Cyberark Software Ltd at Barclays Global Technology, Media and Telecommunications Conference

Dec 06, 2017 AM EST
CYBR - Cyberark Software Ltd
Dec 06, 2017 / 07:00PM GMT 

==============================
Corporate Participants
==============================
   *  Joshua Siegel
      CyberArk Software Ltd. - CFO

==============================
Conference Call Participants
==============================
   *  Saket Kalia
      Barclays PLC, Research Division - Senior Analyst

==============================
Presentation
------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [1]
------------------------------
 So good morning. All right. Hey, good morning, everyone. My name is Saket Kalia, software analyst here at Barclays. Very happy to have with us the team from CyberArk. We've got Mr. Josh Siegel, Chief Financial Officer, we've got Erica Smith, Head of Investor Relations. We've got about 25 minutes together. Let's take the first 15 or 20 minutes and have a little bit of a fireside chat here with Josh. But let's make it interactive. So feel free to chime in. We'll get a mic over to you and pop in some questions. So with that, first and foremost, Josh, thank you so much for making the trip to be with us today.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [2]
------------------------------
 You're welcome, and it's always good to be here at Barclays.

==============================
Questions and Answers
------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [1]
------------------------------
 Thank you. Let's start big picture, Josh. Especially if -- somebody might say, of course, you're so tech savvy, as well in terms of speaking about the products and kind of the markets. In your conversations with customers and even in your own security spending, frankly, how do you think CISOs are reacting to sort of more breaches here in 2017? And how are they thinking about their overall spending going into 2018?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [2]
------------------------------
 Yes, and this is good timing for that. Maybe you can lower the mic a little bit. Okay. Thanks. This is good timing for that, because obviously, every company is looking and planning their own business plans and investments for next year. So it is really top of mind. I think, overall, cybersecurity is still very much top of mind for enterprises across all verticals, not just banks and so forth, it still pervades all verticals, governments, anybody with a meaningful IT infrastructure, because the risks are still not just around money, but it's also around personal identifiable information, it's around IP, it's around lots of reasons for attacking. So it's very much top of mind. I think also, as we think about the risks around cybersecurity, there's -- it's no longer just about what is the risk on-premise, there's now risk for -- most organizations have a hybrid environment. So the risks now are complicated by having on-premise IT infrastructure and cloud infrastructure and as we kind of think about 2018, you're also going to start seeing organizations that have multi-cloud structures as well. So from that perspective, it's clearly something that the investment hasn't been -- the solution yet hasn't been fixed and they need to do more. And also because the IT infrastructure is changing, they need to also think about it in new ways. I would also add that, I think when organizations, particularly in the U.S., where we see it very aggressively, they're thinking about their IT -- their cybersecurity not just about, how do we avoid being breached because -- and how do we avoid the endpoint or organizations coming into the network. But they're worrying about what happens when they're in the network already. So now it's about cyber -- now it's about securing the network from being taken over. Because there's already a reasonable assumption that the breach will occur in some form or fashion, whether it's a phishing attack or somewhere or other conventional attacks. 
And so what do I do now to secure the inside of the network so there's not a takeover of the network? And that's a different type of an investment decision than just, how do I make the perimeter a lot firmer? And that certainly is something that the CISOs are looking at. I think we expect to see, and I can talk about it from our own budget as well, we'll see more incremental investment around cybersecurity. As it relates to what happens when, or if, the attacker is inside our network, hardening the assets inside the network. And also certainly, with GDPR around the corner, in May, obviously, we do need to think about that in the context of GDPR or there are additional things that we need to start thinking about and doing, as it relates to things around the fringes of GDPR as well.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [3]
------------------------------
 Sure. Great segue into maybe -- am I on here? So -- okay, go ahead.

 Great segue just into more of a regional question, right? And GDPR has, frankly, been the question that we've been asking since January 1 of '17. For all security vendors, by the way. And it's been more of -- something that's kind of starting discussions if you will, maybe not really that much for revenue driver, per se, just yet. And so now we're, like you've said, we're kind of right around the corner here in May of '18. From your conversations with your own salespeople or other industry participants and, of course, with CyberArk's pretty decent sized EMEA business, how much of a catalyst do you think GDPR will be to potential spending here in the fourth quarter? And just as we get into 2018?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [4]
------------------------------
 I think that as we look at Q4 and even the first half of 2018 and we don't view it as necessarily a driving or significant catalyst for cybersecurity or for CyberArk. We're not looking at it as that's going to be an incremental catalyst already beyond the fact that there's a high-end demand for Privileged Account Security anyway. And we see Privileged Account Security as a significant pillar within GDPR, because one of the major articles around GDPR is protecting your data and the highway to the data are your administrators who have access to the data or your applications that have access to the data and so those credentials around the administrators, whether it's DNA human administrators or whether it's applications that are interfaced with that data have to be hardened and secured. So from that perspective, we see Privileged Account Security as a critical pillar within GDPR, but it's also a critical pillar within general cybersecurity philosophy or strategy anyway. So I think also where we see -- the reason why I kind of carved out and certainly in the next 6 months where it may not be a huge incremental, but it will be a tailwind for 2018 and 2019 in the sense that in the beginning there's a lot of money going to be invested in figuring out what we need to do as opposed to what -- as opposed to actually buying products that will do what they think they need to do. So I think that unlike other SOCs and other compliance protocols that have come out, it's not very prescriptive in saying we need -- you need to buy a product that does x. It's more, you need to defend and you need to ensure a, b and c. And so when you don't have something as prescriptive, then I think, to be honest, I think a lot of the people who are going to make -- be making the most money in Q4 are the advisers. 
And in Q1, helping companies say, where do they do see the critical investments will be and I think if you talk to a lot of those advisers today, a lot of them will talk about that Privileged Account Security will be one of the pillars in GDPR, but not because of -- partially because of GDPR, but also because of the fact that you need to have that anyway.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [5]
------------------------------
 Sure, let's hear on -- even more just on the Privileged Access Management market or compound market, if you will, and sort of where it is in its adoption curve. In the very beginning, right from the IPO, this was still very much of a greenfield sale into the enterprise. And so high-level, how do you think this market grows in the next couple of years? Is it still very much of a greenfield opportunity? How do you think about the payer market on a long-term value?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [6]
------------------------------
 So we're -- sorry about that. We're -- we still feel pretty much as we felt in 2014 in the sense that it is very much a greenfield opportunity. We have 3,500 customers, but we only have 3,500 customers and if you think about how many organizations that have meaningful IT infrastructures, that have multiple thousands of employees, that basically hold personal identifiable information, hold credit card information, have access to critical IT, either on-premise or in the cloud or in a combination of that. And now today, when we think about what's going on with developers, who are also now holding administrative credentials where they or something new as part of DevOps. So we believe that it's still very much a greenfield opportunity. We believe that there's no reason -- this is not something that's a Global 2000 problem. This is a problem, or something that needs to be reckoned with by every hospital, every piece of government organization, all medium -- mid- and large enterprises. And if you look at companies like in the cybersecurity space, you'll see the more mature companies that are much bigger than us in the perimeter space, for example, have 40,000 or 50,000 customers, and some of them -- and one of them even has 100,000 customers. And so there's no reason -- if they need to worry about the attacker getting inside and that's why they're doing it, then they also now need to worry about what happens when the attacker does get inside.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [7]
------------------------------
 Sure. (inaudible) even more and kind of go into kind of CyberArk's performance this year in '17. You had a great bounce back quarter here in the third quarter. Maybe after a little bit more of a challenging second quarter. And so the old saying, hindsight is always 20/20. As you have more time to review some of those deals that -- which, of course, we've said have -- some of them have closed, and kind of the overall 2017 outlook. As you continue to do that postmortem, what do you think happened?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [8]
------------------------------
 So I think that -- I think several -- there are a couple things that I would point out. One is that the -- kind of the dry, simple thing that happened is that several of the deals that we thought we were on target to close in Q2 didn't close. Most of them closed in Q3 and/or will be closed in Q4. None of them -- it wasn't about deals being lost to competitors or enterprises removing the budget for those deals. So from that perspective, it wasn't a statement about the demand environment, but it was a statement about us not really having a good handle on when we thought we were through the closed -- the sell process on the order. We saw this particularly in Europe, where most of the majority of those deals were there we thought would close in Q2 and close later in the year. And I think as we looked under the hood in Europe, specifically, in hindsight we also started to see that there is a bit of a -- there was a bit of a different sell spirit or sell approach. It was a bit lower down in the market in the enterprise. So it wasn't -- it was more around selling the products and not selling kind of a risk-based solution to securing the IT infrastructure once you've been breached. And one of the things that we've done really well in the U.S. is really get ourselves into high-levels within the organization, selling to the CISOs and to the CIOs and it's around not just -- okay, you need to lock down your privileged accounts, but it's actually you need to ensure that when the attacker's inside your network, you've hardened it so they can't do the damage. And what happens then when you start to sell at that type of -- with that type of a story and approach, you -- first of all, the first order will be healthier order and then maybe a larger order and it might include more products because it's about really making an impact on the security of the network and also its -- makes it a lot easier to nurture that business over time. 
So I think when we looked at it, if we kind of really looked under the hood -- in EMEA, we also saw, well why weren't we getting more business out of our existing customers as well? And it's not a Q2 problem, it's just in general, we saw hey, we can do this better. We think -- and part of it was globalizing some of the things that Ron Zoran, who led up our America sales, can bring now to the table for EMEA as well.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [9]
------------------------------
 Sure. Maybe that's a great segue into one of the questions I actually had at the end. But just about some of those changes that you've made in the sales organization with Ron, making him kind of Chief Revenue Officer. When we sit here, a year from today, what will be the milestones or the achievements that you'd like to see come out of that movement of sales orientation? Does that make sense, the question?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [10]
------------------------------
 Yes. So I think that the things that we will be looking for in the second half of 2018 to show that what we did was the right move this year is going to be around 2 things -- really around 3 things. The first thing is what I just talked about, is that when we look at how the sales leaders are working with their teams within Europe and selling, how are they selling CyberArk within the enterprise and within the channels. Have they made an impact on the channels, because in Europe most of the business is done through channels. That we're now selling CyberArk around -- they're also able to sell to the enterprise in terms of thinking like an attacker, thinking about how to really secure the enterprises' IT infrastructure and not just, "Okay, you need to buy CyberArk for locking down vault credentials, or for monitoring those vault credentials." Yes, that's what you're going to get out of it, that's the specific function. But really what you want to do is sell to the -- to the enterprise that, hey, you are now secure when -- if you have -- if your perimeter has been breached and you don't and you -- and it's going to be very, very difficult for that major occurrence of identity theft, the -- or data theft or money theft or IP theft to actually happen, because they won't -- because the attack chain always is going to the surface. It's going to bubble up around elevating credentials and getting to those administrative credentials, whether it's an application or whether it's with a user in order to access that key data. So one is that when we look and when we talk to the partners and when we talk to the enterprise, that we're going to see a much higher level of sale. We're going to see the CISO involved and we're going to see more nurturing of that business -- of the new business. I think number 2 is that we're going to see a better ratio of demand generation versus demand closing. 
I think one of the things that Ron really is focused on, in the Americas, is not just how many deals have you closed, but how many deals have you opened at the AE Level also. And that's something that -- one of the first things that he's doing is really kind of restating the -- what he thinks is the right balance for inside sales and lead generation versus account executive and deal closing. So if you don't open, you don't close. So I think that's going to be something that we're going to look at, at H2 in terms of has -- where is that ratio and has that made an impact for also visibility going forward as we come out of 2018. And I think the third piece is going to be around select globalized accounts, because this will be the first time, or in CyberArk, we have one person who is kind of running the whole sales organization. And therefore, he has now the ability to say, "Okay, this account, which might sit in London, is really a global account. It should be serviced as a global account." They'll enjoy it better. They'll get more service and typically, when they enjoy it then we get more business as well. So I think looking at a segment of the market -- of the global market as global accounts as opposed to regions kind of fighting over various accounts at crossover regions, I think we'll see some good benefit from that.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [11]
------------------------------
 Interesting. One of the things that you said earlier just with those -- some of those deals that flip in from Q2 into Q3 and Q4 was -- it really wasn't competitive. And so naturally, any market that is attractive as PAM is will attract more competition or more strong competition, aggressive competition. And so the question is, kind of how would you summarize the competitive environment right now, right? We've got CA with Xceedium, maybe we've got [Cross Software] with -- as part of a private equity shop, maybe some smaller vendors out there. What do you see from the competitors? And how does that translate into kind of competitive win rates?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [12]
------------------------------
 Yes. So the interesting thing is, is that the competitive map hasn't really changed. In other words it's still the same competitors that we've been talking about for -- since the IPO. At CA, as you mentioned, they became even a bit more focused on it with their acquisition of Xceedium which was a head-to-head small private competitor, but they made a statement that they think this is an interesting market to them. We have still the BeyondTrust and the Lieberman and the smaller companies also in the U.S. and also in Europe that are focused very much on this business. I think what has changed though is all of these companies, including us, are bigger. Because the market has grown nicely over the last 4 years since the IPO so when -- they are all much bigger. So even the smaller companies are bigger. And therefore, they're more viable. They're more viable from a -- to be invited to the party, so to speak. And so from that perspective, there is more a competition, but not because there's lots more players, but more the players are more viable to be spoken because they are invited to participate. I think when we look at win rates, when we look at large enterprises, I think we feel really good about our win rates. I think as you go -- we go down market, to medium or to small enterprises, particularly where some of these smaller players that are now becoming -- that are now viable competitors, they certainly have a -- there we feel different win rates, they're lower win rates, because first of all, many of them have products that are built for the small, medium marketplace. And -- but overall in our sweet spot of large enterprise, we feel that win rates are good.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [13]
------------------------------
 Got it. I've got so many more questions to ask about the product and kind of go-to-market and about the company. But I really want to focus on a couple of questions that I'm trying to ask a lot of the software CFOs at our conference this year. The first one is, obviously going into 2018, some major accounting kind of shifts, right, with ASC 606. I guess the question is just open-ended. Can you talk through any impacts, if any, 606 would have on revenue, margin or cash flow for CyberArk?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [14]
------------------------------
 So on cash flow, it won't. Shouldn't have any impact. But on the P&L, there'll be small impact on 2 -- on really 2 places. We don't think it'll be a big impact, because of our model is perpetual software model. We still are SaaS and our subscription-based revenue is still under 5% of the business. So there'll be not huge changes, but where there will be changes is on the revenue side, there'll be -- or necessarily on the expense side. On the expense side, under the new rec, you need to match your expenses with the revenue. So we have a revenue that is supporting maintenance contracts. Some small amount of subscription and SaaS licensing contracts, which today has been recognized upfront the expense on the commission expense. So that will now be spread out over time. So that will be a slight bonus to the P&L. On the flip side, the subscription business that we sell, which is either Conjur or sometimes we sell Enterprise Password Vault on a subscription basis as well, again it's only a few percent of the business, that will be -- there'll be some decrease in 2018 as a result of having to -- the deferred piece going into the end of the year will not be recognized next year. But when we do renew the subscription, we'll recognize it upfront. So there'll be more lumpiness in that subscription because those subscription contracts will be recognized entirely in the quarter that we start the contract, not pro rata over...

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [15]
------------------------------
 So not as a term license, but more as a perpetual kind of more traditional view?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [16]
------------------------------
 Exactly. So now over time, over years as we build up that -- those subscription contracts, it will smooth out. And then we'll know every quarter which of those contracts will be recognized in each quarter based on the renewal. But in 2018, it will create some lumpiness for those contracts.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [17]
------------------------------
 Understood. I know 2.5 minutes won't do this next question justice, but to the extent we can try. The other question we're trying to ask all our software CFOs is just the impacts of tax reform. Obviously, a moving target day-by-day, sometimes feels like hour-by-hour. But what I'm particularly interested in is CyberArk has such a strong presence in Israel. Of course, a different tax jurisdiction, I would argue more favorable, right? But how would the legislation, [how is it] -- is currently being talked about, impact taxes for CyberArk, open-ended?

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [18]
------------------------------
 Yes, well it has to be open-ended because there's really a lot we don't know yet. And I'm not sure, in fact, the Senate and the House know all of the ins and outs. And what they know today may change in the course from between now and when the final vote happens. So it certainly is open-ended. In fact, we have our EY team on standby. So the day after the vote, they're in our office to explain to us what is the full impact as it relates to CyberArk. I will say that, obviously, to the extent that the U.S. -- and we pay taxes in the U.S. already today and we -- and so to the extent that they lower the tax rate, the corporate tax rate here, it's beneficial. It's beneficial to us. They are also lowering the tax rate in Israel, so we're getting a little bit of the benefit there as well. However, there are pieces of the tax reform that could relate to non-U.S. income and that's a piece that we don't know yet, exactly what the details are. So until we see the devil in the details, we won't be able to say. At this point, I do think that there could be -- that lowering the tax rate here in the U.S. will have an immediate impact, I think, not just on us, but also on many U.S. enterprises on the tax allowances that are on the balance sheet, because they'll have to be remarketed -- recalculated for the lower tax rate, so there could be kind of an immediate tax expense already this year. But it's just basically resetting the valuation of the allowance on the -- the tax allowance on the balance sheet.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [19]
------------------------------
 Understood.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [20]
------------------------------
 But in terms of how it plays out for operating margin going forward, February, I think we'll know a lot more.

------------------------------
 Saket Kalia,  Barclays PLC, Research Division - Senior Analyst   [21]
------------------------------
 With that, Josh, thank you so much for being with us today. Really appreciate it.

------------------------------
 Joshua Siegel,  CyberArk Software Ltd. - CFO   [22]
------------------------------
 Thank you.




------------------------------
Copyright 2018 Thomson Reuters. All Rights Reserved.
------------------------------