Earnings: Identity and Access Management 2021 Annual Earnings Recap

A recap of annual earnings and strategy for public Identity and Access Management (IAM) companies.
Fiscal Year 2021 Identity and Access Management earnings.

Note: I'm taking the week of March 7th (this week) off from writing. There will be no weekly article published the week of March 14th (next week). I'll be back with a new article the week of March 21st.

Four of the five public Identity and Access Management (IAM) companies reported annual earnings between February 24th and March 3rd. IAM is one of the most important segments of the cybersecurity ecosystem. This week is a great time to do a comprehensive update on all of them while earnings information is fresh.

I've covered CyberArk, ForgeRock, Okta, and SailPoint in past articles. This article is a recap and update on all four, plus additional commentary on Ping Identity.

Just an up-front warning — this is a long article. Covering five companies together in a part of the ecosystem I understand well resulted in more thoughts than I expected. I decided to publish it anyway instead of breaking it into parts since I'm not writing an article next week.

The analysis of each company can be read individually. There is some big-picture overlap that you'd only get by reading the whole article. However, there is plenty of value in reading about the companies one at a time.

One other comment before we get started — why is IAM so important to the cybersecurity ecosystem (and why is it worth almost 7,000 words to analyze it)? This quote from Okta CEO Todd McKinnon said it best:

Because identity is so prevalent in all these [digital transformation] trends and to be successful to successfully get all this cloud technology to your employees, to re-imagine your customer experience and do all securely, you have to have an identity system...

The reality of it is that not everyone knows this yet. If you talk to 10 CIOs maybe three of them would say, hey, this is the future. Identity is the central platform. Identity is one of my primary clouds. It's going to unleash all this potential for me and to keep me more competitive. Only about probably three out of 10 know this...

And the good news is that more and more people every day are learning this and people that people that are making technology decisions and they realize that if you want to do Zero Trust, if you choice and technology, you need to do it with identity, and we have the leading identity platform.

On to the updates.

CyberArk logo

From CyberArk's earnings press release:

• Record fourth quarter revenue of $151.3 million; Record full year revenue of $502.9 million

• Subscription Bookings Mix of 71% in the fourth quarter; 66% for the full year 2021

• Subscription Portion of Annual Recurring Revenue (ARR) of $183 million with Growth Accelerating to 146%

• Total ARR of $393 million with Growth Accelerating to 44%

• Subscription Transition Goals Now Expected to be Met in Second Quarter of 2022

CyberArk has continued its reign as the leader of the Privileged Access Management (PAM) market and steady performer among public cybersecurity companies. 2021 was a solid year for CyberArk in multiple ways, including hitting $500 million in annual revenue for the first time.

The themes from the call were consistent with the ones we discussed back in Q3 2021 when I wrote about CyberArk and the New Paradigm for Privileged Access. They have a few major things going on:

  • Transitioning from a license-based to a subscription-based revenue model

  • Continuing to build and migrate customers from the on-premise PAM product to the Privilege Cloud SaaS solution

  • Diversifying product offerings with cloud single sign-on, endpoint privilege management, secrets management, and more

  • Investing in research and development of new product features for the core platform, including Secure Web Sessions and Dynamic Privileged Access

Financials

From a financial standpoint, CyberArk is a company that could fool you if you're looking at surface-level numbers but not deeper into their strategy. They're a solid, reliable company that's well respected throughout the cybersecurity industry.

One of the easiest places to get fooled is growth. CyberArk was squarely within Momentum Cyber's "low growth" category of public cybersecurity companies in 2021:

CyberArk public company trading analysis.
Source: Momentum Cyber – Cybersecurity Almanac (2022), pg. 63

As much as I've harped on lower growth companies being at risk for acquisition, that's not going to be the case for CyberArk any time soon. What appears to be low growth is partially driven by the company's transition from annual licenses to a subscription-based revenue model.

Josh Siegel, CyberArk's CFO, discussed how this transition obfuscates growth in their Q4 2021 earnings call:

Normalizing for the mix shift growth in the license portion of the business, our SaaS, self-hosted subscription and perpetual would have grown about 40% and demonstrates the underlying growth in the business. Taking the calculated revenue into consideration, total revenue growth would have accelerated to 28% year-on-year.

There are a lot of accounting and revenue recognition mechanics that we're not going to dive into here. However, it's fair to say you can take the lower quarterly revenue growth percentages with a grain of salt. This needed to be done and will leave them (and customers) in a better position going forward with a modern subscription model.

The good news from the Q4 2021 earnings call is that this transition will be over sooner than expected. From CEO Udi Mokady:

We now have more than 890 customers with over $100,000 in annual recurring revenue. Given our success in 2021, we are accelerating the transition exit and expect to reach about 85% of bookings from subscription in the second quarter of 2022 or in just six quarters, which is well ahead of our initial timeline outlined in February of 2021.

The timeline and mechanics are little less clear-cut than it sounds. Over half of CyberArk's total subscription revenue is from recurring maintenance fees on annual licenses. While maintenance is technically subscription revenue, it's not the kind they want — maintenance is a relic of an annual licensing model.

CyberArk's goal is to expedite the decline of maintenance revenue and increase the percentage of true subscription-based revenue. The trend across the past two years is generally what we would want to see:

CyberArk sequential increase in subscription ARR.
Source: CyberArk Investor Relations Presentation (February 2022), Page 27

I added trend lines to their investor presentation for illustration. Maintenance revenue is holding flat (dark blue boxes under the red trend line). This will eventually start to decline as the transition to subscriptions completes.

Subscription revenue is increasing every quarter (light blue boxes under the green trend line). At the current pace, recurring revenue from pure subscriptions will overtake maintenance revenue in Q1 2022.

There was more exciting news about revenue, though. During the Q4 2021 earnings call, Josh Siegel made a relatively bold prediction about CyberArk's revenue growth:

With our strong performance in 2021, we are on our way to meet $1 billion ARR target, which we now believe we can achieve already by June of 2025.

The prediction is bold for a couple reasons. First, it's relatively rare to see revenue targets given multiple years out (3.5 years into the future, in this case). Second, CyberArk's current Annual Recurring Revenue (ARR) is $393 million. To reach $1 billion ARR, CyberArk will need to grow its ARR by 2.5x over the next 3.5 years. That seems aggressive but possible.

If CyberArk is going to reach the $1 billion ARR milestone by June 2025, what is their plan to get there? Udi Mokady outlined a few priorities on the earnings call:

Our priorities heading into 2022 include: complete our subscription transition by the second quarter, invest in our global sales organization, including our partner ecosystem to drive growth, protect our ARR by investing in customer success, support and services, and invest in research and development to enhance our data security platform and drive innovation.

We've talked about the subscription transition already. Let's quickly cover the other three priorities.

Marketplace Partnerships

Investing in the global sales organization and partnerships partially means reinforcing what CyberArk is already doing. They have had strong partnerships with Systems Integrators (SI) and other consulting firms for many years. That channel is already in good shape.

The new part is coming from marketplace partnerships — a channel that hasn't historically been used for larger enterprise purchases. Udi Mokady highlighted an example of their AWS marketplace growth during the Q4 earnings call:

On the Cloud Marketplace side, our business with AWS continued to gain traction in the fourth quarter and our pipeline quadrupled. Marketplaces are a productive, efficient, highly scalable, complementary new route to market for CyberArk.

This will be an interesting trend to watch as it develops. Marketplaces are a new, bottom-up sales approach that companies like CyberArk typically haven't participated in or benefited from. The paradigm is starting to change as enterprises become more comfortable about buying software without dedicated sales reps.

It's also interesting because direct purchases from marketplaces could potentially squeeze CyberArk's SI partners out of the picture on some deals. SIs are an important sales channel for CyberArk, so a shift towards marketplaces will need to be managed with care.

Customer Success

Investing in customer success to protect ARR is a relatively straightforward objective. CyberArk's market leadership position in PAM is so dominant that their primary goal is "don't mess it up" (my take, not theirs).

One easy way to mess it up is by not supporting customers at the level they expect. Subscription revenue (ARR) is like an annuity — recurring returns over a long period of time. The way to grow ARR (to $1 billion and beyond, in CyberArk's case) is to both sell more subscriptions and keep the ones you've got. That's what CyberArk is doing here.

Product Innovation

The final objective is the most interesting one. Investing in research and development to drive product innovation is what creates upside. Customer success keeps the bottom from falling out and creates opportunities for selling additional products outside of CyberArk's core PAM product. The plan only works, though, if the additional products are good.

There are already signs of this strategy working. CyberArk's entry into the cloud access management market via acquisition has been more successful than I would have expected. Udi Mokady also highlighted the success of CyberArk's Endpoint Privilege Manager product:

In fact, EPM was a eight of our top 10 deals in the quarter.

The combination of additional standalone products with new features like Secure Web Sessions and Dynamic Privileged Access for the core PAM product gives CyberArk multiple opportunities for revenue expansion at existing customers.

Competition and Private Equity

Udi Mokady had an interesting observation about the impact of private equity in the PAM market. From the earnings call:

And in this space, we’re seeing that the PAM players have been continuously disrupted by PE and changing hands over the last couple years and really didn’t invest in R&D, while SaaS market continued to invest in R&D and innovation...

I talked a lot about how private equity can shape markets in Themes From Momentum Cyber's 2022 Cybersecurity Almanac. PAM is a great example. Here's the most recent Gartner Magic Quadrant for Privileged Access Management:

Gartner Magic Quadrant for Privileged Access Management

Within the Leaders quadrant, BeyondTrust, Centrify, and Thycotic (red dots, emphasis mine) have all been involved in recent private equity transactions. One Identity is already owned by Quest Software. That's a lot of activity among CyberArk's direct competitors. CyberArk still needs to invest in R&D, but it has a comfortable lead over its competition.

CyberArk is in a good position right now. In 2022, expect them to keep doing what they've always done: steadily plugging away at reliable growth and maintaining their happy customer base.

ForgeRock logo

From ForgeRock's earnings press release:

• ARR accelerated to a record 35% year-over-year growth

• Fiscal year 2021 revenue totaled $176.9 million and grew 39% year-over-year

I haven't revisited ForgeRock since writing in detail about their IPO in September 2021. Even though 2021 was a partial year of publicly announced earnings for them, two quarters later is a good time to check in on their progress.

The biggest news with ForgeRock is continued growth of ARR and their planned entry into the fraud protection market in 2022.

Financials

ForgeRock's total revenue growth was outstanding — a total of $176.9 million with 39% year-over-year growth. This puts them into the territory of "high growth" companies in Momentum Cyber's 2021 report:

ForgeRock Public Company Trading Analysis
Source: Momentum Cyber – Cybersecurity Almanac (2022), pg. 61

However, the story of their growth is in somewhat of an opposite position compared to CyberArk and SailPoint. That's not to say ForgeRock's growth is deceptively high — just that underlying ARR growth might limit overall revenue growth in the future.

ForgeRock's ARR growth for 2021 was a healthy 35%. That's good — until you do the comparison to CyberArk (44%) and SailPoint (48%). ForgeRock's 35% ARR growth was well above Ping Identity's 21%. However, ARR growth for CyberArk and SailPoint could be artificially high right now given both companies' emphasis on subscriptions. ForgeRock is a newer company that has fewer customers to transition away from licenses to subscriptions.

On the earnings call, expectations are were set for "north of 30%" in 2022. It might seem reductive to be talking about 30% ARR growth as a bad thing, but ForgeRock is inevitably compared to the other companies in the market that are growing at over 40%.

Fraud Protection Market Entry

ForgeRock announced plans to release a fraud protection product into general availability during the first half of 2022. Fran Rosch alluded to this move during interviews around the time of their IPO. Now, they're making good on that promise.

Fran Rosch gave a more detailed explanation on the Q4 2021 earnings call:

We are building on the success of our existing autonomous identity product, and we'll be introducing a new AI-driven fraud protection solution in the next several months. It provides a risk signals and scores for users in order to stop bad actors and fraud in real time at the identity perimeter.

Core features will help to identify account takeover attempts, credential stuffing, suspicious IPs, possible travelers, man in the middle attacks, phishing and bots, while at the same time improving the experience of legitimate users.

The core features described here are all logical extensions for an identity and access management platform. ForgeRock already had adaptive authentication features built into its access management product. It's not a stretch to start addressing these fraud-oriented use cases.

Bigger picture, this announcement is one example of a broader convergence between segments of the cybersecurity ecosystem and fraud. As customer interactions become more digital, technology is the entry point for more fraud attempts — especially in omnichannel businesses who operate in both the physical and digital worlds. This is an interesting trend to watch as we understand what the post-pandemic world might look like.

Okta logo

From Okta's earnings press release:

• Q4 revenue grew 63% year-over-year; subscription revenue grew 64% year-over-year

• Fiscal year 2022 revenue totaled $1.30 billion and grew 56% year-over-year; subscription revenue grew 57% year-over-year

• Remaining performance obligations (RPO) grew 50% year-over-year to $2.69 billion; current remaining performance obligations (cRPO) grew 60% year-over-year to $1.35 billion

Okta's fiscal year end is 1/31, so this was technically fiscal year was FY22 for them. I'm grouping them in with the 12/31 year end companies since the earnings period is effectively the 2021 calendar year.

The investor reaction to Okta's earnings release wasn't kind (we'll get into that more later), but it was still a good year for the company. CEO Todd McKinnon highlighted several accomplishments on the earnings call:

There are so many highlights to the year. For example, we surpassed the $1 billion revenue mark, we added over 5,000 customers. We now have nearly 30% of the global 2,000 as customers.

Reaching $1 billion in revenue is a phenomenal milestone. All four of the other companies in this article are at $500 million or less. Okta is one of the fastest growing public companies in all of cybersecurity — near the top of Momentum Cyber's "high growth" category:

Okta Public Company Trading Analysis
Source: Momentum Cyber – Cybersecurity Almanac (2022), pg. 61

Okta's continued revenue growth at twice the scale of other public companies in this market speaks volumes about the company — regardless of what investors and analysts think about near term results.

The controversy around Okta's FY22 financial results and FY23 outlook stole the spotlight, so we'll spend some time on that. Other than financials, the one of the most important topics for Okta in the upcoming year is the general availability (GA) launches of their Identity Governance and Privileged Access Management (PAM) products. There's a lot to unpack with both, so we'll focus on those two areas for this update on Okta.

Financials

The story of Okta's FY22 financial results revolves around high growth and increasing losses. For better or worse, the increasing operating losses drew the ire of investors and analysts. Okta's stock was summarily punished, falling around 9% shortly after the earnings announcement.

The topic of increased operating losses was widely discussed on the earnings call. The response from Okta's leadership team was clear and unapologetic — they're going to continue investing capital in growth. From co-founder Frederic Kerrest:

First and foremost, we've always had a bias towards growth. But we always look at efficiency and always managed on a rule of 40. And so the guidance you've seen today and the commentary earlier in the call, still reflects that we are definitely managing at a rule of 40, and we believe that's the right thing to do to go capture the opportunity...because it is a massive one in front of us. So, we feel that the time is right to go and grab as much market share as possible.

The all-important "Rule of 40" came up several times as a guideline that Okta will invest within. Practically speaking, increased operating expenses means Okta will have higher expenses in both sales and marketing and research and development.

Similar to the money-making machine described by Cloudflare CEO Matthew Prince, Okta's machine is working quite well. Investing in growth to the point of operating losses is a risk, of course, but they're seeing tangible revenue growth on the other end.

Year-over-year revenue growth of 56% (to $1.3 billion) and subscription revenue growth of 57% (to $1.25 billion) is the money-making machine at work. Okta's numbers can get somewhat distorted because of Auth0's meaningful contribution, but anyone questioning the growth of Okta's core product was silenced: total revenue for Okta standalone (e.g. excluding Auth0) grew 39%.

Their growth numbers are great, and their operating losses are intentional and within reason. I understand the investor and analyst concern, especially for people who don't already own the stock. However, the long-term takeaway here is still that Okta is one of the best public cybersecurity companies there is.

Moving beyond the near-term drama, the exciting part was Okta's long-term financial outlook. Like CyberArk, Okta had a bold prediction of its own about long-term revenue goals. From Okta's new CFO, Brett Tighe:

Our long-term financial goals anchor on at least $4 billion of revenue in FY '26 with organic growth of at least 35% each year and 20% free cash flow margin in FY '26.

This kind of sustained growth would be impressive, if achieved. It also looks past inorganic growth and the potential for Okta to acquire companies to help them reach these milestones faster. We may not see another Auth0-level acquisition, but all reasonable options seem to be on the table for Okta's leadership team to reach their growth goals.

Identity Governance and Privileged Access Management Market Entry

Okta's entry into the Identity Governance (IGA) and Privileged Access Management (PAM) markets has had a relatively high level of anticipation from people in the industry. Collectively, it's a big move because Okta, SailPoint, and CyberArk essentially didn't compete with each other for most of their existence. The times they are a-changin'.

People generally have a high opinion and high expectations for Okta's products. This well-deserved goodwill is another reason why expectations are so high. Born-in-the-cloud IGA and PAM products are appealing to a lot of companies. Put me in the camp of people who think Okta is spot on with their strategy to enter these markets.

And then, there are investors who want returns. Additional revenue streams from IGA and PAM are viewed as potential market leaders in large markets. Success in one or both of these markets is justification for Okta's high valuation by the investment community.

Fair or not, some people felt the most recent earnings call rained on their parade. Okta Identity Governance is ahead of schedule but won't be available globally until the end of 2022. Okta Privileged Access Management is slightly behind schedule. Neither product is projected to contribute to Okta's revenue in FY23 (calendar year 2022).

Part of the timing considerations for both products is that Okta already has features in both spaces in their existing platform. Workflows and lifecycle management already exist within the IGA space. Server access administration already exists within the PAM space. Based on Todd McKinnon's comments, it seems like the delineation between existing features and the new IGA and PAM products requires careful consideration.

I don't view this as bad news, per se. It's more about managing expectations. No company — not even Okta — can launch a new IGA or PAM product into the ether and overtake SailPoint and CyberArk overnight. Both are strong, well-managed companies with good products.

The SaaS portion of both markets is definitely still up for grabs. That's part of the reason why Okta is investing the time and money to build IGA and PAM products — just like CyberArk and SailPoint are doing. However, Okta's market entry and overall success (or lack thereof) is going to be a multi-year process.

Todd McKinnon seems to feel the same way:

I think about this long term. It provides a broader set of capabilities. As we build out on the workforce side, the entire suite, the PAM, IGA in broader workforce capabilities, access management and the other management, it's just going to become really overwhelming the value and it's going to lead to more, I think, big new lands as well.

While the news on Okta's new products may have been disappointing for some, it's important to remember how big of an undertaking this is. Success is going to require some time and patience.

Ping Identity logo

From Yahoo! Finance:

Ping Identity (PING) came out with a quarterly loss of $0.13 per share versus the Zacks Consensus Estimate of $0.02. This compares to earnings of $0.09 per share a year ago. These figures are adjusted for non-recurring items.

This quarterly report represents an earnings surprise of -750%. A quarter ago, it was expected that this software company would post earnings of $0.04 per share when it actually produced earnings of $0.07, delivering a surprise of 75%.

Ping Identity is another company I have been looking forward to covering. As with other companies I'm writing about for the first time, annual earnings announcements are a good place to jump in.

I would characterize 2021 as a mixed bag for Ping Identity. There is some good news and signs of progress with growth and product. The bad news is their increasing losses and fierce competition.

Financials

Losses increased to $64.4 million, up significantly from $11.8 million in 2020 and $1.5 million in 2019. Losses from 2021 are 22% as a percentage of revenue. Annual Recurring Revenue (ARR) grew by 21% in 2021. Combined, this ratio is essentially at the boundary of the cherished "Rule of 40" for SaaS companies that we discussed last week.

Ping Identity's revenue growth puts the company within within Momentum Cyber's "low growth" category of public cybersecurity companies in 2021:

Ping Identity Public Company Trading Analysis
Source: Momentum Cyber – Cybersecurity Almanac (2022), pg. 63

As was the case with both CyberArk and SailPoint, traditional revenue growth is misleading because Ping Identity is also transitioning from a license-based revenue model to a subscription model. However, unlike CyberArk and SailPoint, there is more cause for concern.

The walls are starting to close in on Ping Identity as fast-growing startups gain traction. As a company, Ping Identity's valuation is currently hovering around $1.75 billion. Transmit Security, a startup in cybersecurity's IPO pipeline, was valued at $2.2 billion as of its last funding round. Stytch, a newer API-first passwordless authentication startup, was recently valued at over $1 billion after raising their Series B. The list of strong competitors goes on: ForgeRock, FusionAuth, HYPR, and more.

Okta's $6.5 billion acquisition of Auth0 is also telling. Okta theoretically could have acquired Ping Identity for less at Ping's current valuation (Note: This is purely a thought exercise. I am not aware of any speculative or actual acquisition talks.).

There are plenty of reasons why that would have made sense — gaining traction at large enterprises, eliminating a competitor, entry into large Fortune 100 accounts, etc. But Okta didn't do it, opting to pay a premium for Auth0 instead.

Why? The zeitgeist of developer-first, bottom-up adoption products is real in the identity and access management market. Companies like Auth0 and the aforementioned high growth startups all have nice, shiny, new products. Additionally, Okta is already good at the smaller enterprise accounts that Ping Identity is now entering.

The reasons why a (theoretical) acquisition didn't make sense are many of the same challenges that Ping Identity is working through as a company: Transitioning to cloud. Winning customer identity. Developing partnership channels. Selling down market to smaller enterprises. Investing in growth and product innovation.

Ping's response to all of these challenges feels...late. They're definitely not too late to address them. However, many of the challenges have been brewing for years. They have the potential to hurt Ping in the long run if they're not addressed quickly and effectively.

SaaS Transition

Like every other company in this article, save Okta (which was a cloud-first product), Ping Identity is in the middle of a product transition from their on-premise product to their cloud-based PingOne product (and hybrid cloud options). PingOne has been around for years — the transition just didn't have as much urgency since Ping's on-premise product was so successful.

Ping Identity's cloud transition is going to receive somewhat of an unfriendly welcome from existing competitors. Okta (with Auth0) is a much larger company that was born in the cloud. ForgeRock has already placed an enormous amount of effort in a cloud authentication product for the past year. CyberArk's cloud authentication product is doing well so far. In some ways, the cloud authentication market feels like it's already been won.

Customer Identity

A primary area for growth highlighted on Ping Identity's Q4 2021 earnings call was customer identity (CIAM). I discussed the difference in scale of revenue when Okta disclosed its CIAM revenue numbers immediately after acquiring Auth0:

By comparison, the total annual recurring revenue for Ping Identity and ForgeRock are $279.6 million and $155 million, respectively. Revenue for both companies includes a mix of workforce and customer identity. Okta's CIAM revenue alone is at least $50m larger than its close competitors. Okta is leading the CIAM market, but the competition in this emerging market is far from over.

Even though the numbers are out of date by a couple quarters, the observation is still accurate. Ping Identity's annual revenue for 2021 was just under $300 million — and CIAM revenue is roughly half of that. CIAM is still an emerging market. There's room for Ping Identity to grow. It looks unlikely that they will ever catch up and lead the CIAM market, though.

Partner Ecosystem

One of the focus areas highlighted by Ping Identity's leadership team was investment in developing their partner ecosystem. For enterprise-focused companies, partner ecosystems can play a huge role in their success.

When covering ForgeRock's IPO, I discussed the implications of their over-reliance on partnerships to drive sales:

An upward trend in leads originating from channel partners isn't necessarily a good thing. Yes, it drives pipeline and revenue growth. However, it also creates reliance and reduces the company's ability to drive revenue growth on its own.

Ping Identity is almost exactly the opposite case. They have built their business over the past 20 years by driving sales themselves. CEO Andre Durand acknowledged as much during the earnings call:

If you go back prior to two years ago, Ping had played half court on the channel speaking to it, but never committing to it for years.

They've done an incredible job at sales for only "playing half court" — especially with winning large enterprise accounts. From their 10-K filing:

Our customer base is comprised of over half of the Fortune 100. As of December 31, 2021, our customer base included the 9 largest U.S. banks (measured by assets), 7 of the 10 largest healthcare companies (measured by revenue), 5 of the 8 largest North American retailers (measured by revenue), 4 of the 6 largest global aerospace companies (measured by revenue) and the 4 largest European auto manufacturers (measured by revenue).

Their strategy is clearly shifting, though. Again, from Andre Durand:

And as the size and commitment and duration by large enterprises grew, there was a moment in time to which it became very clear that Ping’s ability to penetrate at the time Global 3000, much less Global 5000, that there was no way that we were going to do that alone...

Ping Identity's partner channel commitment is now clear. It will be interesting to watch and see what kind of impact this has on both their growth and the professional services market in general.

Global 5000 Accounts

There was discussion on the earnings call about Ping Identity starting to expand sales focus downstream from large Fortune 500 companies to what they called the Global 5000. These companies are still enterprises, just with revenue in the $500 million range.

Okta has had a lot of success with customers of this size. Increased focus on smaller enterprises turns up the heat even more on their competitive position with Okta.

Ping has a clear strategy for differentiation from Okta and Auth0. From Andre Durand:

So we do focus on the different segment of the market...the large enterprises with centralized board level mandates to essentially clean up and consolidate siloed identity systems across business units to create a better user experience.

Those tend to be top down led initiatives, not bottom up led initiatives. It's not meant to say that developers aren't extremely important in the decision making process, but the needs of the large enterprises to consolidate identity plays directly into our wheelhouse.

This is an interesting observation about patterns of adoption. It makes sense why Ping would focus on top down initiatives given their history of success with large enterprises.

For as much as I've beaten the drum about bottom up adoption, there are absolutely still a lot of companies who need to do exactly what Andre Durand is describing. I expect companies with top down initiatives will eventually dwindle, but it's a need Ping can capitalize on for a while.

Product Innovation

Finally, there was a lot of excitement among Ping Identity's executive team about their acquisition of Singular Key and subsequent launch/rebrand to PingOne DaVinci. From Andre Durand:

Recall in Q3, we acquired Singular Key to allow for no code integration of identity through more than 100 individual identity connectors. At our sales kickoff, I was pleased to announce the introduction and general availability of PingOne DaVinci as the embodiment of our new orchestration capability.

DaVinci provides the blank canvas from which architects and developers can now create identity solutions with simple drag and drop ease. Little to no coding required.

As a vendor agnostic tool, DaVinci allows organizations to integrate and orchestrate identity services from a wide range of vendors, not simply Ping.

Building orchestration and workflow products is a common theme among companies in this market — ForgeRock has Intelligent Access, and both Okta and SailPoint have products called Workflows.

Listening to the reaction of Andre Durand, you get the sense Ping is extra excited about this acquisition:

When we've spoken about DaVinci becoming foundational to our platform, we really mean it...

So it's extremely strong as an integration tool, not just for Ping but for customers leveraging Ping trying to integrate other legacy, or cloud technologies into an overall experience for their end users. The speed with which you can do that DaVinci is really pretty unbelievable.

I don't think that we've seen for the sales engineers here at Ping, I don't think I've seen them more excited about any one technology in the history of the company in the last 20 years.

Workflow products and features are going to be one of the major areas of innovation in this space over the next few years. It will be interesting to watch how the competition plays out now that all of the major IAM companies are in the game.

SailPoint logo

From SailPoint's earnings press release:

• Total ARR of $370.4 million, up 48% year-over-year

• Fourth quarter and full year 2021 total revenue of $135.6 million and $439.0 million, up 31% and 20% year-over-year, respectively

• Fourth quarter and full year 2021 subscription revenue of $78.8 million and $273.2 million, up 41% and 39% year-over-year, respectively

Much like its PAM peer CyberArk, SailPoint is in control of the Identity Governance and Administration (IGA) market. They are one of the most steady and reliable public cybersecurity companies. SailPoint is a long-term company playing a long-term game. This strategy absolutely shows in every part of their operation.

The two main themes are similar to when I covered SailPoint in Q3:

  • Transitioning from a license-based to a subscription-based revenue model

  • Continuing to build and migrate customers from the on-premise IdentityIQ product to the IdentityNow SaaS solution

We'll also talk a bit about long-term product strategy and pricing because there were some interesting insights from the Q4 2021 earnings call.

Financials

Like CyberArk, SailPoint is a company that could fool you based on pure revenue growth if you're not looking carefully. 2021 was an excellent year all around with $439 million in revenue, 20% revenue growth, and 48% ARR growth. These results are stellar. They're exactly what we want to see for a company transitioning to subscription revenue.

SailPoint was squarely within Momentum Cyber's "low growth" category of public cybersecurity companies in 2021:

SailPoint Public Company Trading Analysis
Source: Momentum Cyber – Cybersecurity Almanac (2022), pg. 63

They're in exactly the same place as CyberArk — traditional revenue growth is being sandbagged a bit by the transition from annual licenses to a subscription-based revenue model. The risk of SailPoint being acquired or underperforming on growth is very, very low.

Continuing the inevitable comparisons to CyberArk, SailPoint's ARR mix is almost exactly what a transition to subscriptions should look like. Here's the ARR mix chart from SailPoint's Q4 2021 Supplemental Materials presentation:

SailPoint Total ARR Detail slide

Again, I added trend lines to their investor presentation for illustration. Maintenance revenue is holding flat (dark blue boxes under the red trend line). This will eventually start to decline as the transition to subscriptions completes.

Subscription revenue is increasing every quarter (light blue boxes under the green trend line). In Q4 2021, recurring revenue from pure subscriptions overtook maintenance revenue. That gap will continue to widen going forward.

There were no bold predictions made about long-term revenue growth. However, SailPoint is on almost exactly the same trajectory as CyberArk's journey to $1 billion in ARR sometime in 2025.

Long-term Product Strategy

As I said earlier, SailPoint is a long-term company playing long-term games. One practical implication of this strategy is keeping customers happy enough to continue upgrading and investing in SailPoint's product instead of abandoning it for the next best competitor.

SailPoint has been the beneficiary of customers abandoning legacy IGA solutions. Mark McClain described this phenomenon on the earnings call:

I think in many ways, we’re seeing, as I said earlier, about the legacy displacement, kind of a steady progression. I’ve said for a number of quarters, we would love to point you to a short-term inflection there, but we just continue to see a steady progression.

In the Identity and Access Management market, keeping customers on your product is a lot harder to execute than it seems. It's almost impossibly difficult — very few companies have ever pulled it off. The historical paradigm has been customers adopting a product, becoming sour due to implementation and product difficulties, moving on to the next best product, and repeating the cycle all over again.

SailPoint's interim CFO, Cam McMartin, perfectly described their strategy for avoiding this fate on the earnings call:

We like that expansion motion with our installed base because it basically signals..that the customers are happy with IdentityIQ and are investing in it as they continue to grow their identity security programs.

...we recognize retaining those customers and keeping them actively using our solutions and growing their platforms speaks on a long-term basis to what we think will be the opportunity at some point in the future to migrate them to SaaS because they’re clearly comfortable with, confident in SailPoint as their identity security solution provider.

This is basically the key to SailPoint's continued success. Very few products in this industry segment have maintained their leadership position through major technology and platform shifts. If SailPoint is able to do it for the shift from on-premise to SaaS, it will be an incredible accomplishment.

One of the ingredients that is enabling SailPoint to maintain long-term leadership in this market is focus. Mark McClain described this focus on the earnings call when responding to a question about market demands for consolidation of products:

...the more you go down market, our contention has been that that’s where there’s more pressure for that integrated single vendor solution, where, frankly, the subcomponents may or may not be as deep and rich as the mid to large enterprise would require, and they’ll make that trade-off for a single vendor solution with maybe a little less depth and breadth of the solution.

...we aren’t feeling significant pressure there to move off of our strategy of increasing the breadth of our solution and the core issues again, we’ve highlighted this.

...at our scope and scale, they want us to integrate with their preferred vendors for those other solutions, but they aren’t necessarily pressuring us in our core markets to be consolidated to a single vendor solution.

SailPoint is surprisingly comfortable with staying in their lane. Instead of chasing after bright and shiny objects in adjacent markets (like PAM and SSO), they just keep plugging away at building their core platform. Things are going to get interesting as Okta's new IGA product starts encroaching into SailPoint's territory in 2022 and beyond.

Pricing

Finally, a quick note on pricing because it's a quick and interesting case study about market leadership. When a company is a clear market leader — like SailPoint is for IGA — they can price their products at a premium and maintain their position against competitors.

So, exactly like what Mark McClain describes here:

People recognize our strength in the market, we tend to command a premium price. We do get a lot of price pressure in the market. Honestly, we’ve talked about that before, but we’re I think able to hold that price point pretty well because of the perceived superiority of the solution.

That's good for investors and "bad" for customers hoping to negotiate. I say "bad" loosely because product selection needs to consider more factors than price alone. You get what you pay for. SailPoint is the best product in this part of the market right now.


Thanks for reading! How did you like this article?

LovedGreatGoodMehBad

Public Companies
You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Strategy of Security.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.