Okta: The Best Risk-Reward Tradeoff In Cybersecurity

Summary

• Okta is an industry leader with a long runway for growth, and I believe that it comes with less risk than the average cybersecurity company.
• I provide a top-down overview of the cybersecurity industry to show how I arrived at Okta as one of my preferred stock picks in this sector.
• Like any high-growth company, Okta has some risks. For example, it performs poorly on the Rule of 40.

Sundry Photography/iStock Editorial via Getty Images

Thesis

Okta (NASDAQ:NASDAQ:OKTA) is one of my top long-term stock picks in the cybersecurity industry because it's the leader in identity management. This is a fast-growing space that I believe carries less risk than most other parts of the cybersecurity industry.

In order to justify this thesis, I start with my overview of the cybersecurity industry, then zoom in on identity management and Okta.

Why Cybersecurity?

Source: Grand View Research

Cybersecurity is an increasingly important field in today's world. Among other trends, the shifts toward the public cloud, work from home, and internet of things have all widened the attack surfaces available to cyber criminals. As such, corporations are more vulnerable than ever, leading to multiple high-profile cybersecurity incidents this year. For example, the Colonial Pipeline hack saw hackers demand nearly $5 million in ransom and had east coasters panic buying gas.

If cybercrime were a country, it would already have a GDP of about $6 trillion; higher than the GDP of all countries besides the USA and China. And this figure is expected to grow at 15% per year through 2025, when it would reach $10.5 trillion.

Despite these huge crime numbers, the cybersecurity industry itself is only worth $167 billion today... less than 3% of cybercrime's valuation. And its forecast CAGR is only 10.9%, implying that it will grow more slowly than the cybercrime industry will.

This low valuation is because cybersecurity currently accounts for only 5.7% of IT spending. However, most experts recommend that this number be in the 10-15% range, considering the financial and reputational harm that is usually inflicted upon companies that are victims of cyber-attacks. A company's stock typically falls 5% after it announces that it's been hacked, and virtually every company lists cyber-attacks as a risk factor in its SEC filings. This implies at least 100% upside from the current spending levels.

As such, I believe it is very likely that cybersecurity spending will grow faster than the already respectable 10.9% CAGR that analysts are predicting. Historically, it's certainly been the case that analysts have underestimated this industry. For example, Statistica projected a 10.3% growth rate between 2017 and 2020, but the actual growth rate was 18.7% during this period. Similarly, in 2017 Gartner projected that spend would reach $170.4B in 2022, but this number was almost hit in 2020 ($167B). And during the 13 year period from 2004 to 2017, the industry grew at a rapid 31% per year; well above 10-11%.

One potential catalyst for a faster growth rate comes from the federal government, which recently announced an executive order to improve the USA's cybersecurity. Among other initiatives, it will modernize the federal government's cybersecurity infrastructure and improve detection of cybersecurity incidents on federal networks. The federal government currently spends only 2.5% of its defense budget on cybersecurity.

A recent survey by Okta points at another potential catalyst. It found that 74% of CIOs think that security represents the most crucial decision in modernizing their IT infrastructure.

Cybersecurity is clearly an important and fast-growing industry. As such, it's likely that cybersecurity will make a good investment, especially if its growth potential has been underestimated.

Why Identity Management?

Although cybersecurity is an extremely fast growing and important field which seems to be consistently underestimated by analysts, it can still be a difficult sector to invest in... especially if you want to sleep well at night.

I took masters level cybersecurity courses less than five years ago and occasionally deal with cybersecurity issues in my day job, but the industry moves so quickly that I still don't view myself as having enough knowledge to pick winners and losers out of most parts of the industry on a technical basis. For example, my classes taught how to deal with buffer overflows but didn't even mention zero trust. The former is no longer a noteworthy threat with modern programming languages, while the latter is one of the hottest topics today.

Some of the top cybersecurity companies just a few years ago were Palo Alto Networks (NYSE:PANW) and Fortinet (NASDAQ:FTNT). But today, they already find themselves in an awkward position where they are forced to disrupt their own on-premises solutions in order to stay relevant in a cloud first, work-from-home, zero trust world. Today's hot stocks are the likes of CrowdStrike (NASDAQ:CRWD) and Zscaler (NASDAQ:ZS), but it's possible that they'll eventually find themselves in a similar position as their older competitors since the industry moves so quickly. For example, SentinelOne (NYSE:S) is already trying to disrupt CrowdStrike, based on the idea that using a manual threat monitoring team is outdated when AI can be used instead.

One reason why most of the industry evolves quickly is that its focus is exclusionary - that is, it deals with the undefined. For example, CrowdStrike's mission is "to stop breaches." It's a simple concept, but it's very complex to implement. New types of breaches are constantly being created, so CrowdStrike can never fully define what it is trying to stop, much less guarantee that it will actually stop it. As new breach types are discovered, CrowdStrike must modify its solutions.

And if CrowdStrike were ever to fail to stop a breach, competitors like SentinelOne might start to look a lot more reputable and attractive to potential customers. While every investment could be negatively affected by a breach, cybersecurity companies are triply at risk, since they are often high priority targets, suffer outsized reputational damage from hacks, and may need to compensate their clients if they are responsible for a breach.

While most cybersecurity companies operate with a narrow moat derived from switching costs (and sometimes network effects), none can claim a moat wide enough to prevent their clients from leaving if their solutions are perceived as ineffective or outdated after a breach.

By focusing on identity, the one constant in an ever-changing technology and threat landscape, the Okta Identity Cloud provides our customers with a solution to solve their IT and security challenges. - Okta

That brings us to identity management. This is a unique niche in cybersecurity that focuses on enabling people to securely connect to the right technologies and services at the right time.

It's extremely noteworthy that unlike most of cybersecurity - whose mission is exclusionary - identity management's mission is inclusionary. Its goal is to keep a known set of people in, not to keep an unknown set of attacks out. This means that it is disrupted less frequently than the rest of the industry, and is arguably less prone to cyberattacks.

Identity management is one of the most predictable and reliable areas of cybersecurity because of its simple and inclusionary focus. As such, investors in this space are more likely to sleep well at night compared to investors in other areas of cybersecurity. And this increased certainty doesn't come at the cost of slower growth; identity management has a projected CAGR of 13.2% through 2027, as opposed to 10.9% for the overall industry.

Why Okta?

Source: Gartner

Okta is my preferred investment in the identity management space for a few reasons. For one, as the first mover in the space, it's the only public company focused exclusively on identity management besides the much smaller and slower growing Ping Identity.

Okta has also been named a leader in the Gartner magic quadrant for access management for four years in a row. Although there are more leaders listed in Gartner's most recent magic quadrant, historically Okta and Microsoft (MSFT) were the only leaders. For their part, Okta still lists Microsoft as their only main competitor in their annual report.

This makes sense because Okta dwarfs Ping Identity, OneLogin, and ForgeRock in size; Okta has a 32.5B market cap while none of the others are even worth 5B, and Okta has over 10,000 customers compared to 1,411 for Ping Identity (the other competitors don't publish specific numbers). Okta also has the most reviews and the highest rating (91% recommended) on Gartner peer insights for access management.

Aside from its first-mover and size advantages, Okta also has an advantage when it comes to integrations. They offer over 7,000 integrations, compared to 2,300 for Microsoft's Azure Active Directory, 1,800 for Ping Identity, 6,000 for OneLogin, and 250 for ForgeRock. Integrations are key in this space since access management works best if it can control access to a lot of tools. Okta offers integrations for well-known apps like CrowdStrike, AWS, Google Cloud, Microsoft Azure, Salesforce, etc., notably partnering with other cybersecurity companies rather than competing with them.

Okta also partners with many organizations to drive sales, noting that "nearly all of the leading cloud application providers are our partners, and many of them drive further customer acquisition for us through co-selling arrangements, building our offerings directly into their products, and product demonstrations running on the Okta Identity Cloud."

Those who have used identity management solutions like Okta will know that their usefulness is largely derived from partnerships and simplified UI that improves productivity, but the actual logic for services like SSO is relatively simple compared to the logic for endpoint protection and other cybersecurity. This reduces risk for identity management companies, but also increases the importance of brand ethos since the barrier to entry within the industry is low. In this perspective, Okta does well considering that its first-mover advantage, size, and partnerships all serve to strengthen its brand.

In a crowded space like this, I like to look at the results to determine which company is the best investment and whether competition is a big risk. In Okta's case, it's the clear leader based on size, first-mover advantage, management track record, and partnerships. Okta would also claim that its neutrality gives it an advantage over Microsoft, which operates its solution within the larger Azure ecosystem. Ultimately, we can see these advantages paying off with Okta sustaining a revenue growth rate over 40% for years despite already dwarfing its non-Microsoft competitors in size.

Risks

Although there's a lot to like about Okta, it's not without its issues. For one, the company has never achieved profitability. While I generally don't care about profitability when a company is growing quickly like Okta is, not all unprofitability is created equal. Okta does poorly on the "Rule of 40" considering its -26% operating margin against revenue growth around 40%. Ideally, Okta would be (barely) profitable by now, but it's still quite far away from that point. However, Okta has done well on the Rule of 40 historically, so I'm willing to give them some time to catch up to their current spending, especially considering the disruptive effect of their recent Auth0 acquisition.

Also offsetting the lack of profitability is that investors get to purchase the stock at a relative discount to other cybersecurity options. For example, Zscaler and SentinelOne do about as poorly as Okta on the Rule of 40 but trade at P/S ratios over 50 (92 for SentinelOne!) compared to Okta's 35. CrowdStrike does quite well on the Rule of 40 but also trades at a very high 57 P/S ratio. Okta certainly isn't cheap, and some regression to its historical mean valuation is certainly a risk, but in this heated space it's currently one of the less expensive options.

Investors also have to consider other risks typical of cybersecurity companies like a talent shortage in the industry, competition (especially from vertically integrated tech giants like Microsoft), frequent patent wars, unpredictable acquisitions, and sky-high valuations.

Even so, Okta's position in the industry reduces some of these risks. For example, it relies on only 20 patents, compared to 65 for CrowdStrike and 716 for Fortinet. Perhaps, as a result, Okta is the only one of these companies not currently being sued. It is also less acquisitive than the average cybersecurity company; Okta was carefully considering its recent acquisition of Auth0 for an unheard of 8 years.

There are certainly a lot of things that could go wrong with Okta, but that's the price of investing in cybersecurity and growth stocks more generally. In my view, Okta comes with less risk than the average cybersecurity company.

Conclusion

Cybersecurity is a lucrative industry that I believe will outperform the broader market over the next 10 years. However, investors should think carefully about which stocks they choose considering the many risks and uncertainties associated with this space. They should consider profitability and valuation to some extent, but also need to consider whether the company's growth story checks out in an increasingly distributed world.

Identity management - and Okta specifically - offers a good balance between high growth and some semblance of stability in a rapidly shifting industry. Sure, there are higher quality companies from a purely financial perspective - such as CrowdStrike, which I also own, and Fortinet - but they operate in more competitive and unpredictable parts of the industry.

Although it's possible that other cybersecurity companies will generate better returns than Okta, and it may be worth throwing some darts at those, I sleep well at night knowing that the need for Okta's identity management solutions won't be going away any time soon.

Analyst’s Disclosure: I/we have a beneficial long position in the shares of OKTA either through stock ownership, options, or other derivatives. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Comments

[Kann352]

"Okta is not profitable" and not buying it. simple as that.

[JPHudson]

Thanks for helping me to put this stock into perspective. Your familiarity with security technologies helped along with your financial analysis, a unique and welcomed perspective.

I invested in OKTA at slightly lower levels for the following reasons:

- OKTA owns the category. ADS is the default directory for MSFT and it is a good one. OKTA is as good in the MSFT eco-system as ADS and is the master identity management systems across all other operating systems,
- Identity Management is not only for authentication, its also for non-repudiation which diversifies its use into all security paradigms (surfaces). AI identified policy or technology potential disallowed ingress will map straight back to the directory which is the basic root framework of identity management. I will be very surprised if OKTA-Auth0 aren't developing these types of integration partnerships with security technology and switching companies today, which includes the names in your article. The addressable market for this technology is not limited to its classical role as user management and the associated dimensions such as SSO but rather it should form the basis for weakness identification, mitigation and remediation of network and node potential vulnerability and actual breaches in the future.
- Traditionally companies implemented the identity management solution that arrived with their ERP, OS, cloud service, hybrid, telephony, router-switching (read CSCO) etc. In the security world I see OKTA extending the discipline into the world of PANW, NET, CHKP, S, CRWD, and BB into autonomous vehicles (IoT) for identity recognition and behavior-user resolution which are event initiated as opposed to user, task, or procedure (external, i.e. scanning, sniffing, hacking versus internal). OKTA should develop these relationships and announce them which will satisfy this investor that they have a coherent plan and justify my ongoing risk taking.

OKTA is below their highs, burnished through their acquisition of Auth0, and ready to displace the mistaken belief that directories from different suppliers can be unified in-house. OKTA can control price better and buy the market share they need to prove their domination. Partnerships with other security technologies will improve their partner's offerings and provide, ironically, a trojan horse for OKTA sales.

While I agree with you that buffer overflows are not nearly as effective a vector as they used to be, application and operating system resets in the age of IoT and autonomy whether or not there is an injection of malcode are going to be a huge paved highway into new risk exposures. Resets are bad.

I'll hold OKTA for now pending partnership announcements and roadmap updates. I won't be purchasing any additional given market volatility and the difficulty most technology investors have in understanding infosec.

[applyberry]

Thanks can’t believe nobody sees that okta is the most overvalued stock in its category. Loses more money every quarter with little chance to ever be profitable. They even guide more losses. Their business model is un profitable. Anyone who buys at these rediculous prices is just a fool who will lose their money.

[canyon]

@applyberry
Yeah, large enterprise spend (let alone SMB) in IT security solutions has no positive trend, we've seen "peak hacking/breaches"... no need for a diversified portfolio of security solutions like observability, vulnerability, IDM, endpoint and zero-trust solutions since none of them are sufficiently profitable (actually most lose money)... history in losing stocks like TSLA or AMZN or Google has no relevance.

[applyberry]

@canyon they all made money and okta loses 100s of million a year losses growing and growth rate slowing. Not a company I want to touch at 40 times unprofitable sales

[Let The Led Out]

I wouldn’t be surprised to see them hit on revenue but miss on eps due to auth0 acquisition. With softer guidance proposed by management in last quarter. Personally I would say the risk is higher than the reward until after earnings as I’d bet the stock drops. Just my two cents and I personally hope it does so I can buy more and make it me 3/4 largest position

[mike in montana]

Agree with the other commenters, very useful intel. I've been thinking about starting a position, I believe you may have convinced me.....

[Rational Investment Advice Please]

Thank you for the informative article with some interesting insight.

Your take on lower risk for identity mgmt is especially interesting to me.
I've cashed in on OKTA before, and it's been high on my watchlist for a few years since.
I think you've convince me to slowly buy into this stock again for long-term.
Will follow you and look forward to more. Thanks again.

[Kennan Mell]

@Rational Investment Advice Please Thanks for the nice comment and for following!

[alla_al]

Best article about OKTA so far. I am a software engineer too and agree with your reasons for selecting OKTA in cybersecurity world. I bought some shares recently first time to hold them long-term. Long time ago bought PANW (a network engineer recommended) and nothing else i own from cybersecurity world. Will follow you from now to see other tech stocks recommendations. I don't have time to analyze them. At which price would you add more shares of OKTA? Thanks.

[Kennan Mell]

@alla_al I typically just DCA at (almost) any price in order to build a full position over the course of months. I added to Okta a couple weeks ago. For high growth companies, even if their valuation compresses 50%, they can offset that with their growth in just a couple years. So I don’t worry too much about valuation/market timing, as much as I worry about choosing companies that aren’t likely to experience a slowdown in growth. But it also depends on your time horizon and ability to DCA. Glad you liked the article and thanks for following!

[Kennan Mell]

@alla_al I’ll also add that I usually defer to analysts on valuation since I don’t have formal financial training. Morningstar has a 3 star rating on Okta with a FVE of $250 while the average analyst price target is $276 per Finviz. I also look at the historical valuation which is the only point of concern for me, but the whole market is elevated right now. I’ll add to my positions as long as the analyst price targets are reasonably close to the current price, and for my highest conviction holdings I’d add either way

[alla_al]

@Kennan Mell me either and i don't have even time to gain the finance knowledge, so I'll appreciate if you add on your next article some analyst's fair value / target price.

[canyon]

Nice job OP

[Kennan Mell]

@canyon Thank you!

[EconAnalyst]

Well done, I have been interested in Okta for a while but even the 35x P/S scared me quite a bit. This is a fantastic article that actually describes the business in detail - far from common on SeekingAlpha... Earned a follow from me!

[Kennan Mell]

@EconAnalyst Yeah, the 35x P/S is still very high. Something closer to 20 might be more sustainable long term. But whether it crashes to a lower level this year or slowly reverts to that level over multiple years while growing revenue at a market beating rate is anyone’s guess. For me, I prefer to dollar cost average and build my position slowly instead of waiting for a great price and going all in. But each person’s strategy will be different since they might not have an income stream to DCA with, for example. Anyway, happy to hear you liked the article and thanks for the follow!

[Peled111]

smart article

[Kennan Mell]

@Peled111 Glad you liked it!