Cyberark Software Ltd at Credit Suisse Technology, Media and Telecom Conference

CYBR - Cyberark Software Ltd
Nov 29, 2017 / 10:30PM GMT 

==============================
Corporate Participants
==============================
   *  Joshua Siegel
      CyberArk Software Ltd. - CFO

==============================
Conference Call Participants
==============================
   *  Brad Alan Zelnick
      Crédit Suisse AG, Research Division - MD

==============================
Presentation
------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [1]
------------------------------
 I'm live. All right. Good afternoon. Welcome. I'm Brad Zelnick, part of the software team here at Crédit Suisse. Delighted to be joined by Josh Siegel, CFO of CyberArk. The presentation format over the next 20 minutes or so will be a fireside chat. And you know what, we've got a friendly looking room here. We'd love to see any hands raised, and if there are any questions from the field, I'll keep an eye out. As well, if anybody's shy and they want to ask anonymously, you can send me an email to brad.zelnick@credit-suisse.com.

 And with that, welcome. Thanks for joining us today, Josh.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [2]
------------------------------
 Thank you, Brad, for having us here at beautiful Scottsdale.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [3]
------------------------------
 Yes. It's much better than being in New York, at least weather-wise, for sure.

==============================
Questions and Answers
------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [1]
------------------------------
 Maybe we could jump right in and talk about 3Q. So I think an obvious place to start, as we look across the board at publicly traded security companies, there seem to have been the haves and the have-nots, probably more have-nots, and CyberArk stands out as having had a good quarter relative to expectations. What do you think's happening in the market more broadly and what is it that sets you apart across the broader security landscape?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [2]
------------------------------
 Yes. Well, as you said, I think we actually had a great -- a good third quarter. We grew about 18%. We generated 16% operating margins on the bottom line. Generated cash as well, close to $15 million. And so overall, I think we exceeded the guidance, and we had a good quarter for Q3. If we look more qualitatively into the quarter, we saw the largest number of 7-figure deals that we have had ever in that quarter. We saw -- across all verticals, we saw big growth in federal, of course, which Q3 is usually a big quarter. Also, energy, manufacturing, pharma as well. I think that we also saw some interesting deals that we talked about on the call related to doing very -- a very large-scale end-point transaction with a large transportation company related to ransomware defense. And I think, overall -- you asked about security or cybersecurity. Overall, I think, it certainly -- it may come in waves. But for privileged account security, we view this as a proactive measure to secure the inside of your network, to ensure that when breaches do occur in your network, and I think, in today's environment, it's pretty much accepted that breaches will occur, the perimeters are up for us. And when they do permeate into the network, we -- their main form of attack is to escalate privileges higher and higher and higher in order to get to basically a place where they can do the damage that they were sent to do, either stealing personal identifiable information or credit card information or just embarrassing the company or owning the network of the company. So from CyberArk's perspective, we've seen a continuous healthy demand environment for our products because it's a proactive measure that isn't necessarily a reaction to being breached. We really sell that you should be setting up good hygiene in your organization on an ongoing basis. I can't -- it's harder for me to speak about the cybersecurity in general.
Everybody's got their issues or their -- and their waves, but I will say that the attackers are getting smarter. With the migration to the cloud, the IT infrastructures of most organizations is getting more complex because most enterprises are now working in a hybrid environment. And when you have a more complex environment, you typically have more vulnerabilities, and then there are more vulnerabilities to secure. So I think that, from our perspective, at least, one of the things that we really go after and try to embrace is that migration to the cloud and ensure that we're part of that conversation. Overall, Q3, I think, was a good starting point into the back half of the year, which for us is seasonally the stronger half, and we feel good about the rest of the year.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [3]
------------------------------
 Very helpful context. And Josh, if we think about what brings the customer to your front door, or maybe conversely, what brings your sales rep or channel partner to their front door, does the conversation more often begin with a regulatory requirement where they need to check a box? Or is it a more strategic cloud dialogue with a CISO identity being the new perimeter, and we're going to be your strategic partner in helping to provide better security?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [4]
------------------------------
 So Brad, I think that's changed over time. Certainly, if you would have asked that question 3, 4 years ago, it was -- the lion's share was coming more from a compliance perspective or a governance perspective or maybe they've been breached already. I think, as we look at it now, and today, and I think a lot of the success that we've been able to have over the last 3 years is because we've been able to really try to develop a risk-based approach to our selling. I think it's taken a really strong foothold in the Americas, in U.S.A., where really it's around your -- the latter conversation. It's about what can the organization do to secure the inside of the network when a breach occurs? And it's basically CyberArk becoming a trusted adviser to the enterprise. And really, what's powerful about that is that not only do you get the first order, but then it's much easier to nurture that order down the road and turn that into a much, much bigger order, more upsell, more cross-sell into other products and full deployment into the organization. I will say that, that conversation is a bit different when we look at the different regions. So in the -- I think, in the U.S., we've been extremely successful in trying to create that type of level of discussion with the enterprise to have that risk-based discussion. I would say, in EMEA, it's not as strong there. And there's more discussion around the compliance and the governance side. And that's one of the things, actually, in some of the organizational change that we brought in, in Q3 was making our VP Americas now Chief Revenue Officer, is for him to kind of start instituting that type of a global approach to risk-based selling, not only in the U.S. but also in Europe and in APJ because we think that it's really the same story. It's no different. It's the same vulnerabilities, it's the same attackers, it's the same risks for them. 
And it creates a much healthier demand environment for us, not only for the immediate sale but for going down the road and nurturing those customers down the road.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [5]
------------------------------
 You're referring to Ron Zoran that you've elevated to Chief Revenue Officer?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [6]
------------------------------
 Exactly.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [7]
------------------------------
 Interestingly, we just -- 45 minutes or so ago, I was on stage with another company in the broader security space that isn't performing as well most recently and retrospectively relates that back to elevating a new head of sales a year ago. I don't -- I hesitate, I guess, to make that comparison, but if I'm going to form that as a question, is there a risk in change that we should be concerned about that, now that Ron is running global, where there might be some investment period that may result in some disruption?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [8]
------------------------------
 Yes. I think it's a great question. And obviously, before making this change, we evaluated all the potential risks from the change. Just as background, CyberArk has always been a company that has organized its sales regionally in 3 regions: Americas, EMEA and APJ; 3 heads of the each -- head of each of the regions reporting up to -- up through the CEO, and it really worked very well. We enjoyed a 40% CAGR up through 2016 for a 5-year CAGR. Even if you look at it from a 10-year CAGR, it's also the same. I think one of the things that we saw when we kind of started to unpeel the onion, so to speak, in Q2, when we saw -- started to see some decline in the license revenue, and that is that we weren't getting the same bang for the buck, so to speak, in terms of the sale and the sales process in EMEA, and partially because we weren't as much in control of the account and we -- and the sale wasn't around risk-based and it was more around point solution and compliance. And so we felt like we were losing out on some of the upside opportunity there. The good news about what we did in terms of ultimately determining that we should make Ron in charge of the global sales is he was a known quantity within the company. So he is somebody who's been with the organization for almost the beginning. He's been in many departments within the organization and has succeeded in moving up and also doing change management. So while there is risk always in change and certainly change management, it helps when the organization who is involved in that change already knows the leader in place who's going to be doing it and the success that, that person has had in the past, so -- and you can't argue with success. 
And so I think that, in our case, while there's definitely -- certainly creates some noise and some change in the personnel, and Ron is trying to also create change in the culture, but I think it's nothing that's going to be too dramatically different than what they've seen already, at least, within the organization in the Americas. So it won't be too much of a shock to the system.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [9]
------------------------------
 Helpful context as well. We actually, earlier today, had one of your competitors on stage and they spoke about the success that they're seeing in the category. And I stay in touch with various private companies as well in your space, and it seems like the category overall has been performing well, broadly speaking, over the last several years. If you're to characterize your success competitively today versus yesterday and as you project looking out tomorrow, can you maybe talk a little bit about the differentiation and where you stand out, why you win in competitive situations? And then, finally, on pricing, is -- does this end up being a price-competitive market?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [10]
------------------------------
 Yes. So I think, for starters, our success, I think, to date has been that we've really established ourselves as the leader in privileged account security. We IPO-ed on creating the layer of -- this new layer of securing the inside of the network related to privileged account credentials. And I think, from a technology perspective, we're de facto the leader in this space. I mean, that's really helped us gain pretty much a foothold and control over many of the large and extra large enterprises where they're looking for scalable, robust solutions that not only meet just locking down those credentials but are able to take them through a process of vaulting their credentials, monitoring them, analytics identifying rogue inside behavior or anomalous behavior of those credentials being used, and not only for DNA, people-based credentials, but also be as robust and as scalable for application identity, critical identities. And as we've now taken that forward with our acquisition of Conjur, which brings us into DevOps environment. So the enterprise market has said, "Okay, not only have you been a leader to date in kind of the vanilla, we see that you know the importance of the migration to the cloud. You understand that I -- as an enterprise, I'm in the process of migrating to the cloud and that you'll help answer my needs down the road, not only on Application Identity Management today, but as DevOps is creating more and more of a security risk for us," with the secrets that they're creating and the credentials that they're creating. And so I think that's been kind of being the technology leader and the one who can provide the solution for, really, the large enterprise, for all of its needs as it -- and it can't grow out of it has helped really position ourselves as a leader in this space. 
I think when we talk about pricing, so that actually now goes to, okay, so we're -- we've cornered the market on the large enterprise, we have 50% of the Fortune 100, we have 25% -- over 25% of the Global 2000. But -- and we have 3,500 customers, but we only have 3,500 customers, which means that there's another 30,000, 40,000, 50,000 in the wings that are certainly in reach over time. And many of those, though, will start to be more large- or medium-sized or smaller enterprise. And I think, as you get to the medium market, price becomes a lot more sensitive. And so there, I think we obviously have more competition, particularly from our smaller friends out there who are -- might be more -- or have some more flexibility on their pricing regimes and are also providing a product that is maybe not at the same scalable potential as the CyberArk product. But there, we're also -- now we understand that we need to be price competitive. And we, this year, introduced a new pricing around bundling certain of our products together, and we'll see some more of that as we go into 2018. I think, in the end of the day, though, CyberArk is really still focused on increasing its gap from a technology perspective and still focused on the -- our sweet spot, which is kind of medium, large and extra large enterprises.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [11]
------------------------------
 Got it. Are there any questions from the room? Okay, and I just checked my email, I don't have any there yet. Let me move on to another one, if I may, Josh. You mentioned Conjur. When you announced that deal, I think it seemed to catch a lot of attention. Can you talk a bit more about the challenges in securing a modern DevOps software process? And perhaps a bit more about the opportunity you see, and how does the go-to-market differ?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [12]
------------------------------
 Yes. So when you think about DevOps, I mean, DevOps now has really -- has been spurred by the fact that the cloud environment is so available now to organizations where it's very quick and very able to spin off new servers, new containers and new virtual resources.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [13]
------------------------------
 Okay, it was me. Sorry about that.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [14]
------------------------------
 Okay. And what happens with DevOps is that now you have developers who are racing at very quick speeds to develop, deploy and deliver new applications. And in doing so, they're creating lots of new application credentials within their DevOps environment, they're called secrets. And organizations do not want to slow them down. They want to say, "Keep developing this," because many of these applications that they're developing is -- turns into -- that DevOps pipeline turns into a potential revenue for the organization, and so they don't want them to slow down. The organization is waiting for them to continue to develop it. So the developers, though, are creating these new backdoors. And so what Conjur is able to do and what -- is now be able to help organizations manage these secrets and secure these secrets in a very powerful way. And we -- what is also interesting for what we're doing is it's really kind of a dual go-to-market strategy. Because in one respect, we actually, in Q3, released an open-source version, which allows the developers to, as they need it, use it. But again at the same time, as the CISOs understand that this is becoming a bigger and bigger play within the organization, they could then see, okay, which -- what are we doing to secure these? They're already using CyberArk's open source. CyberArk is a well-known security vendor, so now we can -- there will be an easy step to go to the enterprise version with CyberArk itself.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [15]
------------------------------
 Got it. Helpful. Can you perhaps frame the opportunity for CyberArk? You have multiple products. You talked about your penetration, 50% of the Fortune 100, 25% of the G2K and 3,500 customers today and tens of thousands more in reach. Is there a way to contextualize what does -- how do we quantify that white space?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [16]
------------------------------
 Yes. So I mean, the way we look at that white space or our current customer base is, typically, a new order will be $150,000, where it includes the infrastructure, it'll include the first Enterprise Password Vault users and the first couple of hundred Privileged Session Managers monitoring what those users are doing. And what we'll do over time is be able to grow that installed base, also on the existing products that they're buying and then crossing over into additional products. We see that we can get an enterprise over the course of products would be into the 7 figures. So when we look at customers, we look at the first order. But then, as we move along, 60% of our business in the last 12 months has been from existing customers. And that's a big part of our business. Land them, expand them, nurture them over time, and that's been very successful for CyberArk.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [17]
------------------------------
 Helpful. Just maybe one more in the operating model. And full disclosure, I don't currently cover the stock. But if I just look empirically, sales and marketing, it's 47% of revenue. Benchmarked relative to peers, it seems high, but in the context of your growth, maybe not so much. Can you maybe talk about the leverage in your model and how you think about profitability over time?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [18]
------------------------------
 Yes. I think, in the most recent quarter and for this year, we were about 47%. And for the year, I think it's about -- 9 months, I think it's about 46%. But at the same time, we're still generating about -- in Q3, it was a 16% operating margin, and for the year, I think it's about 18% operating margin. And at our scale, I think we're in a reasonable place for sales and marketing. In terms of looking at leverage going forward, we see on R&D, which is today roughly 14% to 15%, there's a little bit that can go there, another maybe 1% to 2%. G&A, we're roughly at good efficiency there, we're at the 7% to 8% level, which I think is where even at a large organization would be. But the sales and marketing is something that, certainly over time -- and we've actually, I think in 2016 and in 2015, we were at below-45% sales and marketing levels, closer to the lower 40s. And I would believe that, over time, we view that the sales and marketing line can definitely go to the 40%, and then the next level is getting it below to 40%. And I think, as we think about our channel management, we think about the education at the channel level and how much more they can do for us, certainly, in -- as we become more mature and larger, I think then there is room to lever that sales and marketing even below the 40% level.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [19]
------------------------------
 Excellent. If there are no questions in the room, I think we are just about out of time. And with that, Josh, always good to see you. Really appreciate your participation.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [20]
------------------------------
 Great. Thank you very much.

------------------------------
 Brad Alan Zelnick,  Crédit Suisse AG, Research Division - MD   [21]
------------------------------
 Thank you.




------------------------------
Copyright 2018 Thomson Reuters. All Rights Reserved.
------------------------------