
Okta CEO: Hack Didn't Have Quantifiable Impact on Business

Okta's Competitive Win Rates and Renewal Rates Weren't Affected by the Lapsus$ Hack
Okta co-founder and CEO Todd McKinnon (Image: Okta)

Okta's competitive win rates and renewal rates weren't measurably affected by the Lapsus$ cyberattack that came to light in March, according to CEO Todd McKinnon.


McKinnon says he looked individually through hundreds of customers and prospect opportunities in Salesforce to see if any of the potential sales had been delayed or canceled due to the breach, which was only revealed when Lapsus$ posted screenshots to its Telegram channel of Okta customer data. But the deep dive into customer data didn't yield any tangible impacts, according to McKinnon (see: Okta's Data Breach Debacle After Lapsus$ Attack: Postmortem).

"We've looked, and we can't see any quantifiable impact," McKinnon tells investors during an earnings conference call Thursday. "I was really surprised as to the lack of anything [in Salesforce] about Lapsus$ impacting the business."

Okta Chief Financial Officer Brett Tighe says the San Francisco-based identity and access management giant is at all-time highs for gross retention in its current fiscal year, which began Feb. 1. In addition, the linearity of Okta's business in the fiscal quarter ended April 30 was identical to previous fiscal years. Lapsus$ revealed the attack on March 22, two months after Okta became aware of the compromise.

"There was no degradation from the incident," Tighe tells investors Thursday. "Believe us, we've looked. And obviously, we're going to continue to look."

Okta said in late March that data for as many as 366 of its customers might have been "acted upon" following the Lapsus$ cyberattack. But a month later, the company determined that Lapsus$ had accessed tenants and viewed applications such as Slack and Jira for just two Okta customers during the January cyberattack.

Having the Difficult Conversations

Once news of the attack became public, Okta's management team talked to more than 1,000 customers and McKinnon says he personally spoke with more than 400 clients to describe what happened, listen to customer concerns and answer questions. Going forward, he says, Okta will require robust security measures from third-party service providers and implement better processes for communications.

"The level of conversations and the people we engaged with in these customers and prospective customers was incredibly senior," McKinnon says. "And the conversations, after some initial communication and feedback, became very strategic."

Okta has traditionally excelled at having high-level conversations with IT and security stakeholders in customer organizations, McKinnon says. But following the breach, he says, Okta ended up having management and board-level conversations with customers on topics the company hasn't traditionally talked about as much, such as risk and compliance.

"I think we did a good job of instilling confidence because customers do want to partner, and they want a long-term partner, and I think we were able to show them that we were that partner," McKinnon says.

Okta on Wednesday hosted in its offices the global chief information officer and the entire executive team from one of the major branches of the U.S. armed forces for the entire day to discuss what the future of identity is going to look like, according to Chief Operating Officer Frederic Kerrest. Identity has become a priority for C-level executives as the volume of software continues to proliferate.

"A lot of these large organizations are literally saying, 'I'm looking for a foundational partner around identity to build out my infrastructure,'" Kerrest tells investors Thursday. "These are just the kinds of conversations that frankly - regardless of what happened in Q1 with the security event - we were not having six or 12 months ago."

Identity Governance, Privileged Access on the Horizon

McKinnon says Okta is getting closer to launching its first-ever identity governance product that will bring the company into direct competition with the likes of SailPoint. The company saw great success with its early access program, which proved to McKinnon that customers want to buy and find value in Okta's new governance product. The company plans to initially launch Okta Identity Governance in North America.

"What the customers want is one integrated platform that will provide access management across all of their services and products and also do governance and reporting," McKinnon says. "So that's the platform we're building."

Okta's decision to add a few more features to its server access management product has delayed the launch of the company's inaugural privileged access management product by a couple of quarters, he says. The company announced in spring 2021 that it would debut identity governance and privileged access products in early 2022, and the latter will bring Okta into competition with CyberArk and BeyondTrust.

"We're excited about both areas," McKinnon says. "The whole converged platform story is really coming together, and we're excited about that."

McKinnon claims there aren't currently a lot of good solutions in either IGA or PAM, and many customers only adopt IGA in pockets or find that it doesn't cover all the resources and workloads they want to cover. Similarly, McKinnon says, the incumbent PAM offerings work in a legacy on-premises environment but struggle to address the cloud-based technology needs of modern organizations.

"What it's going to take to get those customers to be buyers [of Okta] is to build a great product," McKinnon says. "We're focused on the next generation, the new projects, the new initiatives, and we're going to need a better product for that."

Rising Sales and Losses

| Okta | Quarter Ended April 30, 2022 | Quarter Ended April 30, 2021 | Change |
| --- | --- | --- | --- |
| Total Revenue | $415M | $251M | 65.3% |
| Subscription Revenue | $397.9M | $240.1M | 65.8% |
| Professional Services Revenue | $17M | $10.9M | 55.3% |
| Net Loss | $242.7M | $109.2M | -122.3% |
| Loss Per Share | $1.56 | $0.83 | -88% |
| Non-GAAP Net Loss | $42.6M | $13M | -228.1% |
| Non-GAAP Loss Per Share | $0.27 | $0.10 | -170% |

Source: Okta

Okta continues to enjoy some of the strongest growth rates of any publicly traded security vendor. But that growth has come at a cost, with Okta's losses climbing sharply as compared with this time last year. And like many other security vendors, it isn't turning a GAAP profit yet.

Okta's revenue of $415 million in the quarter ended April 30 crushed Seeking Alpha's sales estimate of $388.8 million. And the company's non-GAAP loss of $0.27 per share beat Seeking Alpha's non-GAAP loss estimate of $0.34 per share.

The company's stock is up $14.11 - 15.06% - to $107.79 per share in after-hours trading Thursday. That's the highest Okta's stock has traded since May 5.

For the quarter ending July 31, Okta expects non-GAAP net loss of $0.31 to $0.32 per share on revenue of between $428 million and $430 million, representing a year-over-year growth rate of 36%. Analysts had been expecting non-GAAP net loss of $0.34 per share on sales of $422.8 million.


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



