Okta (NASDAQ:NASDAQ:OKTA) is one of my top long-term stock picks in the cybersecurity industry because it's the leader in identity management. This is a fast-growing space that I believe carries less risk than most other parts of the cybersecurity industry.
In order to justify this thesis, I start with my overview of the cybersecurity industry, then zoom in on identity management and Okta.
Cybersecurity is an increasingly important field in today's world. Among other trends, the shifts toward the public cloud, work from home, and internet of things have all widened the attack surfaces available to cyber criminals. As such, corporations are more vulnerable than ever, leading to multiple high-profile cybersecurity incidents this year. For example, the Colonial Pipeline hack saw hackers demand nearly $5 million in ransom and had east coasters panic buying gas.
If cybercrime were a country, it would already have a GDP of about $6 trillion; higher than the GDP of all countries besides the USA and China. And this figure is expected to grow at 15% per year through 2025, when it would reach $10.5 trillion.
Despite these huge crime numbers, the cybersecurity industry itself is only worth $167 billion today... less than 3% of cybercrime's valuation. And its forecast CAGR is only 10.9%, implying that it will grow more slowly than the cybercrime industry will.
This low valuation is because cybersecurity currently accounts for only 5.7% of IT spending. However, most experts recommend that this number be in the 10-15% range, considering the financial and reputational harm that is usually inflicted upon companies that are victims of cyber-attacks. A company's stock typically falls 5% after it announces that it's been hacked, and virtually every company lists cyber-attacks as a risk factor in its SEC filings. This implies at least 100% upside from the current spending levels.
As such, I believe it is very likely that cybersecurity spending will grow faster than the already respectable 10.9% CAGR that analysts are predicting. Historically, it's certainly been the case that analysts have underestimated this industry. For example, Statistica projected a 10.3% growth rate between 2017 and 2020, but the actual growth rate was 18.7% during this period. Similarly, in 2017 Gartner projected that spend would reach $170.4B in 2022, but this number was almost hit in 2020 ($167B). And during the 13 year period from 2004 to 2017, the industry grew at a rapid 31% per year; well above 10-11%.
One potential catalyst for a faster growth rate comes from the federal government, which recently announced an executive order to improve the USA's cybersecurity. Among other initiatives, it will modernize the federal government's cybersecurity infrastructure and improve detection of cybersecurity incidents on federal networks. The federal government currently spends only 2.5% of its defense budget on cybersecurity.
A recent survey by Okta points at another potential catalyst. It found that 74% of CIOs think that security represents the most crucial decision in modernizing their IT infrastructure.
Cybersecurity is clearly an important and fast-growing industry. As such, it's likely that cybersecurity will make a good investment, especially if its growth potential has been underestimated.
Why Identity Management?
Although cybersecurity is an extremely fast growing and important field which seems to be consistently underestimated by analysts, it can still be a difficult sector to invest in... especially if you want to sleep well at night.
I took masters level cybersecurity courses less than five years ago and occasionally deal with cybersecurity issues in my day job, but the industry moves so quickly that I still don't view myself as having enough knowledge to pick winners and losers out of most parts of the industry on a technical basis. For example, my classes taught how to deal with buffer overflows but didn't even mention zero trust. The former is no longer a noteworthy threat with modern programming languages, while the latter is one of the hottest topics today.
Some of the top cybersecurity companies just a few years ago were Palo Alto Networks (NYSE:PANW) and Fortinet (NASDAQ:FTNT). But today, they already find themselves in an awkward position where they are forced to disrupt their own on-premises solutions in order to stay relevant in a cloud first, work-from-home, zero trust world. Today's hot stocks are the likes of CrowdStrike (NASDAQ:CRWD) and Zscaler (NASDAQ:ZS), but it's possible that they'll eventually find themselves in a similar position as their older competitors since the industry moves so quickly. For example, SentinelOne (NYSE:S) is already trying to disrupt CrowdStrike, based on the idea that using a manual threat monitoring team is outdated when AI can be used instead.
One reason why most of the industry evolves quickly is that its focus is exclusionary - that is, it deals with the undefined. For example, CrowdStrike's mission is "to stop breaches." It's a simple concept, but it's very complex to implement. New types of breaches are constantly being created, so CrowdStrike can never fully define what it is trying to stop, much less guarantee that it will actually stop it. As new breach types are discovered, CrowdStrike must modify its solutions.
And if CrowdStrike were ever to fail to stop a breach, competitors like SentinelOne might start to look a lot more reputable and attractive to potential customers. While every investment could be negatively affected by a breach, cybersecurity companies are triply at risk, since they are often high priority targets, suffer outsized reputational damage from hacks, and may need to compensate their clients if they are responsible for a breach.
While most cybersecurity companies operate with a narrow moat derived from switching costs (and sometimes network effects), none can claim a moat wide enough to prevent their clients from leaving if their solutions are perceived as ineffective or outdated after a breach.
By focusing on identity, the one constant in an ever-changing technology and threat landscape, the Okta Identity Cloud provides our customers with a solution to solve their IT and security challenges. - Okta
That brings us to identity management. This is a unique niche in cybersecurity that focuses on enabling people to securely connect to the right technologies and services at the right time.
It's extremely noteworthy that unlike most of cybersecurity - whose mission is exclusionary - identity management's mission is inclusionary. Its goal is to keep a known set of people in, not to keep an unknown set of attacks out. This means that it is disrupted less frequently than the rest of the industry, and is arguably less prone to cyberattacks.
Identity management is one of the most predictable and reliable areas of cybersecurity because of its simple and inclusionary focus. As such, investors in this space are more likely to sleep well at night compared to investors in other areas of cybersecurity. And this increased certainty doesn't come at the cost of slower growth; identity management has a projected CAGR of 13.2% through 2027, as opposed to 10.9% for the overall industry.
Okta is my preferred investment in the identity management space for a few reasons. For one, as the first mover in the space, it's the only public company focused exclusively on identity management besides the much smaller and slower growing Ping Identity.
Okta has also been named a leader in the Gartner magic quadrant for access management for four years in a row. Although there are more leaders listed in Gartner's most recent magic quadrant, historically Okta and Microsoft (MSFT) were the only leaders. For their part, Okta still lists Microsoft as their only main competitor in their annual report.
This makes sense because Okta dwarfs Ping Identity, OneLogin, and ForgeRock in size; Okta has a 32.5B market cap while none of the others are even worth 5B, and Okta has over 10,000 customers compared to 1,411 for Ping Identity (the other competitors don't publish specific numbers). Okta also has the most reviews and the highest rating (91% recommended) on Gartner peer insights for access management.
Aside from its first-mover and size advantages, Okta also has an advantage when it comes to integrations. They offer over 7,000 integrations, compared to 2,300 for Microsoft's Azure Active Directory, 1,800 for Ping Identity, 6,000 for OneLogin, and 250 for ForgeRock. Integrations are key in this space since access management works best if it can control access to a lot of tools. Okta offers integrations for well-known apps like CrowdStrike, AWS, Google Cloud, Microsoft Azure, Salesforce, etc., notably partnering with other cybersecurity companies rather than competing with them.
Okta also partners with many organizations to drive sales, noting that "nearly all of the leading cloud application providers are our partners, and many of them drive further customer acquisition for us through co-selling arrangements, building our offerings directly into their products, and product demonstrations running on the Okta Identity Cloud."
Those who have used identity management solutions like Okta will know that their usefulness is largely derived from partnerships and simplified UI that improves productivity, but the actual logic for services like SSO is relatively simple compared to the logic for endpoint protection and other cybersecurity. This reduces risk for identity management companies, but also increases the importance of brand ethos since the barrier to entry within the industry is low. In this perspective, Okta does well considering that its first-mover advantage, size, and partnerships all serve to strengthen its brand.
In a crowded space like this, I like to look at the results to determine which company is the best investment and whether competition is a big risk. In Okta's case, it's the clear leader based on size, first-mover advantage, management track record, and partnerships. Okta would also claim that its neutrality gives it an advantage over Microsoft, which operates its solution within the larger Azure ecosystem. Ultimately, we can see these advantages paying off with Okta sustaining a revenue growth rate over 40% for years despite already dwarfing its non-Microsoft competitors in size.
Although there's a lot to like about Okta, it's not without its issues. For one, the company has never achieved profitability. While I generally don't care about profitability when a company is growing quickly like Okta is, not all unprofitability is created equal. Okta does poorly on the "Rule of 40" considering its -26% operating margin against revenue growth around 40%. Ideally, Okta would be (barely) profitable by now, but it's still quite far away from that point. However, Okta has done well on the Rule of 40 historically, so I'm willing to give them some time to catch up to their current spending, especially considering the disruptive effect of their recent Auth0 acquisition.
Also offsetting the lack of profitability is that investors get to purchase the stock at a relative discount to other cybersecurity options. For example, Zscaler and SentinelOne do about as poorly as Okta on the Rule of 40 but trade at P/S ratios over 50 (92 for SentinelOne!) compared to Okta's 35. CrowdStrike does quite well on the Rule of 40 but also trades at a very high 57 P/S ratio. Okta certainly isn't cheap, and some regression to its historical mean valuation is certainly a risk, but in this heated space it's currently one of the less expensive options.
Investors also have to consider other risks typical of cybersecurity companies like a talent shortage in the industry, competition (especially from vertically integrated tech giants like Microsoft), frequent patent wars, unpredictable acquisitions, and sky-high valuations.
Even so, Okta's position in the industry reduces some of these risks. For example, it relies on only 20 patents, compared to 65 for CrowdStrike and 716 for Fortinet. Perhaps, as a result, Okta is the only one of these companies not currently being sued. It is also less acquisitive than the average cybersecurity company; Okta was carefully considering its recent acquisition of Auth0 for an unheard of 8 years.
There are certainly a lot of things that could go wrong with Okta, but that's the price of investing in cybersecurity and growth stocks more generally. In my view, Okta comes with less risk than the average cybersecurity company.
Cybersecurity is a lucrative industry that I believe will outperform the broader market over the next 10 years. However, investors should think carefully about which stocks they choose considering the many risks and uncertainties associated with this space. They should consider profitability and valuation to some extent, but also need to consider whether the company's growth story checks out in an increasingly distributed world.
Identity management - and Okta specifically - offers a good balance between high growth and some semblance of stability in a rapidly shifting industry. Sure, there are higher quality companies from a purely financial perspective - such as CrowdStrike, which I also own, and Fortinet - but they operate in more competitive and unpredictable parts of the industry.
Although it's possible that other cybersecurity companies will generate better returns than Okta, and it may be worth throwing some darts at those, I sleep well at night knowing that the need for Okta's identity management solutions won't be going away any time soon.