should integrate with each other, we could simplify it all, have customers get much quicker time to value by installing all these products and make it better for everyone.
How do you think about where some of this functionality naturally falls between what some of your competitors in network security are doing versus what your core competencies are on the identity side?
I don't actually think about that, but only in a second-order type of thinking. The first order is: how do you solve the problem for the customer? And the second, and solving that, you get down to what's the best approach, and what should each party do, and what should the network people do, and what should the identity people do, and what the endpoint people do, and what the overlap should be. And then you kind of think about, all right, if this is the right complete solution for the customer, then what do we have the right to win? How does identity fit into that? And I think it's kind of when you take it from that approach, it becomes pretty clear who should do what.
That doesn't mean that all the vendors are kind of sticking to that. There's a lot of people trying to poke into other people's lanes. But when you actually look at what people are doing and how they're, how they should be integrated, interacting, it's fairly clear, at least from a customer perspective, what they want each player to focus on.
That makes sense.
Yeah.
One of the dynamics where I think you do have a right to win, that you've consistently talked about, is the level of integrations that you have, especially versus someone like a Microsoft. Talk a little bit about how your integration network is architected, and how do you think about maintaining and extending that ecosystem over?
Yeah. It's related to the... You know, I think, and if you really zoom out, I think this, what I've been talking about here on how we're, our goal is to standardize more things, and we want it to seamlessly plug together, and get good security outcomes and good, you know, productivity outcomes and technology usage outcomes for customers. That's really an extension of what we've been about from the beginning. It's just taken to the next level. So in the very early days of Okta, we were the first to market with this concept of... There were some identity standards out there, this thing called SAML and this thing called WS-Federation, and there was various other things people trying to standardize.
We were the first company that said, "We're gonna, like, guarantee you, customer, that we're gonna build you a single sign-on system that worked with everything. And we're not gonna bother you at all with different protocols or different standards. We're gonna guarantee you that it works, and we're gonna take care of, like, managing the complexity of different standards." By the way, 90% of the applications didn't support any standard, so we had to do really, kind of down-and-dirty things about screen scraping and how we could make these applications look like they supported single sign-on when they didn't. That's what we did.
The way the company grew and got momentum is that customers really liked that, the fact that we had so many customers, and just the fact that more and more apps built support for these standards. We had this kind of system where we could, as they brought new standard interfaces online, swap out our maybe not ideal screen scraping integration and go for the standards. Then the standard evolved, and we evolved, and you know, it kind of it grew from there. So the dimensions of how integrated, there are really two of them. There's the breadth, how many applications, and we talk about this number, seven thousand, eight thousand, which is quite wide at this point.
But, probably as important is the depth dimension, which is, there's one thing for an application to be integrated to Identity from a single sign-on perspective, meaning, like, you click the button, and you actually can sign you in. There's all these other capabilities that make an integration deep. Namely, not only can it sign you in, but actually, it can actually replicate the user accounts, so IT doesn't have to manually do it. Or another one is, can it, if it's an HR system, can it do like, you know, employee onboarding? Can it take that business process and copy it, not only from HR into your single sign-on system, but copy that account into all the other systems downstream that might need that account? And, you know, so there's this depth of integration as well.
And so when you talk about standards and standardizing machine-to-machine integration, or when we talk about standardizing how we're talking about standardizing like how log files can be collected and how companies can get centralized visibility about identity threats. Or we talk about a product we have called Identity Threat Protection, which is all about, okay, you log in, but Okta keeps monitoring your device management, your endpoint security system, your network security system, and anything that's detected during your login session, any kind of malware, any kind of network intrusion, we automatically shut down your login session, and we log you out of everything else. That's not single sign-on. That's like some kind of continuous session monitoring, plus integration with CrowdStrike and Zscaler and Netskope and Palo Alto Networks. That's a very deep integration.
Our competitive differentiation has always been the breadth of integration and depth of integration, and we're pushing that forward on all fronts, even to the extreme, where we want to create new kinds of standards, enhance the existing standards, so that it all just works together. And so companies say, "All right, I'm gonna pick this endpoint and this network and this identity and this application, this HR system, and it just works. And I don't have to worry about how do I secure the machine-to-machine interactions, the APIs that are going to call this?
How do I, you know, worry about the difference between my employee users and my contractor users and my partner users?" It's just too complicated, and the more standardized and systematic we can make it, the bigger the pie is gonna be for everyone.
Absolutely. I wanna come back-
We'd love it, by the way, if... This maybe sounds counterintuitive. We'd love it if all of our competitors and every, all the zero trust people and all the security people had the same idea and wanted to rush to standardize everything. Even if maybe, you know, maybe that, that meant that our identity competitors could do some of the stuff we could do. Maybe in the short term, that wouldn't, you know, wouldn't sound like a good thing for Okta. But I think for, for customers, if they knew that it would be standardized, that's gonna accelerate the velocity and the purchasing so much. We have the best product, so that's gonna... The bigger pie is gonna make us much more successful.
That makes sense. I wanna come back to where we started this conversation, which is your point on R&D. Ultimately, the goal is to re-accelerate revenue growth.
Yes. Yeah, yeah.
If I think through
Or R&D is a means to that end, yeah. Yeah.
If I think through the bull case for the stock, which we subscribe to, it's Okta being a 15% plus, 20% plus revenue grower. I compare that to the 9% growth in CRPO that you're guiding to for 3Q. Help us understand how to separate out some of the macro headwinds that may be impacting the business today versus some of the secular growth opportunities that we've spent the last 15 minutes talking about.
I think big picture, our conversation with customers, our interactions in the market, our competitive position, they're all very positive, consistent, very similar to what we've heard in the past. When we talk about macro headwinds, we're really, in my conversations with investors, I reiterate this over and over, is that macro headwinds, we're talking about an environment that's been consistent for over a year now. It's not getting worse, it's not getting better. It just kind of is what it is. In fact, at some point, we're gonna have to stop calling it macro headwinds and just call it the new normal. And so I think that being said, there are realities in what we're seeing in the business.
We think that, you know, big deals, particularly if, you know, a couple of years ago, they would have taken two approvals, now it takes four. You know, there's extra scrutiny in the purchase. The deals get done, the projects are as big, they are as strategic, and it's just a little harder, a little slower. And so that is a thing, I think, which makes sense, right? Because Okta, as a company, is doing the same thing. We're being more careful about what we buy. We're making sure that we don't have redundant capabilities. We're making sure that we pick a solution in an area and use it and get value out of it before we buy some more.
So I think a bunch of companies are doing the same thing, and when we're working in the field and in sales cycles, you know, we're working with them and accommodating that. In terms of, like, the base of business we have, that shows up in the numbers, particularly. It impacts the net retention rate. Because a couple of years ago, we would have seen if a company needed, you know, had a, you know, a thousand seats or a thousand, you know, a bucket of a thousand monthly active users on the customer identity side, they were very optimistic, and they'd be like: "Yeah, we'll probably buy fifteen hundred, and we'll grow into it."...
And now it's like, they, if they need a thousand, they say: "Oh, we're gonna buy seven fifty, and we'll make sure we get to a thousand before we buy a thousand at the next renewal." So I think you're seeing in the net retention rate, you're seeing where in the past it was, there was like a tail end to that. Now you're seeing that tail end is gone, and it's like the, you know, the net retention is kinda more instead of maybe people overbuying, it's like they're actually buying maybe even a little less than what they need. But we think that over, you know, that will, you know, over time, as cohorts have been doing that for now, you know, over a year.
So ultimately, eventually, that's gonna normalize out, and that'll be more of a normal thing that we won't be comparing against the past period. I think we're gonna have to. In terms of the guidance, I think the Q3 CRPO guide is, there's, you know, the normal kind of guidance process in how we think about, you know, an achievable guidance and a guidance we're confident in. There's also, in that number, some conservative for any kind of security incident hangover, that we're gonna come up on the anniversary of the security incident we had in October, and I think it's probably the last quarter that we're gonna have that conservative built in. We haven't seen big quantifiable impact. We haven't seen any quantifiable impact.
So that'll probably be an appropriate time to reconsider factoring that into the guidance. And then the other thing about, you know, the guidance for Q3 is that the second half of our year is, you know, the majority of our bookings. And so we're gonna get a much... I think we're gonna do it in Q3, and we're gonna do a revenue guide for next year. We're gonna have a much better kind of view on how the second half of this year is gonna go, and we'll be in a position to update the guidance then.
I'll ask the follow-up here. You mentioned eventually you get to stabilization in the cohorts.
Mm-hmm.
Is that a way to think about perhaps your typical deals length relative to the excess buying of the 2021, maybe 2022 cohort?
Yeah
As to when more tangibly you would see a normalization in the cohorts?
Like what? Yeah, when is I think it's a gradual thing, meaning, and I haven't done the analysis, we haven't done the analysis to like know exactly when it peaks and when the trend is and all that stuff. I will say that the buying behavior, and everyone saw this, not only in our results, but in the overall market, in you know the second half of 2022, calendar 2022, so second half fiscal 2023. So that means we're you know eight quarters or five quarters in, six quarters in. So I think it's getting to a point where you know somewhere near the peak of it right now, and or or the we're starting to get to the time where some of those people that didn't overbuy are representing more and more of the cohort.
I think that's a, you know, positive trend for the future.
Do you look at internal data on customer utilization of their-
Yeah
Okta footprints, and any comments on how that utilization
Yeah, we've definitely seen it. We've definitely seen the utilization compared to what they bought. The utilization is a higher rate over the last, you know, six quarters as the overbuying has slowed down, and so that's a good sign as well.
Absolutely, I agree. So let's assume that-
For a long time, it's interesting. For a long time, it was... And I think in retrospect, it's obvious it was because of this overbuying. For a long time, it was we were surprised about the, you know, relatively speaking, the utilization rates looked low, and I think this is because people were overbuying. It was like, "Yeah, we're gonna grow. We're growing. yeah, bull case-
PowerPoint slide.
Fifteen hundred. Yeah, yeah. Fifteen hundred, you know, we'll buy... Well, we need a thousand, we'll buy fifteen hundred.
So, let's assume that the macro environment is unchanged to your earlier-
Mm
comment on the new normal, and you have incremental stability in the cohort sizes, or in the cohort expansion rates. What else do you need to see or do you need to underwrite that's within your control?
Yeah
to be able to bridge up to a faster normalized growth rate?
I think there's a few, a couple key things that we're really focused on, and so, really, three things. One is that just we are seeing a lot of progress in large enterprise, and there's a lot of potential there for us. So it's one of the things that when people ask me, like, what do investors not understand about Okta? I think people overestimate how penetrated we are in the large enterprise, and I would say that we're we have a lot of potential there. We talk about 40% of the... We have some kind of footprint in 40% of the Global 2000, but even that 40%, there's a lot of room to expand that, the usage in terms of number of seats and number of products.
So, I think of Okta as a company that was successful in mid-enterprise with tons of potential growth and some traction, but tons more potential in the large enterprise. And I think the reason, like, how do we... Okay, so in your control, like, how do we make that happen? Part of it is, part of it is the products. Some of this R&D innovation gets better, and we're able to particularly with things like connecting to on-prem resources, doing governance, Identity Governance with on-prem resources, that product's getting better, and we have more capabilities to do that. So there's definitely a product component. Some of these new products that we have that are more directly contribute to immediate security outcomes, like Identity Threat Protection with Okta AI or Identity Security Posture Management.
You could see those being really, in the short term, valuable from a security's perspective to a large enterprise. Identity Security Posture Management scans your entire identity ecosystem and tells you where the problems are... very actionable, very quickly. Different than a identity provider, which you have to implement and integrate and, you know, customers, especially in a large enterprise, can look at that and say, "That's great, but, you know, it might take me, you know, six to 12 months to get value out of it." Different equation when you say, "Identity Security Posture Management can give me value very quickly." So products, innovation. The other thing about the large enterprise, too, is that there's an amount... People have the idea that, oh, the large enterprise has, like, adopted cloud, and their cloud transformation is done.
Ironically, some of the largest enterprise had the most IT investment, so they had the most on-premise infrastructure, so there's some of the things with the largest amount of cloud transformation to go. And that just is what it is, and as the technology forces of better cloud infrastructure, AI, how do you run your AI workloads, do they do that in a cloud infrastructure versus on-prem? A lot of this change and evolution is driving them to modernize and upgrade, and I think that's a positive trend for Okta and the large enterprise. We've always seen from the company's early days, there's a strong correlation with change in the technology stack with a company's proclivity to wanna adopt Okta. So that's a positive impact there.
You know, the example, I think a good example of a recent deal I was involved in, you know, just to make it very concrete for everyone. This company is a very large company, and this is a significant transaction for Okta. The reason why it was happening is very simple. The Broadcom Computer Associates identity products, they were, Broadcom was raising the price of them. The company that I was working with, that just catalyzed, you know, we're gonna... This thing is an old thing. You know, we, you know, instead of paying so much more money, we wanna look at modern alternatives. It wasn't just that. They also wanna have more diversity in their ecosystem, away from relying so much on Microsoft. They wanted to move to some cloud infrastructure.
And so all of these changes together, it was like, we really should look at a modern identity platform. So thus, we have this opportunity for this big deal. That's the kind of thing, the more that happens, the more people look at modernizing their identity. And when they're moving off of legacy identity, for a lot of reasons we talk about all the time, we're the pretty clear choice, and that's a good thing. So that's one thing. The other, you talked about things that are in our control. I think we have to continue to do a good job of selling value from a security perspective, and these new security products help. Security posture management, identity and protection, privileged access.
You know, traditionally, Okta was thought of as IT enablement, and we can help companies have a great end user experience. Yeah, of course, there's a security benefit with multi-factor, but it's really kinda convenient, and we can help you get new projects rolled out, and we can... If you're going to get the SaaS app adopted, it'll be better. But now we're, in terms of value prop and immediate, helping these companies with security issues, we have a better set of products, and we have to be, continue to be good at selling that value and positioning the company that way. That's something we're working very hard on.
Then the third thing I'll say is that in the customer identity realm, we have to continue to get better and have success selling customer identity, not to just the CIO or the CISO, but also to the digital officer, marketing, product officer, technical officer. The idea is that identity can help all of these departments. We've traditionally been good with companies that are very. The IT group controls a lot of the technology or a lot of the decisions around customer identity. A good example is a great customer of ours called JetBlue, and IT there owns the employee identity, but also the TrueBlue loyalty app, and so we have a great deployment there of Okta customer identity. It's a great customer for us.
If it's like a tech company, it's likely that the, you know, that the product organization or the engineering organization makes the customer identity decision. And we have to continue to be able to do that at scale because it's harder for us. You know, we grew up selling to IT and security, and there's, I think, like, a big part of the market is those people building it themselves, and we are offering a better way. We have to continue to do that. So those three things, large enterprise, selling security, and non-IT buyers are three things that are important for us.
All those things connect with the go-to-market.
Mm-hmm.
I think you've commented on this year being a better year for sales productivity versus last year. We've seen time and time again in SaaS that sometimes SaaS companies that do really well with the mid-market, coming upmarket ends up taking longer than they expect. Talk to us about how you're investing in the move upmarket and the move to build more sponsors at the customer, et cetera. What are some of the key milestones we should be looking at?
Like, we do all the things that are, I would call, that you would expect, like, the kind of people we hire in the sales team, the relationships with. This is a really important one, really working on the relationships and the alignment with the global systems integrators. Because one thing about large enterprise is that the global systems integrators are very important to help them make decisions and execute on things. You know, you call them quote, unquote, "basic things," like making sure that the marketing and the advertising is dedicated at that, those influential buyers in these organizations. The thing that might not be as obvious is, that's very important, is that you have to have really successful customer references, and we work really hard to make these.
accounts that are large enterprise accounts incredibly successful, and then so they'll be advocates for us. A good example of this is FedEx, right? We have 350,000 users at FedEx, and, you know, the CISO there is, I work with him very frequently and talk to him all the time, and we've really worked hard to prove that, make sure that they're incredibly successful with Okta. And that word gets around, and a lot of this is it's not just the technical environment and the evolution and the ability to upgrade, it's also when those people look around at other large enterprises. Because they don't, you know, it makes sense, right? It's like, when they look for inspiration, they don't look for the small companies.
And so the more, you know, examples like FedEx or, you know. And we're getting a pretty good roster of these kind of referenceable customers, so that portends well for the future.
Absolutely. I wanna end here with a question on Okta AI. Give us a couple of examples of some of the most impactful applications today-
Mm-hmm.
either on the product side or for your own internal organization.
Yeah.
And then what do you think is most promising in the next three to five years? Perhaps something that isn't quite ready for prime time today, but maybe in the future.
So the one that we've shipped is this. I talked about it already, but at the core of Identity Threat Protection is Okta AI, and it's a little bit of machine learning, a little bit of Gen AI algorithms to really. At the core of what it's trying to do is it's trying to figure out what pattern of signals from. Remember, this product has way more signals, 'cause I talked about how deeply integrated it is. It has way more signals than we've ever had before. It not only has the context from your login, but it also has the context from other layers of the security stack. It has risk scores from endpoint, it has the network security risk being fed into it. It has mobile device management status being fed into it.
So it really gets a lot more data, and then it can do a lot, it can, you know. It does have more sophistication on the kind of patterns it looks for that detects anomalous activity. And, you know, it takes a lot of refinement, because a lot of customers in early beta, it's like, you know, typical thing, right? It's like too many notifications, too many false positives. So we had to tune it to make sure that it didn't have too many false positives and get it right, and now that it's GA, it's like, hits the mark there. So that's an important one. That's kinda like maybe what you'd expect, right? If you would've been at this conference three or four years ago, someone would've said a similar thing about machine learning and pattern recognition and threat detection, right?
So that's, that's good that we're doing that. And, probably, you know, more novel one and more from a like, "Oh, that's different," perspective, more interesting, is, we're working on, something called, Governance Analyzer with Okta AI, and it's pretty cool. It's basically training the model on the anonymous, policy setups and configurations of thousands of Okta customers and generating a suggested setup for a company. So it's like, you have these apps, you have these resources, you have these users, so this is how you should set it all up. This should be your security policy. This should be how you lock things down. This is what companies do, this is what companies don't do. And it's pretty amazing. It's like, it's like, "Wait, what?
It's all set up for me?" Of course, they gotta check it and like, you know, make sure it's right and... But it's not something customers expect from a tool like this. And it's, that kind of stuff is pretty exciting, just as a, from a technology perspective, like for a technologist, it's like, that's pretty cool.
I agree. Absolutely. Please join me in thanking Todd for his time. Todd, thank you.
Thanks. Thanks for having me.