Date: 2017-09-12

CyberArk Software Ltd (NASDAQ:CYBR)

Okay, well, good morning. I am Karl Keirstead on the DB Software team. Josh Siegel of CyberArk. Thank you for coming. Josh tells me just last night off of a Tel Aviv to Vegas flight that is a long one. So, he begged you all to keep your questions super easy as he wakes up, but you've had a couple of coffees, you are good to go, Josh.

Josh Siegel

Absolutely, good to go. And thank you very much for having us here.

Karl Keirstead

Yes, my pleasure. I know one subject that’s on everybody's mind are always when there is a very preannounced public breach, it's always nice to hear from the security companies as to what the customer reaction was. And certainly this we've had WannaCry, we've had Petya. This Equifax breach seems like it could be a big deal now. So let me ask you a couple of questions about that. I know that when stuff like that happens, it's not like everybody goes out and buys a privileged access management solution because in the case of Equifax, I don’t think that was where the issue was. But do you find that even on an indirect level that it gets easier to engage clients? Or how does it affect your business at all when there are breaches like this, you probably have had at least a few customer conversations since, right?

Josh Siegel

Yes, absolutely, it’s a very volatile environment, the whole CyberArk environment, at the end of June and the last couple of weeks of June, we saw the WannaCry and the NotPetya ransomware attacks and there probably hasn’t been a quarter in the last several years where there hasn’t been one significant event that occurred. I think with the Equifax event again, it is and I think you put it nicely, I mean CyberArk is really around the proactive measure, it's around a risk-based solution for creating a new layer inside of your network, assuming that the bad guys are able to get into your network. And that there be a breach and we are actually a bit less concerned about how that breach actually occurred. But we do know that it occurs and once it occurs that eventually they are going to want to compromise the privileges and escalate privileges.

So from the standpoint of CyberArk, it's not going to necessarily generate POs overnight, but what we will generate is certainly awareness. It certainly contributes to our pipeline development, certainly it contributes to our inbound calls, and hits on our websites, and things like that. And I think overall as we have seen this develop over time, and not just in this quarter, I mean it really creates an ongoing basis of showing how various the attack how variant the attackers are and also the industries that they are attacking and it's not just banks, and now Equifax is kind of offshoot of the bank. And if you also had last week, you had -- I think those called the Dragonfly attackers for energy, for the energy sector. So it's really variant of a type of attackers and the organizations that they are attacking is also very various, which is really goes to strength of how the market is for across all verticals.

Karl Keirstead

And do you think the way that large enterprises react to high profile breaches like this will be different from the way they reacted back in 2013, '14. Back then, it felt like it truly did create rising tide for almost every security then though. I am not saying it was easy to sell deals back then, no deal is that easy, but it did feel a little bit like they were unlimited budget, but maybe the different in it you know far better than I maybe. Back then companies had underinvested and so there is almost an accelerated refresh. Now it feels like enterprises are a little bit more hardened to the breach risk, they have spent the last three or four years investing. So do you think the reaction would be vastly different now versus '14, probably a little more muted, right?

Josh Siegel

Yes, well I think again it's -- the reaction is not so much. Okay, let's -- as you said a few years ago, let's put in orders immediately across the board and fire a lot of shots in order to cover ourselves across many areas. Now I think over the last few years, the CISOs are now more up to speed, first of all there are CISOs in margin and prices where, if you look back three, four or five years ago wasn't as common. Board attention to this issue now is across the board suddenly on medium and large enterprises at all the committee levels as well.

So I think what you are seeing now is that companies are a lot smarter, first of all they are being a lot more deliberate on what type of spending they are doing, and they already understand that they need to do things around trying to continue around the perimeter but then assume that there is a post-breach environment and what are the different things that need to happen in a post-breach environment. And this is not new to them, this is already things they've known for the last couple of years, and they are slowly now developing that type of the strategy and implementing -- acquiring those types of assets and implementing them over time regardless of whether or not there is a big breach in the perimeter.

Karl Keirstead

I think that's an important point you've made because certainly the way that the stock market reacted after Equifax pretty well all the security stock was up on that news, but maybe the message you were delivering is that around this particular events 2017 the reaction might be a little bit more targeted a little bit more focused as opposed to sort of everything including the network perimeter firewalls getting a lift from an event like this.

Josh Siegel

Sure and there is no question and now CISOs are really being very deliberate about why they want to spend money on because they first of all understand now a bigger step of the risks across the entire network and also as it plays into the cloud.

Karl Keirstead

On a different sort of macro question, the industry did whether it was -- because of these breaches are not go through a very flush period through let's say a mid-16 after which it felt like most of the security vendors were still outgrowing the rest of their tax, probably outgrowing their rest of software. But there was just a broad deceleration back to a more normal environment it felt like I think to me and a lot of investors. Some characterize that as a bit of a digesting phase after buying so much. Josh, where do you think we are in terms of big enterprises digesting everything they're required integrating it and how closely do you think we might be to sort of a new up cycle? How does it feel out there to you?

Josh Siegel

I think that overall there is still -- I'll answer it kind of in two ways. With the companies that have really started to digest and acquire -- their IT infrastructure is still also very much changing and now there is of course the whole migration to the cloud which is offering new vulnerabilities and new things that they need to address. So I still think that there is still very much a big opportunity within the existing customers have already taken a very strong approach on their cyber security strategy, but in the event of what's most relevant to CyberArk is the fact.

Again as we are internal layer around privileged accounts clearly we still see that the very much of the greenfield opportunity. And we have 3,300 customers, but we think that we're still a long way of hitting the mass for our products specifically and for our solution. So we're not necessarily looking at it as that's kind of the real change in the demand environment in fact we see -- we still see the demand environment kind of the same way we looked at it over the last few years.

Karl Keirstead

Got it. So, yes, let's assume a little bit more on your market rather than the macro, and that's as you said the privileged access management space. You mentioned you've got 3,000 plus customers, so realistically what -- where are we in the temp penetration, Josh, not so much based on customers, but sort of wallet share within large organization. How -- among your very largest customers are you fully deployed? Is there still a wallet share gain there?

Josh Siegel

Yes, so of our 3,300 customers on average, they have two products of our seven products. And on those two products, the vast majority of them are still not fully deployed on those products. So they may have started with their Windows environment by having moved down to their Unix environment or they have only gone in their most sensitive assets and over time are moving out to there to the next stage of assets. So I would say that first of all we are only on average a third deployed within our products mix, and if you look at the access point, I would say the vast majority of our enterprises are still under 50% deployed.

Karl Keirstead

I want to break up a point that Udi made, you see on the recent call where he talked about compliance based selling versus risk based selling. And I think what you meant by that is that for some organizations probably banks and other regulated industries, there are compliance regulatory reasons to need to use CyberArk, where those banks might have willingly acquired you or in some cases we would have been encouraged by our compliance department to use CyberArk. So what I'm curious about is where CyberArk can penetrate that type of sale? And is it the case that, that sale is I wouldn’t say maxed out, but is the penetration getting high. And now the sales approach needs to change a little bit where you need to pitch something different than fulfilling compliance obligations.

Josh Siegel

I think that’s exactly right. I mean if we look at the evolution of CyberArk and we kind of go back and date ourselves back to prior to 2010 or 2011, it would be probably 80% to 90% of our sales were compliance or regulatory based. And the other piece would be because there was an actual breach which nobody ever knew about because they didn’t really disclose back then or maybe an audit failure that happened. I think what happened as we saw certainly cyber threat become a much bigger story certainly in America since 2011 where there has been a lot more knows attackers, there is zero-day threat, advanced threat, nation state attacks.

And so forth, that’s really where the adage of -- the bad guys were in your network it almost 100% probability so that to happen. And that is where -- certainly in Americas which picked up on it much quicker is looking at, okay this isn’t about just compliance, this is first of all every organization whether it's got regulatory requirements or not. It has personally identifiable information. It has credit card information. It has IP, has a reason for attackers to attack them, and therefore we need to hide into inside of the network.

I think in EMEAs we see that bit slower, and if I had to quantify it, I would say today more than half of the deals and half of the business that we do in Americas is what we call risk-based approach where they are really looking at it as trying to solve proactively, hardening the inside of their network to ensure that if they are breached, they cannot get to the jewels within the network and do -- and own the network and do the damage, where I would still say it's not yet above the 50% level in the EMEAs.

Karl Keirstead

And Josh, does that require different sales effort on the part of CyberArk?

Josh Siegel

Yes.

Karl Keirstead

Is it simply the same sales process but a different use case? Or do your reps and channel partners need to pitch it differently? And does that require CyberArk to alter its sales model a little bit?

Josh Siegel

Yes, I think actually we did see that what we have developed over the last two years is really kind of sales perspective of think like an attacker to the enterprise. The enterprise needs to now go through a process where they're thinking like what an attacker will do, if they are inside your network. And that kind of think like an attacker approach is really going to give the CISO that risk based strategy of what to do because they say okay, well, how are they going to get inside the network.

And they determine those assumptions and once inside the network, what are they going to do in order to get to their goal? And once they isolate and they think like the attacker which we believe in most of the case is going to be around escalating our privileges and credentials and credential theft in order to be able to get to that credential that knows how to get to the information, they're getting to then it becomes a much more -- okay, what we need -- we need now a solution that deals with blocking that credential theft elevation.

Karl Keirstead

And Josh among the customers that are still buying due largely to some kind of compliance need. Are there any regulatory or compliance changes that are sort of being discussed that might come between now and year-end or next year that could actually accelerate that compliance driven sale process?

Josh Siegel

Well, they are talking on the news about Equifax whether or not they should be under certain regulation, but certainly GDPR…

Karl Keirstead

Yes, talk about that. How does that impact your business?

Josh Siegel

Certainly, GDPR in Europe is something that again is -- we don’t see it as something that is necessarily generating immediate demand, but it certainly had CyberArk. It's not prescriptive to privileged account security, but in one of its articles it requires that you secure the data. And the highway of the data is the database administrator or the administrative credentials that get to the database. So if those are locked down and secured and you can show that, that's clearly a major step towards having a case for complying with GDPR.

I think the second theory around GDPR, I think its article 35 is really around, what you do about and disclosing the breach afterwards? And when you are monitoring, when you are securing those administrators and you are locking down? And you are monitoring, what they are doing and you are doing analytics about what they are doing all the time then clearly the after -- if there is an event, you clearly know certainly what didn’t happen because you know where it will stay and then also helps you to determine where it may have or something bad if happened. So that type of monitoring and just good hygiene within the IT security -- within the security and IT network is going to be very useful for being able to -- I think it's within four days or 72 hours to be able to respond about what happened with that with the data.

Karl Keirstead

Okay, got it. Let's talk a little bit perhaps about the sales changes that CyberArk has made. I suspect it's been in ongoing, but I think you've made some changes and reaction maybe to your 2Q results that are talking about. So I think you promoted your Americas Sales Head to Chief Revenue Officer, there were some issues in Europe that you are addressing, maybe you could talk a little bit about what prompted that? And some specifics about what CyberArk is changing? And what the time line to that fixes?

Josh Siegel

Sure. So, one of the things that's been special about CyberArk really from the get go, even from when Udi founded the Company, is that we've really focused on very global sales campaign, but we are also focused very locally within the sales campaign. We had Americas run by Americas leadership. We have EMEA run by EMEA leadership. And Asia Pacific, Japan run by locally placed leadership there, all reporting up into the CEO office up to Udi Mokady. I think as company has progressed over time and is evolved in a scale to company that certainly has really worked well for us. CyberArk to the Company that sells roughly 40% of its business outside of Americas and has even when it was much smaller, even a half or a quarter of its size, which has really played well for CyberArk through many economic environments when EMEA was soften, when America was soften so forth.

But I think really, I would say that Q2 was not the trigger for pulling that, but it was certainly something that we have been evaluating over time that’s -- and then probably would have happened sometime over the next certainly 12 to 24 months just because of the scale of the Company. And I think it goes back to one of your questions earlier about, okay so, is it -- is the sales process evolving at CyberArk? Are we moving now from compliance to risk base? And in fact we are and in fact Americas is really leading that charge because what's going on and how Americas is ahead there, so that certainly now we want to ensure that that type of approach now is also going to be penetrated well in the rest of world as it also starts to catch up. So Ron Zoran, our VP of Americas and now our Chief Revenue Officer is doing with the Company from day one.

He circled the entire company through I think starting in R&D and almost in every department and has everything he has done, he's really excelled that and has developed and scaled with him. And one of his successes and strengths is really building very strong processes that are measurable along the way. And I think as we scale the Company and we move and evolve the Company forward, we think that those types of things that he has done in all these roles and certainly in the Americas role will be very beneficial as we continue to scale the rest of the world. And so essentially we now the Chief Revenue Officer and regions will be reporting up to him, but other than that the go-to-market is relatively the same. The Americas is still running very much a hybrid. EMEA will still be very much channel based as well as APJ region.

Karl Keirstead

So if there is any slowdown in Europe, how do you address it in the sense if it is channel based, the Cyber change your direct customer touch role at all? It is -- are you still planning to have a channel led? Or you are going to alter that mix of channel plus direct touch?

Josh Siegel

Well, it will still be very much channel led, but one of the things that we will do more of is again the kind of the pitch and the story for why and the education for why the enterprise and the channels by the way should -- why the enterprise should be purchasing and why the channel should be selling. And that really goes around to the think like the attacker approach, a risk based selling approach. And that doesn’t mean just at the channel level also means our C-level and our kind of executive. I mean the truth of the matter is that there is still a lot of even in Americas when it sells through channel, but certainly in EMEA, there is certainly -- there is a lot of end user touch already today by the account executive.

And they will continue to be sold but what will be more unified is the story and the sale process that’s going on there will be more unified with how we are doing it in America, also as it relates to customer success for what happens once the customer has deployed it first purchase. However, we are nurturing that customer and that is something that we think will get a lot of leverage from by unifying it more in a global way. Will it happen overnight? No, it takes time it's people that we are working with and channels which are essentially people. So -- but overall we know now and I think Ron will be able to really institute the processes for how we can continue to measure the success of how this is evolved.

Karl Keirstead

Okay, we talked a little bit about the geographic issues, but what about on the industry vertical side? Josh, I know from the time that we work with you going public that the banking sector, financial services was always a big one for CyberArk. So, how does the vertical mix look now couple of years after you've gone public? And I want to ask you specifically about the government space. How big is that? And the reason I'm asking you is, there have been the few public technology companies that have sort of warned folks in this audience about the potentially weak September quarter and the federal government is giving a lot of administrative uncertainty and change. And I'm just curious if you can give us an update on your federal government exposure?

Josh Siegel

Yes, so I think in terms of verticals, one of the things about CyberArk regardless of which geography we play in, we're very diverse across the verticals. We have eight verticals which are 5% or more of our pie. Financials has always been the leading vertical as you pointed out. I think it's still roughly the same 30%, it does fluctuate between the high 20s and 35% on a quarter-by-quarter basis but still it is by far our largest customer base. It's our largest installed base. We continue to in dollar amounts at least to have the largest number -- the largest dollars of business going on there in terms of up sell, but we were still gathering new very large financial institutions as we speak.

But I would say in terms of the other verticals, we're seeing more of verticals across manufacturing, Telco, professional services, tech companies coming into realizing that they need to have privileged account security. Specifically with the government, we see it as a 10% or more type vertical for CyberArk last we do see Q3 as the strongest quarter. But we will wait and see kind of if there is a -- I suddenly can't what even strive to begin to forecast what's going in the federal government specifically. But in terms of pipeline and demand and where we are to be able to meet that demand in the context of having the right certificates in place, approvals in place and across enough of that bodies in the government to have buy in now across the other bodies of the government. We feel very strong about where we are in the government.

Karl Keirstead

Okay, it's good to hear. On some of your newer products, Josh, you've obviously like a lot of security companies, they started with your core sort of vault products, but you've moved beyond that now. So you have this Endpoint Privilege Manager products, threat analytics, talk a little bit about some of the newer products that are getting particularly good traction that could if not already start accelerating your growth. Which one or two have the best attached the best growth prospects near-term?

Josh Siegel

So I think when we think about our growth engines, we really think about three of them. It's the end points. It’s the Endpoint Privilege Manager which is the acquisition we did through Viewfinity a couple of years -- already over a year ago. And what's interesting there is that it's not just unattached, we are now seeing many new customers coming in and what they are buying. And then we now hope to attach them to rest of our privileged account security.

Karl Keirstead

So, there is standalone.

Josh Siegel

There is standalone, now there are smaller deals because its Endpoint Privilege Manager is a smaller sale, and plus half those deals were happening on the set where they are actually buying it as a service. So then it's also even the smaller deal and typical perpetual deal that we do. So that’s kind of been very -- that’s been a growth engine and certainly growing faster than the business. I would say the other area is Privileged Threat Analytics which continues to be very frequently a third product when they are buying Enterprise Password Vault and Session Manager, the third product in many cases will be Privileged Threat Analytics. And I think one of the reasons there is that we have also spent a lot of time in the last 12 months really integrating that Privileged Threat Analytics to across the platform and across with our other products.

For example with our Privileged Session Manager now, it is a very valuable tool for that together with our Privileged Session Manager to really, very quickly know exactly what was happening when, where and why, and be able to not have people run through reams of recording from the Session Manager of determining what people are doing. But because we are constantly analyzing what they are doing, we are able to very quickly put them into buckets of different criteria. And also the Privileged Threat Analytics how it's integrated with Endpoint Privilege Manager as well for really analyzing what's going on there, and also as a response tool because if the analytics determines something it's able to then generate a powerful response of rotate password or block traffic or what obvious.

And I would say the third areas which we are obviously very excited about is the round our Application Identity Manager, but it would be addition of the DevOps security product that we bought from Conjur. And Application Identity Manager by itself, certainly last year it was I think our biggest our highest growth product after of those at that group. And now was related to securing credentials within applications. But it became a high growth product last year because it started to be able to answer some of the need of the migration to the cloud being able to when enterprises were spending lots of applications to the cloud using our application Identity Manager to help them do that in a very secure fashion.

Now with Conjur and with its product, we are now really able to run very cleanly for enterprises that are doing the whole development pipeline using cloud assets. And it’s a very elastic product that can -- is very much suited for a pure cloud play for application security. And while today it's still in its infant stages of selling, we do believe that over -- and it's not yet a contributor to the revenue model, but we do see it as a major growth engine next year and the year beyond.

Karl Keirstead

Josh, you talk a little bit some of these new products having a SaaS model rather than the traditional perpetual model. So where is CyberArk in terms of your mix today? What's your perpetual subscription mix look like? And how important is shifting the mix to subscriptions for you guys? I know everyone in the audience is security companies' talk about desire to shift, are you aggressively moving in that direction? Are you deferring completely to the customers? What's the strategy around that mix shift?

Josh Siegel

So today probably 95% of our license sales are still perpetual and 5% are mix of subscription and SaaS does of the Conjur well as the EPM endpoint through those managers are SaaS if they buy that way instead of perpetual and so we provide it as a service, but sometimes we show our standard products our Enterprise Password Vault as subscription typically a host providers or to MSSPs. And the Conjur would also be a subscription based product on premise. And so, I think in terms of the how aggressively we are moving the model. It's more of a customer demand and issue and how they want to consume it.

We are being aggressive on the development side and in the sense of Conjur, we are going to move that as a subscription as subscription product certainly on Endpoint Privilege Manager, we're aggressively marketing as a SaaS solution just like very easy to POC in 10 minutes. They can POC the Endpoint Privilege Manager because it's just off the cloud. And one of the things that also is around our how we are selling to MSSPs for our Enterprise Password Vault and Privileged Session Manager that will be rolled out as pricing for on a subscription basis as well. So I would say incremental products, it will be more aggressive towards the subscription or to a potential SaaS offering. And on existing products, it's really we're not aggressive via making that model.

Karl Keirstead

So everyone in the audience shouldn't expect 2018 to be sort of a fairly dramatic model shift for CyberArk.

Josh Siegel

Well, let's keep 2017 in our purview that what were we put our guidance for until now and we will talk about 2018.

Karl Keirstead

Okay, I'll take a short break I've got a couple of more but let's see if anyone in the audience have the question for Josh?

Unidentified Analyst

Can you talk more about your Endpoint Privilege Manager products, I think it was one of the positive highlights in the Q2 report. Obviously, there is a lot of endpoint solutions in the marketplace and there is a lot of confusion among investors to just how is your solution different from other endpoint technologies. Where do you kind of fit into the landscape and then how can CyberArk customer spend against the ransomware?

Josh Siegel

Yes, so great. When we Endpoint Privilege Manager is really around two things, it's around access control. So least privileges of what the administrator at the endpoint can do and it's around greylisting applications that could be brought on to the endpoints. And then a third piece is really around credential theft in the administrative controls. So, we are really not around preventing necessarily the attack to the endpoint, we are really concerned about if the attack is on the endpoint, how do you make sure that the attacker is not able to take control of the administrative access to your endpoints or the answer that the back half to your question on ransomware.

It actually would have been very effective or it really completely effective against the ransomware attacks because, it would not allow for the ransomware to be downloaded on to the endpoint and take over the network because that's exactly what it does under the greylisting is that -- it would have a blacklist that wouldn't allow it on and greylist is basically even if it does allow it. It will be contained about what is allowed to do on that endpoint. What's interesting about the ransomware attack happen in June instead our WannaCry was pretty much of standard of ransomware attack of downloading and taking over -- and taking and downloading the ransomware and basically freezing your computer. The NotPetya was kind of a double attack. It was okay, let's downloading the ransomware and then moving forward with trying to do credential theft and elevating privilege and elevating and stealing the credentials around the administrative passwords and so forth. And so that, our Endpoint Privilege Manager also would have been very effective against, preventing damage.

Karl Keirstead

Anything else? In the back, yes.

Unidentified Analyst

The supermarket security software selling through the CISO, what's the biggest challenge to get the attention?

Josh Siegel

The CISO.

Unidentified Analyst

Yes and its budget.

Josh Siegel

Yes, I think the biggest -- I mean the biggest challenge is -- and it's less for us now as we have become bigger is really getting is -- having them getting the executive level relationship. And that’s something that actually Ron Zoran, who is outside of Americas has been extremely well, has done extremely well in doing the Americas is bringing the think like the attacker sales methodology to the CISO level because that gets their attention.

Now they understand, okay let me show you all the different things that are going to happen, if they are inside your network and how are they going to attack. That's speaking the language of the CISO and by the way, how am I now going to help you prevent ownership of your network by the attacker? And that type of discussion gets the CISO's attention. As opposed to saying, we are just going to solve -- you need to manage these credentials and you need to lock down these privileged users and rotate their passwords. That I would agree it's very difficult to get the CISO's attention if that’s the solution that you are selling. But once you are showing them that if you don’t do that then the attacker is able to move through the network and continue to get to within game then it becomes a very powerful story.

Karl Keirstead

I think we are out of time. So I'm going to host a session with Fortinet next, if you want to stick to the security theme. But Josh and Erica, thanks for coming to the event and have a great day.

Josh Siegel

Thank you, Karl.

