CyberArk and the New Paradigm for Privileged Access

A deep dive into CyberArk's Q3 2021 earnings and how the company is changing the paradigm for privileged access.

CyberArk is next up in my brief series of analyzing strategy for public cybersecurity companies during the Q3 2021 earnings period. They are another staple company among the current group of public cybersecurity companies — a model we can all learn from.

The company's revenue growth and stock price have risen steadily since their IPO in 2014. CyberArk is still led by its co-founder and CEO, Udi Mokady, who provided most of the insightful commentary on the earnings call. They have all the ingredients for continued success.

On to the updates. From Yahoo Finance:

CyberArk Announces Strong Third Quarter 2021 Results

Total Revenue of $121.6 Million

Subscription Bookings Mix Reaches 72%

Subscription Portion of Annual Recurring Revenue (ARR) of $139 Million with Growth Accelerating to 131%

Total ARR of $344 million with Growth Accelerating to 38%

CyberArk is performing well as a company, and their leadership is clearly excited about the results. Here's the excitement in words from Udi Mokady on the earnings call:

Q3 was another amazing quarter and we are thrilled with our results. If I could use only one word to characterize this quarter, it would be acceleration. Acceleration in the demand environment, and the underlying growth of the company, specifically bookings and in the metrics that demonstrate the health of the business.

They have good reasons to be excited. Financially, their Annual Recurring Revenue (ARR) growth and other key growth metrics are all around 40%. They added over 230 new customers in this quarter alone. Excellent results for a company that has been doing well for a long time.

Udi Mokady summarized the quarter like this:

Our business is accelerating on the back of record year-over-year bookings growth. SaaS is leading the way and reached a new record quarter this quarter. Privileged Cloud is pushing into the large enterprise and EPM has moved into the mainstream security discussion. Our subscription transition is making strong progress. Our industry-leading Identity Security platform across PAM, Access and DevSecOps has never been more relevant.

CyberArk's strategy is clearly working. Let's get into more detail on a few of the items Udi Mokady mentioned.

Changing the Privileged Access Paradigm

The biggest news of all was difficult for the untrained eye to see. CyberArk announced general availability of a new product called Secure Web Sessions. The product monitors activity and protects sessions for specific web applications.

The announcement may seem "ho-hum." The important part is bigger than the product: the paradigm for privileged access is changing.

The traditional paradigm of privileged access is rigid. It's focused on specific types of people with specific types of access — typically IT people with administrative access to infrastructure. A System Administrator (specific type of person) with sudo access to Linux servers (specific type of access) is a classic example of the traditional paradigm.

Products like Secure Web Sessions advance the paradigm of privileged access to a more flexible and context-based model. Any type of person could have privileged access some of the time — certain roles or privileges in business applications. For example, a bank branch employee who can access the company's core banking application, override approvals, and wire money from your bank account is privileged in that specific business context. The same employee checking their email or personal employee benefits is not privileged in these low risk, business-as-usual processes.

The new paradigm broadens the scope of people beyond IT. It also shifts the target of "privileged" from people to applications based on the meaning of risk in your organization. Udi Mokady explained the concept like this:

We see the proliferation of privilege that you have more and more cases where a business user is actually privileged and the organization is worried about having no control over the session.

The idea is a huge leap forward. The traditional paradigm of privileged access remains relevant in that many types of IT access are privileged and always will be. The new paradigm extends privileged access into the modern and dynamic era we live in today.

A better reflection of reality removes the fabricated barrier between business and IT and evaluates access on business risk and relevance. That's how privileged access should work. CyberArk is making it possible and practical for companies to implement.

The new paradigm has important business implications for CyberArk. Udi Mokady predicted the convergence of access management and PAM:

Secure Web Sessions merges the worlds of access and PAM. We are now the only vendor in the market that can empower customers with continuous authentication and session protection, including session recording for all types of web applications from business apps to cloud consoles.

If the worlds of access management and PAM truly do merge, CyberArk could become an important access management company. We'll talk about that next.

Identity as a Service (IDaaS) Market Entry

Unbeknownst to many, CyberArk officially entered the Identity as a Service (IDaaS) market (otherwise called cloud access management) with their acquisition of Idaptive in 2020. This category was previously an adjacent space to PAM that CyberArk left to companies like Okta, Ping Identity, and ForgeRock.

As I wrote earlier when analyzing Okta and Auth0's strategy, it's a big deal for public companies in adjacent markets within the wider Access Control ecosystem to start competing:

Okta entering the Identity Governance (IGA) and Privileged Access Management (PAM) markets is a big deal. These markets are traditionally owned by two of Okta's contemporary peers — IGA by SailPoint, and PAM by CyberArk. Along with Ping Identity, these identity-focused companies essentially grew up together and IPO'ed at roughly similar times.

A quick aside: CyberArk's acquisition of Idaptive for $70 million is a dramatically different approach than Okta's splash acquisition of Auth0 for $6.5 billion. The comparison is apples and oranges, but CyberArk's strategy is interesting to look at. They bought a relatively stable product (Idaptive was a spinoff from Centrify) at a nominal price. Putting the CyberArk brand behind the product immediately amplifies its value because of the trust CyberArk has gained in the market. They knew exactly what they were doing and what the upside would be without paying billions (or even hundreds of millions) to execute their strategy.

CyberArk's strategy for entering the cloud access management market is intentional and focused. While Okta, ForgeRock, Ping Identity, and others are off chasing Customer Identity (CIAM), CyberArk is squarely focused on workforce access management.

There are two different approaches to the product that are in play here, and both are viable. Okta, ForgeRock, Ping Identity, and others in the existing cloud access management market approach their products as an authentication platform capable of delivering both workforce and customer use cases. CyberArk's approach banks on the convergence of traditional privileged access and user access management exclusively for workforce use cases.

Udi Mokady gave this commentary on the topic during the Q3 earnings call:

I think we benefit from the two worlds right now where for a customer looking to put in that critical layer of Privileged Access Management. CyberArk is the market leader, go to us. We have the go to market, the reach and the opportunity to really capture that demand is strong and the strongest I can recall for Privileged Access Management.

Access is a new motion for us and -- but it's a huge growing market because of the need to enable digital transformation. And we can write it -- and the way we're doing it is very much centered on our customer base that trust us on PAM. So I would say they're both in strong demand.

PAM is definitely the one that resonates the most with the CISO is a layer that they must have and need to present to the Board. And I would say, even a basic pillar of their cybersecurity strategy. So PAM is more of cybersecurity driven. Our PAM customers trust us with the expansion to the rest of the portfolio, and Access gets the driver of digital transformation and enablement, which is also here to stay.

CyberArk's focus is an important thesis that could be the difference in who eventually wins the market. They could gain significant traction if companies care more about managing privileged access within their workforce instead of using the same access management platform across both workforce and customer identity. Or, they could win because enterprises trust them for Privileged Access Management, and workforce access management is a logical extension of their hard-earned trust. It's fair to say CyberArk is currently an underdog, but they have a chance. Persistence might eventually pay off.

The early results are positive. In the most recent Forrester Wave report for Identity As A Service (IDaaS) For Enterprise, CyberArk is already ranked in the Leaders category — notably ahead of both Microsoft and Ping Identity:

At worst, CyberArk should become the third or fourth best product in the access management market. It's a large market that is adjacent to CyberArk's core business in the Privileged Access Management (PAM) market. Earning a few million dollars of "extra" ARR from an adjacent market is still a good outcome — especially since the upside of winning the entire market is clearly higher.

SaaS Transition

Like SailPoint, CyberArk is also in the middle of a product transition from on-premise to SaaS. When writing about SailPoint, I said this about the transition process:

Companies like SailPoint, who built and grew with exclusively on-premise software, often stumble when crossing the chasm from their legacy on-premise products to SaaS solutions. It appears that SailPoint is going to be an exception — one of the few companies to successfully navigate the transition and remain a market leader on the other side.

The same thought certainly applies to CyberArk as well. In fact, the degree of difficulty for CyberArk's product transition is even harder.

Privileged Access Management (PAM) is going to be one of the last cybersecurity services companies move to the cloud. Many security leaders (enterprises in particular) are reluctant to move their most sensitive credentials out of their own data centers. Privileged accounts and their credentials are the holy grail for attackers. If the vault the credentials are stored in is compromised, it's game over.

CyberArk is starting to mount some important wins for their SaaS platform. Udi Mokady highlighted a big one from Q3:

In the third quarter, a Fortune 30 company signed our largest annual contract for Privilege Cloud ever, a great win that demonstrates the increased adoption we are seeing in our enterprise customer base.

It's hard to overstate how significant it is for a Fortune 30 company to be using a cloud-based PAM platform. The process will be much slower for other companies — and some will never migrate until they're forced — but wins like this make a statement that CyberArk's SaaS platform is viable.

In yet another parallel to SailPoint's SaaS transition strategy, CyberArk is also giving its customers the space and time they need to make the transition. From Udi Mokady:

move to SaaS is more gradual among the enterprise while we find ourselves pleasantly surprised like some of the examples I gave in the Fortune 30 customer that more and more enterprises are also migrating taking on Privilege Cloud. We'll see that as a pathway over the year -- in the coming years. And one of the strengths of CyberArk is really giving customers optionality on how to consume the identity security portfolio.

This approach is unsurprising and completely the right strategy. In CyberArk's case, transitioning to SaaS is an even more sensitive topic given the nature of their business and their flagship PAM product.

Subscription Model Transition

Like its longtime peer SailPoint, CyberArk is also undergoing a transition from perpetual licenses to a subscription model. This is an industry-wide trend for companies who started with primarily on-premises products. It's a necessary step on the journey towards SaaS, among other reasons.

Udi Mokady summarized the progress they've made with transitioning to a subscription model:

Customers are embracing the subscription model as evidenced by 72% of new license bookings coming from SaaS and subscription in the third quarter, ahead of our guidance framework.

A 72% subscription mix this quarter is good on the surface. However, the figure is slightly opaque on its own. As shown in the chart below, 44% of total subscription revenue ($54 million) came from recurring maintenance from perpetual contracts:

The strategic implication with this additional level of detail is that CyberArk still has a way to go before it reaches a true subscription model driven by SaaS. Recurring maintenance from perpetual contracts is a hangover from the exact licensing model they're trying to escape. Subscriptions for on-premises implementations are a midway point. SaaS is the gold standard for a true subscriptions company. Both of those combined are only 29% of total subscription revenue for CyberArk.

Pure SaaS revenue of $19 million is fairly encouraging for a company like CyberArk. As I discussed earlier, transitioning to SaaS is going to be an uphill climb. To generate even the revenue they currently have from SaaS should be considered a big win.

Semantics aside, CyberArk is planning to be done with their version of the subscription transition earlier than expected. From Udi Mokady:

As we expected when we began the subscription journey, customers are getting faster type of value and prioritizing our platform, which will result in higher lifetime value over time. We are thrilled with the progress of our subscription transition. And with our success year-to-date, we are confident we will exit the transition by the third quarter of 2022.

CyberArk's CFO provided additional details about the growing trend of subscription-based licenses for new customers this quarter:

We signed more than 230 new customers with 85% of them opting for subscription compared to about 59% in the third quarter of last year.

Reaching this point in the transition to subscriptions is a good financial accomplishment. Based on the current mix of subscriptions for new customers, the recurring maintenance for perpetual contracts will slowly fade away and absorb itself into regular subscriptions.

If the (admittedly nit-picky) classification of subscription revenue types is the biggest critique of CyberArk's results, they're doing an excellent job as a company. Future developments with CyberArk's move into cloud access management will be significant for the cybersecurity ecosystem and interesting to follow from a strategy perspective.
