Cyberark Software Ltd at Barclays Global Technology, Media and Telecommunications Conference
Dec 05, 2018 PM UTC
查看原文
CYBR - Cyberark Software Ltd
Cyberark Software Ltd at Barclays Global Technology, Media and Telecommunications Conference
Dec 05, 2018 / 05:00PM GMT
==============================
Corporate Participants
==============================
* Ehud Mokady
CyberArk Software Ltd. - Founder, Chairman of the Board & CEO
==============================
Presentation
------------------------------
Unidentified Analyst, [1]
------------------------------
We've got about 25 minutes together. Let's take the first 15 or 20 minutes to do some fire-side chat with Udi, and then let's make this interactive. We'll have the mic go around with any questions you might have in the audience. So with that, thank you so much for being with us today, Udi.
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [2]
------------------------------
Pleasure. Thank you.
==============================
Questions and Answers
------------------------------
Unidentified Analyst, [1]
------------------------------
There's plenty to talk about here, right, especially since the last quarter, and we'll definitely touch on that in a second. But just to level set all of us, can you just talk a little bit about the market for privileged account security a little bit? I think we know what it entails, but I'm curious about how you've seen the market evolve since the IPO in the last few years. And I think we might even have some news out of the press as well from a market perspective.
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [2]
------------------------------
Yes, great. So I think the IPO is a great measure because we went public 4 years ago. So first of all, as a company, we more than doubled in revenue and more than doubled in customer base and our footprint in the Fortune 100. Now we have half of the Fortune 500, but in the market, awareness has been a dramatic, I would say, change over the last couple of years. I think the most evident -- you can see this morning just at 9:00 a.m. here local time -- 8 a.m. here local, it was announced the first-ever Gartner Magic Quadrant on this space. So this space received a Magic Quadrant, and CyberArk is at the top with the strongest ability to execute and completeness of vision. So we're very pleased as the pioneer of this space to also lead the space. We worked very hard to be the most innovative in this space and to be very focused on really securing customers and get there. Privileged access is all about protecting the keys to the kingdom, really, the foundation of what IT runs on. And in the last couple of years, the awareness has shot up that you're not going to be able to control everything in the ever-growing attack surface. And the attack surface has grown a lot even even in just these couple of years with the adoption of cloud and DevOps processes that the -- it's really a race to the top. It's one of the things that can really make an impact in the security of customers. And again, we're seeing that both in the demand, but also in third-party attention to this from an analysts perspective.
------------------------------
Unidentified Analyst, [3]
------------------------------
That's great, Udi. I'm going to dig into the solutions a little bit because that's always been my favorite area. Enterprise Password Vault, or EPV, has always felt like the land product, in my mind. Are you still seeing this as an area of greenfield around sort of securing privileged credentials? How do you think about that land-and-expand story, if you will, for CyberArk?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [4]
------------------------------
Yes, absolutely. I think one of the things we highlighted in our strong Q3 and our strong first 9 months is that the core business of CyberArk is really driving the growth because it's pretty much greenfield out there. So we're proud to have 4,200 customers, but we're going after, really, the next 30,000, 40,000 customers out there, and they do not have these controls. So we still see very much the solution for putting controls over credentials and rotating credentials and really keeping -- giving access to those who are allowed to access, and preventing access from rogue insiders and outsiders is really the landing point in our solution, but we've also -- and we may touch it -- we simplified it so that the customer actually lands with a combination of products, and that's something we've done over the last year.
------------------------------
Unidentified Analyst, [5]
------------------------------
So I definitely want to touch on that a little bit in terms of the bundle pricing strategy. To stay on product just for a second, one of the latest things that we've started to talk about a little bit is -- has been the privilege cloud. And frankly, it's a way to really future-proof CyberArk's leadership in this market. Can you just talk a little bit about what the privilege cloud is and how it kind of compares to traditional EPV?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [6]
------------------------------
Yes. So privilege cloud is our foray into giving customers the ability to really consume privileged access as a service delivered from the cloud. It's an early solution from CyberArk, but as you said, very much future-proofing because what we've seen is that most customers want to own and control, as I call, the keys to the IT kingdom. So even if it's -- whether they're installing them on-premise or installing CyberArk in one of the cloud providers, they still tend to do that. But we wanted to give them also the option to consume this as a service. And it really goes with a variety of ways where we like to land with the customer, no matter where they are on their cloud journey. And most of the enterprise we deal with are very much hybrid, but with this service, we believe we'll be able to go further down market to customers where their strategy is to go cloud first in any new consumption.
------------------------------
Unidentified Analyst, [7]
------------------------------
Got it, got it. I want to touch on the idea of machine credentials as well and loop-in products like Application Identity Manager, or AIM, and Conjur, which has been very successful since the acquisition. First and foremost, maybe from your perspective, why does it make sense to talk about these products together? We've talked about this in the past, one of machine identities. How do you sort of think about that as almost like a bundle, if you will?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [8]
------------------------------
Yes, you're completely right. We more and more talk about them together and kind of talk about our business in 2 lenses: managing human access -- or managing human privilege access and managing applications that also need to have this strong access to databases to other applications. They also need keys in order to function. And again, the keys in the wrong hands mean takeover. And so the way we look at our business is, we need to deliver the privileged access security for humans and for applications all the way from mainframe to DevOps and the cloud. So that's how we slice it up, so you're right. The historic reason is that we first came out and self-developed a solution for more legacy static applications. And through the acquisition of Conjur in May 2017, we expanded to DevOps and really machine identities where you have instances there also -- running fast and running on containers can be also only up or down for a minimum amount of time, and they still need credentials and secrets in order to function. So it's an extension of our legacy solution for legacy applications to the modern architecture and modern applications. So we do see a sales motion that's very often as one. A customer can say, well, I want to deal with my most critical on-premise or legacy applications first, or, you know what, I want this to be the blueprint for all of my -- as I move and migrate and adopt digital transformation to the cloud or do both. And so it is more and more becoming a unified product line with the flavors depending on the infrastructure that the customer has.
------------------------------
Unidentified Analyst, [9]
------------------------------
Yes. One of the things that we said at the acquisition time for Conjur is, Conjur really works with DevOps teams and you mentioned this here as well. And it feels like from a couple RSAs ago, it feels like this buzzword around DevOps security is really starting to come and take hold a little bit more and, frankly, CyberArk is one of the first to really kind of double down on it with Conjur. I guess, can you talk about why DevOps teams are becoming more important to security vendors and how Conjur is sort of attacking that market?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [10]
------------------------------
Yes, absolutely. I think it will be exciting for everyone also as consumers. The thing about DevOps is that it really -- as consumers and as investors. DevOps really makes a difference on the top line of customers. So if you're in airline, it makes a difference to you if you launch your applications fast, and people prefer this airline over the other because of the booking system and I can fasten and I can update and I can upgrade. We all know how often we update applications on our phone. Behind the scenes, somebody develop that release for the airline or the shoe company or the manufacturer or whatever it is that is rolling out applications. And that's become a competitive differentiator for companies how they adopt digital transformation, how fast can they move into this modern way of developing applications, not Waterfall, which takes 6 to 12 months or 18 months to launch a version, but rather DevOps, which is a continuous integration, continuous development and allows companies to roll out new applications in weeks, sometimes days. And so that's a big motion in every company out there regardless of vertical. What happens is, they're running so fast, security is finding it very hard to keep up with them. The most critical or one of the most critical aspects that are given to these pieces of codes is privileged access. They're given secrets. They need to communicate back into the database. That application has to write to the database, that application has to talk to another application. And if the power is completely in the hands of the developers, security loses control. With Conjur, it's a win-win. We give developers a way to, from the get-go, develop application security so that these secrets can be managed and rotated and not be known to a human or to a developer. And we give security a way to not, hey, halt what -- stop what you're doing, and you have to work Waterfall with me, but rather, okay, we're giving you a way to keep on working as you're working in transparency behind the scenes. There is a system to rotate and secure credentials in this whole pipeline. That's why it's so strategic and that's why we now embrace 2 notions, where CyberArk is really protecting the enterprise, but is also enabling digital transformation.
------------------------------
Unidentified Analyst, [11]
------------------------------
Sure. I'm going to go back to Core PAS a little bit and talk about the go-to-market and really hammer on this idea of a bundle pricing strategy. First of all, just to level set for all of us, can you talk about what it is and when we started it?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [12]
------------------------------
Yes. We formally launched it January of this year, January '18. But in Q4 of '17, we began to see that customers are asking for a more simplified way to procure CyberArk, reduce the phase of scoping of -- that different products were required different scoping to understand the environment. And when we saw in Q4 and that experienced that it's working well, we launched it across the board in January, where basically Enterprise Password Vault, our
Privileged Session Manager, our Privileged Threat Analytics and also our SSH key management are bundled into one core privileged access security solution, which is -- instead of trying to figure out how many servers the customers have and how many users, we only count users, and these are privileged users. So they can be IT employees, they can be developers, they can be third-party vendors, third-party suppliers. And it's much easier for the customer to scope, especially in the never-moving infrastructure environment and allows them, and there's also -- it allows them also to land in the right way for their security. If -- when we gave them the Enterprise Password Vault credentials, privileged session management controls sessions. Threat analytics is finding anomalous behavior. When you gave them the full ability ala carte, they would often start with a way where it's hard for them to then scale and protect the most critical infrastructure. Here, they're starting up with everything they need to protect humans. And they don't have to -- the only thing needed to scope is users and then they can grow with the user account without the need to change anything from the (inaudible). The add-on business that follows is our motion on securing applications that we talked about, and our solution for the endpoint privilege management where many of the attacks begin, which is, again, easier to scope because it has to do with how many endpoints you have. And we just saw -- I think Q3 was a 90-something-percent of -- new deals were already on the new price list because we were working through our pipeline. And throughout the year, we saw that, and we really saw that it enabled us to handle more deals. It didn't necessarily show on the sales cycle, but it allowed us to handle more deals we had. In the first 9 months of the year, we added 37% more new logos than in 9 months of last year.
------------------------------
Unidentified Analyst, [13]
------------------------------
Let's talk about that idea of the sales cycle. And any other benefits that we can see from this bundled pricing strategy? I think, as you said, right, it hasn't really impacted sales cycles as much, but also, as you said, the scoping has become a little easier. Could we see some follow-on benefits from this bundled pricing going forward? And if so, what could they be?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [14]
------------------------------
Yes. I think the combination of the pricing with a simplified solution is -- and the other things we've invested, like the globalization of the sales force and others, are really a big explanation of the great growth we had in the first 9 months and the success of the year. If we go back into the sales cycle, it's still 6 to 9 months, I would say, on average, but we're able to handle more. And we're -- and the scoping phase of the engagement is really reduced. You can -- we can work with a customer much more on planning out the future state, talk about not project, but program, okay, let's start here, we'll secure credentials for your most critical applications, we'll secure domain controllers, let's paint the path for your Unix environment, for your Windows environment, for your cloud environment. So it allows us to really paint the future and for us to partner and come back later with add-on business and, like I said, handle parallel sales process without that confusion point and really helps on win rates.
------------------------------
Unidentified Analyst, [15]
------------------------------
Interesting. So we talked about products and pricing. I want to pivot the competition, but maybe in the 10 minutes that we've got left, maybe we just open it up to the audience in case there are any questions. Okay, so let's pivot the competition a little bit, Udi. And I'm going to take 2 situations separately because, I think, they're important. So first, Computer Associates, CA, which, of course, acquired Xceedium a couple of years ago, is now part of the big umbrella with Broadcom. The question is, can you talk about whether we've seen any changes in the competitive environment with that change -- with one of your biggest competitors?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [16]
------------------------------
Yes. So definitely, they were our biggest competitor. They would also show up in the lineage quadrants that I just mentioned in the Gartner Magic Quadrant, but we do see this as a major disruption to them. The first (technical difficulty) public out there, and we're seeing revenues comp by many security groups within CA. And that comes back also to the customer getting -- existing customers getting worried about the future of the ability to invest and innovate in the space where it's so critical. So we see that the initial trends are still early. There are more in team disruption that we see out there. But we view that as another tailwind in the changes in our competitive landscape.
------------------------------
Unidentified Analyst, [17]
------------------------------
Absolutely. So the other situation to talk about here, obviously, is BeyondTrust and Lieberman, too much smaller competitors compared to Xceedium, but nonetheless, they were acquired as well. We may have talked about at least one of them as an ankle-biter in the past, for example. Can you talk about why this disruption may be an opportunity as well? How do you think about them?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [18]
------------------------------
Yes. Maybe for the crowd here, basically, 2 or 3 competitors were all doubled up backed by Francisco Partners. So it's a PE-backed company that's now BeyondTrust, Bomgar, Lieberman plus Avecto. So from our perspective and from what we're seeing out there in the market, it really means that there's going to be a big drill of trying to choose between 4 bases of code. The PE-type investment means that there's going to be a major cutting in innovation. And so the first signs out there are similar to what I said about CA resumes out there because you have a big group or small companies and some larger companies coming together in various places around the world and in a PE model. And from customers we're hearing confusion about road map, what code base is going to be out there. And again, CyberArk is a pioneer in this space. So we really -- in our sales motion, we really focus on security, on what the customer needs and protecting against the attacker. But we definitely put this as tailwind in terms of -- again, disruption and competition is tailwind for market leader, and we'll continue to innovate for the right reasons and continue to break away.
------------------------------
Unidentified Analyst, [19]
------------------------------
Got it, got it. So it's funny, the last couple of conferences that we've had, I've had Josh in the seat and I asked...
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [20]
------------------------------
Our CFO.
------------------------------
Unidentified Analyst, [21]
------------------------------
I asked this poor CFO a bunch of tech questions, and he does a great job at at. So when I have Josh here, I ask him product questions. Now that I have got you here, I'm going to ask you some financial questions, if that's okay, high level, of course. I guess, generally speaking, Udi, how do you think about the long-term growth in the PAS market?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [22]
------------------------------
Bullish about it, for sure. I think analysts have it growing as a 20-plus -- industry analysts have it growing at 20-plus percent. I think anecdotally and we presented it in our Investor Day in March, we just see a lot of greenfield. And the greenfield is for right reasons. CyberArk and -- or PAS is not a next generation in front of something that existed for 20 years, it's a relatively new market that is taking off. So we see a very big opportunity to go and (technical difficulty) also head towers the mid-market opportunity when the time is right. The parameters that are helping it, of course, are the growing awareness that security is a team game, security is a team sport, you need multiple layers, and I'm good friends with many of the other companies that present here. But it's been proven that privileged access really makes a difference between a minor cold and a major takeover. And whether the incident response fronts that highlighted it that the attacker came through phishing, but how they took over was privileged access to a database, so privileged access to domain controllers. And so the growing awareness is there, and that's why we're bullish about the opportunity. We continue to make sure we handle the ever-changing IT landscape from our customers' perspective, the adoption of cloud and SaaS and all of these and just be a perfect fit, no matter where they are on their journey to the cloud.
------------------------------
Unidentified Analyst, [23]
------------------------------
Absolutely. Another strategic finance question for you, Udi, maybe without getting kind of specific into numbers, but as you look at 2019, where do you want to invest more in over the next year or so?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [24]
------------------------------
Josh, where are you? I need you. Okay. I would say, it very much connects to the previous question, [Mike]. The more -- as long as we see this kind of opportunity, we want to step on the gas in a CyberArk way, and we've been profitable since -- before we went public. So it's always important for us to invest in a prudent way, but we want to -- but we see this as a growth opportunity. And so definitely access to and reach to the customer base that's out there, going after the greenfield with investment in sales and marketing, going after our add-on business opportunity with customers, investing in the customer success teams that go around and enable and take the customers on the journey. But then I think to remain and to protect this leadership position and to protect our customers, we invest in innovation. So R&D will continue to be an investment point. So I would say, sales and marketing, R&D and innovation.
------------------------------
Unidentified Analyst, [25]
------------------------------
Absolutely. Last few minutes that we've got here left. Udi, I imagine you pound the pavement with customers day in and day out and so I want to take advantage of this for our clients here. Beyond privileged account security, when you topped the CISOs? What areas of security do they want to invest more in, in 2019 versus perhaps investing less in?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [26]
------------------------------
So I would say that the general theme I'm hearing is the credible vendors are the ones that come in and don't say, you don't need anything else, pick me and you'll be secured. And surprisingly, you still find vendors that say that. And the modern and sophisticated CISO just understands that it's a team sport. And sometimes, it's different areas. There's no way you can be innovative and being a firewall company and on the other hand be innovative in identity management or understand the crux of humans and how they interact with systems, to just give 2 examples. So I think they look to not deal with thousands of vendors, but they want to work with best of breed in the different areas, and they really respect solutions that integrate with each other and that respect investments that they make. So they've already invested in (inaudible) for the security operations center, feed information into that, integrate with that, that works. They also look to -- because of -- because it's a complex space, they look more and more at advisers. So we're seeing the advisories make a big impact on security decisions for the chief security officer and for the CIO.
------------------------------
Unidentified Analyst, [27]
------------------------------
Interesting. Maybe last question, because we still have about 1.5 minute left, is just on sort of tuck-in acquisitions, right. We've seen CyberArk, frankly, do several tuck-in acquisitions in the past and has been very successful. As you look forward, without getting specific, how do you think about areas that you'd like to add -- add to from a product perspective with, frankly, growing cash balances?
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [28]
------------------------------
Yes. I think we've been very creative in the sense of -- there are assets that we picked up, and I can give some examples where the trajectory of that company would not -- you wouldn't have predicted there would have been a CyberArk, and we'd like to keep it this way. But to just give an example, Vaultive that we acquired in March of this year, stand-alone would have been a CASB company, a cloud access security broker. We picked them up and integrated them back into the privileged aspect to secure the administration of SaaS and cloud platforms. And so we -- from a technology standpoint, we really look at these win-wins that will enhance and either continue to cloud-proof CyberArk, but also enhance us to where the customers are going, like, DevOps -- are jumping to DevOps with acquisition. That was super strategic. We could have developed into it. We did a build versus buy and decided that, okay, we want a company that grew up in DevOps, for DevOps and go after it. So we'll continue to look at these sort of opportunities. We feel like we've built a good discipline of how to do it and integrate them. And again, there's always the build option in anything we do, but we'll continue to be very prudent.
------------------------------
Unidentified Analyst, [29]
------------------------------
Absolutely. With that, Udi, Erica, thank you so much for being with us today, really, and for taking the time.
------------------------------
Ehud Mokady, CyberArk Software Ltd. - Founder, Chairman of the Board & CEO [30]
------------------------------
Thank you.
------------------------------
Definitions
------------------------------
PRELIMINARY TRANSCRIPT: "Preliminary Transcript" indicates that the
Transcript has been published in near real-time by an experienced
professional transcriber. While the Preliminary Transcript is highly
accurate, it has not been edited to ensure the entire transcription
represents a verbatim report of the call.
EDITED TRANSCRIPT: "Edited Transcript" indicates that a team of professional
editors have listened to the event a second time to confirm that the
content of the call has been transcribed accurately and in full.
------------------------------
Disclaimer
------------------------------
Thomson Reuters reserves the right to make changes to documents, content, or other
information on this web site without obligation to notify any person of
such changes.
In the conference calls upon which Event Transcripts are based, companies
may make projections or other forward-looking statements regarding a variety
of items. Such forward-looking statements are based upon current
expectations and involve risks and uncertainties. Actual results may differ
materially from those stated in any forward-looking statement based on a
number of important factors and risks, which are more specifically
identified in the companies' most recent SEC filings. Although the companies
may indicate and believe that the assumptions underlying the forward-looking
statements are reasonable, any of the assumptions could prove inaccurate or
incorrect and, therefore, there can be no assurance that the results
contemplated in the forward-looking statements will be realized.
THE INFORMATION CONTAINED IN EVENT TRANSCRIPTS IS A TEXTUAL REPRESENTATION
OF THE APPLICABLE COMPANY'S CONFERENCE CALL AND WHILE EFFORTS ARE MADE TO
PROVIDE AN ACCURATE TRANSCRIPTION, THERE MAY BE MATERIAL ERRORS, OMISSIONS,
OR INACCURACIES IN THE REPORTING OF THE SUBSTANCE OF THE CONFERENCE CALLS.
IN NO WAY DOES THOMSON REUTERS OR THE APPLICABLE COMPANY ASSUME ANY RESPONSIBILITY FOR ANY INVESTMENT OR OTHER
DECISIONS MADE BASED UPON THE INFORMATION PROVIDED ON THIS WEB SITE OR IN
ANY EVENT TRANSCRIPT. USERS ARE ADVISED TO REVIEW THE APPLICABLE COMPANY'S
CONFERENCE CALL ITSELF AND THE APPLICABLE COMPANY'S SEC FILINGS BEFORE
MAKING ANY INVESTMENT OR OTHER DECISIONS.
------------------------------
Copyright 2018 Thomson Reuters. All Rights Reserved.
------------------------------