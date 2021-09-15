Okta, Inc. (NASDAQ:OKTA) Citi Global Technology Virtual Conference September 15, 2021 1:50 PM ET

Todd McKinnon - Co-Founder, Chairman & CEO

Fatima Boolani - Citigroup

Fatima Boolani

Good afternoon, and good day to everyone tuning in. We're at the tail end of Citi's Global Tech Conference, day 3. And I am very thrilled to have with me on this session, the CEO and founder of Okta, Todd McKinnon. Hey, Todd.

Todd McKinnon

Hey, great to be here. I'm excited for the conference. Hopefully, it's going well.

Fatima Boolani

It sure has a lot of virtual buzz, if you will. Before we dive...

Todd McKinnon

I'll try not to break the streak.

Question-and-Answer Session

Q - Fatima Boolani

Before we dive into what I promise to be a very meaty discussion, I just wanted to remind the audience that if you do have any questions, I'd be happy to help address them and present them to Todd towards the end of the session. [Operator Instructions].

So with that, I want to dig right in. Todd, I'm going to start at the 30,000-foot level here. A lot has changed in the threat landscape and the way enterprises work in the last 18 months. And these big-picture trends have actually really accentuated what Okta does best. So as investors anticipate your forward momentum from here, what are some of your specific observations as it relates to the confidence you have in forward demand trends and buying behavior from here?

Todd McKinnon

We're -- yes, we're very excited and have a lot of confidence. And I think reflecting on your question why that is, is because we've been helping customers solve these problems that are really -- the problems really arise or the opportunities really arise from the big macro shifts in technology. So for us, that's cloud computing, more people using more apps in the cloud, building more things in infrastructure as a service, essentially getting things outside of their own data centers. That's one big trend.

The second big trend is related and probably maybe even more powerful, which is every company and every organization is trying to build new digital products, get closer to their customers, disintermediate their supply chain or their value chain and get closer to the customer, make sure they're not being disrupted and go out and disrupt industries themselves. So that's a -- I guess, a simple way to say that is they're using technology to drive their business.

And then the third thing is, as you mentioned, it's all got to be done securely. So I think when we look at the world, this is -- we've been doing this for over 12 years now. And our success is always correlated with that -- those macro trends accelerating. And we've seen, over the last couple of years, that the pandemic and remote work have really pushed those forward. But it's not like it was a onetime bump. It was kind of like a long-term trend that was kind of shifted or accelerated for a couple of years. But the long-term trend is unassailable. And we think we're in a really good position to capitalize on this for many, many years in the future.

Fatima Boolani

Todd, to that end, how would you respond to investors who maybe have a concern that -- again, you capitalized on the perfect storm of events. You had a lot of organizations last year that were entirely ill-prepared or unprepared for a workforce that was maybe 90% in-house, working from home overnight, to 100%. And so how do you respond to investors who sort of pick up this notion that most of that digital transformation with the fire under people's belly as a result of those trends have sort of been accelerated? How do you sort of counter that perception?

Todd McKinnon

Yes. Like the work was all -- they did all the work in a year, and now the work is done. I just -- I think it doesn't jive at all with what we're seeing, and both just, quantitatively, if you look at the results and the growth. But also, I think on this kind of thing, it's like qualitatively, too, because you got to talk to customers and you have to look at surveys and you have to think about -- or collect anecdotes and then think about what is their experience.

And I think back to a conversation I had recently with a big government agency and -- this is a massive agency. It's one of the big 3-letter agencies. And for them, they were using Okta in pockets of the agency. And the conversations recently have really escalated at this level of -- they need to do something across the entire agency. And it's pretty transformative. And what's driving the transformation, it's not COVID. It's not one thing. It's like they have all of this technology that it's very clear that they need to make it all accessible in all these different ways from home, from office, et cetera, et cetera. And they need to figure it all out in a way that can be secured for the long term, and they're really leaning into this investment.

And that's -- it's not a onetime investment. This is a recurring, ongoing investment. That's really a fundamental change in their technology and their security landscape. So it's -- I guess, that's what I would say. Just thinking about the trends, thinking about more cloud is not going away. The requirements for organizations to transform their businesses with better technology, better customer interactions is not going away. And as long as there's information and as long as there's value in information, the security challenges aren't going to go away either.

Fatima Boolani

To your point about sort of debunking this idea, sort of 1 year and done, pull forward and done, I'm curious, anything you're seeing from a vertical/end market or geographical standpoint that sort of gets you excited that, "Wow, there's this very long tail here."? You just brought up the public sector as a potential area or a potential vertical that's sort of behind the 8 ball on cloud transformation, digital transformation. But curious if there's any patterns that have emerged now that we're in the post-pandemic normal in terms of industries that are still lagging behind.

Todd McKinnon

You mentioned one of them. Public sector has been strong for us, particularly federal can be -- federal, we have a lot of potential there. And if you look back at our results over the last couple of years, we did very well with states and local governments and federal with some of our -- the recent certifications we've achieved, FedRAMP moderate, IL4, a couple of specific certifications. And then ones we have on the road map to be FedRAMP high and then eventually IL5 and beyond. These are going to be really good for the federal market.

And I think federal is not just certifications and us having great customer success there; it's also what's happening in the federal guidelines coming down from the Biden administration on cybersecurity, Zero Trust, multifactor authentication. So that's -- I'm pretty excited about that.

I think geographically, we're -- we've been very strong in North America, and we're investing and making sure we have the commensurate success outside of North America as well. We're making progress there. It's -- in our last earnings, it's -- that's up over 20% of our revenue now. I think it can get a lot bigger, which we're really excited about. It's -- these problems of digital transformation in cloud and the opportunities from cloud and then security -- the issues of security are very global. And a big part of the world economy is not North America, as everyone knows. So we're going to be there as well.

We're benefiting a lot on that from our -- we have the acquisition of Auth0, we completed back in May. We're really getting into the integration now. One of the most exciting things about it is Auth0 is very strong internationally. And we're going to make sure we leverage that to further accelerate Okta's overall position internationally. Because if you look out 4, 5 years, we've talked about in fiscal '25 being at $4 billion of revenue, a big part of that is going to be from international, more of a percentage than it is now about 20%. So we're excited about that as well.

Fatima Boolani

Todd, I would -- I want to come back to Auth0 because that was a pretty sort of seminal transaction for you. So I'll absolutely come back to that. But just because you brought up the Biden administration's imperatives around Zero Trust and cybersecurity, look, I think there's a lot of large numbers being thrown around in terms of what the size of this opportunity could look like. Can you maybe put some finer points on what's actionable for Okta in terms of budgetary grab within the public sector and specifically within federal agencies?

Todd McKinnon

Well, I think it's -- if you just look at an aggregate level of IT spend and think about -- as we've seen the whole industry adopt more cloud and really, as that adoption has led to an identity-first security approach, the opportunity is quite sizable. So we're investing behind that opportunity because we think it's going to be an important part of the company going forward.

And the cool thing about it is there are some certifications that are different, but a lot of it -- a lot of the work, a lot of the product features, the capabilities are very horizontally applicable. And that they're going to benefit the -- every organization in the world. So that's -- it's a pretty good position to be in where you can invest in what's going to benefit a specific vertical and also have that benefit a bunch of other verticals as well.

Fatima Boolani

Right. So shifting gears back to product strategy. You've cornered the workforce identity management and access market and then that pain point. And you've just made a pretty bold bet to really corner the customer identity access management market. So maybe give us a little bit of a refresher of sort of how you got from Point A to Point B and where you see yourselves within that customer identity discipline in the next 12 months, 24 months.

Todd McKinnon

Well, we don't -- it's funny. We're very -- we don't think of anything as cornered. We've got -- I mean, we're going after an $80 billion market opportunity. And our revenue is not $80 billion. So we have a lot of work to do.

And the big -- I think the big -- I'll talk a little bit in specifics about the market segments you talked about. But I think big picture, the world -- a lot of the world still thinks about identity and access management as a feature of other platforms. So it's like something you get when you buy your database or your email apps or your infrastructure, you get it, maybe your data center provider provides it or something.

And that's -- our message to the world is that there is nothing that's further from the truth. Identity is its own platform. And it's so important with so many people connecting to all this information, with so much information, so many applications, all these use cases from workforce to customer identity, it's such a critical part of your overall technology strategy. It can't -- you can't just beat it by default from another platform because if you don't have an independent and neutral identity platform like Okta, then you're going to be limited in other choices of technology you can make.

So it's this independent and neutral platform that's incredibly strategic for the technology decisions you're making as an organization. And by extension, it's the foundation of your entire strategy of your organization. So when we're talking to customers and when we're getting excited about these conversations, it's when that message comes through. And so when we think about what we're trying to do as a company, that's very important, first of all.

So back to the specific workforce identity and then customer identity, the -- on the workforce side, there has been an existing -- a lot of existing products there in the past. As I mentioned, a lot of them are features of other platforms, whether -- when you got the Oracle database, you've got some Oracle identity; or you've got IBM, you got some IBM identity. And we -- I think because that's an established category, we have a good start on like bringing this message to the market that this is different this time. There's independence, and neutrality is important. And you're seeing that drive our success there. About -- combined with Auth0, it's about 2/3 of our business is the workforce identity side.

The customer identity side is interesting because it's more of a nascent category. And it's really about, as companies invest in these projects, to build better websites and mobile apps. How much of it do they build themselves versus how much do they use a vendor like Okta. And that's -- that build versus buy is we've made good progress on over the last couple of years. And I think with Auth0, we really take a big step forward.

Because when you're talking about build versus buy, it's one thing to have a platform like Okta traditionally has had, which really appeals to the Chief Security Officers, Chief Information Officers, lets them handle super complex customer access requirements, helps them have multiple systems maybe behind, maybe some legacy contact center systems, some legacy portal applications and put those together with one unified access control. That's what the Okta SIEM product traditionally appealed to.

There's another big part of this market, which is just developers and companies building things and grabbing something off the shelf early in that project's life cycle. And that's what Auth0 is amazing at. So you put these 2 together, we really start to have this clear, compelling, complete solution for all these customer identity use cases, which is really exciting for us.

Fatima Boolani

There's some distinction between the workforce pain point and the customer pain point. But I'm curious, what synergies do you see in owning both of them? Because fundamentally, it's sort of solving a different issue. So why do they belong -- all of these use cases belong on the Okta identity standard platform?

Todd McKinnon

There's a couple of different reasons. One reason is that there's an advantage to have -- there's an advantage for you to have 1 company in terms of support, in terms of the salespeople you're talking to, the consulting, professional services. A lot of this stuff is complex. And you mentioned there are differences about the different use cases. But one thing that's common about both of them is there's complexity and that there's things you have to get right. So there's just an advantage of when you look in your environment -- if you're a customer and you look in your environment, who are your strategic partners across your technology landscape? Who can be this person that understands identity, understands the complexities, has the support infrastructure, has the services infrastructure, how's the partnerships, the neutrality? Who can be that one-stop shop to solve those problems?

Because customers, they have a lot of opportunity with technology and a lot of problems to solve. And they're not going to look to -- they're not going to look -- they're going to have thousands of pieces of technology, but they're not going to look to thousands of vendors equally. They're going to focus on 5 or 6 of these primary strategic vendors, and we're very focused on making sure that, that identity is 1 of those vendors. So there's the whole good customer partner part of it.

The second part of it is that -- is more on the technical side, is that there are technical components that can be shared across both platforms that really are a benefit to the customers. And a great example is capability. We -- Okta has called ThreatInsights. So ThreatInsights looks at anomalous behavior and potentially malicious IP addresses attacking any customer and blocks them for all customers. That capability is a lot more powerful combined with Auth0 because we're looking at all of the threats in their network and combining the threats potentially on our network and blocking those from all the joint customers. So that's a product-level synergy beyond the kind of company level being a better partner because we're a more substantial broader partner to our customers.

There's many more of those customer synergies, and we're going to be talking about more about these things as the acquisition integration progresses. We have an event coming up in October, our Showcase event, where we're going to talk about some of these synergies and these combination dynamics in more detail.

Fatima Boolani

Todd, translating this into the addressable market opportunity, you talked about an $80 billion TAM. Seems to me, on the workforce side, it's pretty straightforward. It's a number of information workers in your organization, and there's a very, very large pool of enterprises and organizations. But when I think about the customer identity addressable market, how should -- how are you thinking about that market? And should we, as investors, think about growth in e-commerce or digital properties or any other sort of second derivative metric to think about it as a proxy for how much the customer identity technology use case can proliferate?

Todd McKinnon

Yes. When we estimate the market, the methodology we use really comes down to how many accounts do people have. Because customer identity is really about helping people building websites and mobile apps that are providing those accounts to people doing that more efficiently and more effectively. So the more accounts people have, the more demand for customer identity access management there is for the supplier side. So there's -- that's -- when we get to the $30 billion number, that's how we estimate that. We take some heuristics about number of accounts people have and so forth.

The interesting thing about the customer identity access management market is that I think it's a market that, over the coming years, is going to -- the complete solution will be broader than it is today. Right now, it's about authentication, some authorization. But I think there's a lot of natural technologies and products that are around that space. Whether it's things like digital marketing technologies that help identify users before they're in your sales funnel or before they're converted to a known user, there's a lot of interesting expansion opportunities there. That's an area that's very dynamic now, especially with cookies and what's happening with the OS platforms in terms of ability to track. So that's a very interesting area.

Again, these aren't specific product directions for Okta. They're just interesting areas where I think that the complete solution of customer identity access management will expand and look different or broader than it is today.

Another interesting area is more real-world identity verification. So it's one thing to authenticate a customer and have confidence that they are who they say they are. It's another thing and there's a lot of interesting partners we're working with and a lot of innovation going around like how do you really validate that that's the person who they say they are? For example, something like a vaccine passport. How do you -- it's not about just logging someone on to a vaccine passport website; it's about how do you actually go into the database and figure out that Fatima got her vaccine on a certain date.

So I think those are 2 examples. There's probably 7 of these that I could list out, but it's interesting areas where, in 5 years from now, people are going to look at this customer -- what now is called customer identity access management and it's going to be much broader and it's going to be much more valuable than even, I think, the $30 billion number portrays today.

Fatima Boolani

Todd, I'm just sort of thinking outside of the box here. As a consumer, me interfacing with a lot of digital properties, typically, I see Facebook or Google or even Apple as a conduit for application access, right? So in that realm, how do you see your role in terms of an enabler, competitor, co-Oktater? I mean is that the right way to think about the long-term SIEM landscape?

Todd McKinnon

Well, I think today, we're -- we help customers in really easy way, accept those identity providers. So in that example, it's log in with Facebook, sign in with Apple. I think that if you log in with Google -- I think if you -- we can really help our customers accept the different options there super simply. So instead of having to implement the different APIs for all those social log-in providers, we can just -- they can use our SIEM solutions and that just -- they get that for free. And then their customers can create an account in our customers' sites and services just super easily.

I think longer term, the -- I think -- forget about just the social log-in providers. Longer term, there's -- the identity experience for consumers is too complex. It's -- there's no good options. All the options are -- it's like what's the least worst option in terms of usability and security. And I think there is an opportunity over time to work with not just Okta but the whole industry to push forward a better experience for consumers. And the way we're going to get started on that is we're going to make sure that we do a great job building the best customer identity access management service and having a lot of sites and a lot of apps use it.

And then that -- I think that will give us enough presence in the market to then go out and help standardize some of this complexity on the customer side. It's something we're really starting to work on more and more, and I'm pretty excited about it for the future.

Fatima Boolani

Todd, how does the evolution and adoption of biometrics impact you? How do you think about that? I think it's very early days for a lot of organizations to authenticate their workforce and their information workers with that, that we're sort of limping there. So how does that impact you? And how have you thought about that in the context of the product strategy?

Todd McKinnon

I think it's -- I think of the challenge of biometrics is it used to be that it was a hardware challenge. Like we didn't have the fingerprint reader or we didn't have the ability to actually do biometrics. That's not the problem anymore. I mean we have plenty of biometrics. Most -- a lot of PCs, almost all PCs, Macs, iPhones, a lot of Android devices come with, if not more, at least a camera, a really high-def camera. So I think it's really an integration challenge now. And our approach to it is make sure that, for our customers, all this stuff is integrated.

And when I say integrated, what I mean is that if you have Okta as a business, and you're running the security policy or you're running the information technology there, you can use it as this single unified integrated control plane that you can do a policy and you say, "Hey, listen, based on specific apps that Fatima is going to access, based on where she's coming from, these are the authentication checks that are required."

Maybe for very things that aren't very sensitive, it's just -- it's no authentication check. It's just, "Hey, if it's her computer, she can come in." If it's -- or if it's something that really needs to be locked down, it's like she has to have a known computer and it has to be from a certain physical location on the planet Earth. And it has to be a face scan. I mean that's -- and that flexibility, it's -- people don't do that today because all that stuff is not integrated.

The face scanner is not integrated to the application. It's not integrated to the website. And so our product -- one way to think about it is our platform integrates that all together, so that our customers could just have this simple policy layer that can give them the easiest ease of use for their users but also the best security outcomes in terms of being diligent about what's locked down.

Fatima Boolani

So staying sort of strategic, we talked a lot about the human element of identity and access, right? So in all cases we just talked about, it's an employee and/or an end customer. But can we think about the type of sprawl we're seeing in cloud services and cloud assets that sort of have an identity of their own, so machine identities, right? So where does that aspect of identity fit in your road map and your strategy? Or just broadly how you're thinking about machine-based identities and the sprawl that's coming from there?

Todd McKinnon

Well, it definitely is. It's -- I think about it the following way. Machine identities are -- the big problem with machine security from this perspective is that the machines get treated as if they're -- if they're in a data center, often or not, or if they're in a certain server closet, they get treated like they're blessed and trusted and nothing bad can happen from that machine.

And that's -- there's a big term in the industry everyone talks about. Everyone knows about your Zero Trust comes from that. It's basically stop trusting that machine in the data center because you can't just assume that if it's in the data center or in your office that nothing malicious is going to happen.

So if you really get to this -- to get to this real Zero Trust capability, one of the things you have to do is you have to make sure that you know you have an inventory and you have an accurate representation of all the machines. So you have to have like a catalog of the machines. And then that's sometimes daunting enough. But then you have to make sure that you don't just -- you allow that machine to only do the minimum amount of things that it should be -- it should have to do.

You can't just access anything on the network. You can't just potentially be launching off point for other attacks throughout your network. It has to be locked down to exactly what it has to be able to do. And to do that, you -- 9 times out of 10, you have to know the people that can do certain things from that machine. And that's the tricky part because a lot of these machines, they have a certain role that they do just in terms of processing kind of no user-related process and information around. But then they're left -- the administration accounts or the admin or the super user accounts are left open because it's easy for the engineers to drop in there and like do some admin things and maintain some network things.

And that's why -- that specific problem. Imagine the server in the server closet. You did a good job at Zero Trust. You took an inventory of the assets. You know this machine only should be able to access this other physical area of the network. You've really locked it down. But then you can log into that with an admin count and get anywhere.

And so this -- we have a new product area we're working on, and we've had success in the past with a product called privileged access management. Privileged access management is about locking down that admin account, making sure that server admin, that database administrator, that infrastructure administrator, those accounts are really -- have the least amount of privileges possible. And the goal is to minimize the potential impact of an attack. So if that machine gets compromised, we have this issue. There's a big issue right now with -- going on with a vulnerability in Mac and iPhones, and Apple is -- they're doing a good job rolling out all these patches. But you have those environments and your -- you have those machines in your environment.

So it's about patching them as fast as possible, but it's also about making sure they're deployed in a way that if they get compromised, they can't jump off to anyone in the network. They can't jump over into that administrative account and do things that are going to perpetuate that attack or that risk more than it should be.

So it's a big topic, but I think that some of the tools we're working on and the industry is working on is going to make the whole security posture of all these machines better.

Fatima Boolani

I want to go back to the outset of our conversation when we were talking about some of the big trends that you've really been able to chop. Some of your key rivals have also been responding very aggressively to those trends and maybe taking -- similarly taking advantage of those trends. And so I want to ask you, how has Okta adopted -- or adapted, rather, their go-to-market strategy as other players in the broader identity security realm have tried to sort of emulate and capture the same opportunity and extend their platforms? And how has the strip impacted the way you go to market and engage competitively?

Todd McKinnon

Well, in terms of our go-to-market, it's really been about growing and investing. And for a long time now, we've seen this big opportunity and we've been able to sustain very strong growth, and we're continuing to invest in that growth. And so that's -- I guess, that's consistently what we've done all along.

We have not particularly in response to any competitor, but one of the trends has been we're selling more to enterprise customers. And so as you move up the size of companies and the size of agencies you can address, a couple of things get really important. One is that your -- the partner ecosystem gets -- the partner ecosystem is always important for Okta. We're the kind of the heart of it with this integration company. We play very well at others. We're neutral. But as you move higher into the market, it's -- your relationships with the strategic systems integrators, with strategic security VARs and resellers becomes even more important. So that's one evolution we've made.

And then the other thing I would say is that our own capability to build this team of -- whether it's on the customer success side or whether it's on the implementation services side, we want to have this team that can really help these organizations with this complexity.

Identity for companies is high stakes. It's a lot of potential, but it is complex. And to the degree we can have the strongest team that is that partner that can help our customers through some of these challenging projects in a fast and strategic and valuable way, it's a big part of our brand. And it's something we're -- we've made a lot of progress on, and we'll continue to be a good partner.

And then in terms of like the messaging and the positioning, the one thing that has been -- it's been very -- we've been done a good job of is making sure more and more people understand that if you buy identity from another big platform, it doesn't matter what platform it is, if it's an email platform, like Microsoft or it's an infrastructure platform like Google or Amazon or it's CRM or whatever it is, if you buy identity from that platform, you're not going to get the choice and flexibility you get from a neutral platform. There's no way that the product and the engineering people at Microsoft, working on identity are going to make it amazingly simple and easy for you to log in AWS.

This is not going to happen. They would get fired. I mean it's like, "What are you doing?" We don't want our customers logging in to AWS. We want them to log in to Azure. So that's one simple example. But that's what's at stake. And I think as we're -- a lot of our results are that we've been even more and more effective at telling that story, which is something we'll continue to do because it's true. And we're seeing the benefit of customers that make the right choice here and what they can do with this technology, and we're going to keep that going.

Fatima Boolani

Todd, you brought up Microsoft. And you have mentioned in the past that, that is one peer that you do keep very close eyes on. So maybe if you can share some anecdotes with us, how you've specifically responded to Microsoft's very aggressive foray into your -- some of your core workforce identity and access management capabilities? And maybe specifically, and to your point earlier about a lot of these platform vendors who offer a futurized version of what you do, wake up every morning and do for a living, how do you sort of combat that? So again, very specifically from the Microsoft lens because it's just one that you brought up and in the past as well.

Todd McKinnon

Yes. I think Microsoft -- I think of all the vendors, Microsoft's probably focused the most on this. They've been doing it for a while. They've -- remember, I think they launched their product 7 years ago now in 2014. And I think they've made steady progress. I think it's very clear, though, if you look at Microsoft as a whole, from -- at least from my perspective, it's -- the important things are Office 365 and Azure. And that actually -- it actually -- especially the Office 365 side is great for Okta.

The fact that they're moving all these companies to the cloud and they run straight into all the problems that we can help solve when they start to get everyone accessing things from the cloud, and we're actually a very effective partner with Microsoft on the Office 365 side.

In terms of the competitive products they offer, I think that there's a few camps of customers. There are customers and there will always be customers that they just -- they don't -- the investment in technology and the ability to have flexible technology is just not -- it's not that important to them. They're just like, "You know what, I want it like cheap as possible. We're kind of go more with a commodity approach on our technology." And that's fine. And they can use something embedded in Microsoft. But that's -- the companies that think about technology that way are getting fewer and fewer.

And I was talking to -- yesterday, I was talking to a -- it's a company that -- an amazing company based in Europe that does -- it repairs windshields, so windscreens that are broken. And it's a massive company. And they describe themselves quite humbly as blue collar and hard-working, working-class people, were keep salt of the Earth. And then went on to describe 20 minutes about their very sophisticated advanced technology strategy they're employed for this company.

So my point is that every industry, every company is more and more investing in technology. I think the number of companies that see it as more of a commodity thing, more that, "I just want to kind of get it from the easiest vendor, the cheapest vendor," is less and less. And I think that's -- we're seeing that in our results, and it's -- we're continuing to invest and not only telling them the story and making sure that more and more people understand the differentiation but also investing in the product. So you can do things like secure your privileged accounts across all cloud providers very easily, not just one.

Fatima Boolani

Your ability to drive product expansion in the base and the uptake of increasing breadth of capabilities in the base is very evident in some of the net retention numbers that you share. But I'm curious, specifically on the workforce side, again, that's where you cut your teeth. We have started to see maybe some consolidation or at least what I like to refer to as a blurring of the swim lanes between even more nuanced sleeves of identity. So curious if you can update us on the progress there in terms of sort of extending into governance, extending into privileged access. How that should sort of financially or quantitatively manifest in your business moving forward?

Todd McKinnon

I think that -- we talk about this internally as we have these big initiatives going on right now for IGA, a new product that we're going to be launching. We've announced that it's going to be launching first quarter next year. Same for privileged access, privileged access management. We talk about this internally a lot. And I think what's going on in these markets is that there's these requirements and these use cases to get governance reports and have a good sense of the access requests and so forth on the government side and then to lock down these privileged accounts.

These are requirements and things customers need to do. But these are also 2 industries in transition. These are 2 industries that are -- like every other industry, they're moving to -- tech industry, it's moving to the cloud.

I mean when I started Okta, almost 13 years ago now, it was a simple bet that everything in the IT stack was going to move to the cloud, and there's going to be a cloud version of it. And at the time, it was mostly apps and infrastructure with AWS. But the big bet for us was that everything was going to move, including the identity provider, which was strange for a lot of people, and they didn't think it would happen. But everything is going to move.

And so when I look at identity governance and privileged access, everything is moving. There are no exception. So I think the vendors in this space are legacy software vendors. And that's just the facts. I mean they were started in an area where they were software.

And like a lot of other legacy software vendors, they're going to be fine. They're going to keep growing at probably slower than average growth rates. They're going to throw off a lot of cash. They're going to be fine. They're not going to be like put out of business by anyone.

Last time I looked, the Siebel business inside of Oracle is still making money. So they're going to be fine. But if you look at where these markets are going, in 5 years from now, you're not going to install a big on-premise implementation for identity governance.

And we're going there. We're going so that you want a modern cloud-based system, simple, not overly complex, solve your business challenges, not a lot of the headaches of the solutions of the past. Same on the privileged access side. Except on there, it's even more of a profound shift because it's not just like I don't want to run the servers from my governance solution; the actual way you build applications is shifting.

CyberArk was -- they've done a great job, but they were built when everything was in a rack, and it was Oracle and Solaris. I mean the world is very different now. You have spinning up servers and dynamic workloads. Not everyone is there. Not everyone builds applications in a modern DevOps way. But more and more people are. And if you look out 5 years, I think the solution for privileged access is going to be one that needs to be attuned to that versus a different architecture from the past.

Fatima Boolani

And just my last question sort of cap off that line of conversation. Net retention has been a really important metric for you in the quartile of some of your enterprise software peers. But as you think about the vectors that drive that figure, whether that's cross-sell or upsell and frankly, even pricing increases, can you talk about what is going to be the most prominent and salient vector to drive that net retention rate higher from kind of the low 120s to much higher?

Todd McKinnon

Well, if you -- as we talked about this number with investors in the past, the gross number, we don't break it out, but it's been consistent over the last several years. So the 2 variables that are left are -- if you look at the overall results, the -- it's like how much is new business? And how much is upsells?

And as you see that number change 1 point or 2 either way quarter-over-quarter, it's really kind of like how many upsells we've done. And as you mentioned, the -- what's like you asked, what's driving the upsells? Well, I think that it's -- there's a bunch of different things. There's just more seats, a company might get more employees.

But the biggest drivers are a couple. One is they'll start with customer identity and then buy a workforce, or they'll start with workforce and then buy customer identity. So basically, new use cases. And then, of course, within each of those, they might get some seat expansion.

And then within each of those broad market categories, there's -- and by the way, with the addition of Auth0 now, we have many more potential customer identity customers to sell workforce into and vice versa. So more -- we can sell customer identity and -- so a lot more cross-sell opportunity there.

I think that the -- one of the things we broke out is there's only 300 common customers. So the company now has 13,000-plus customers, and only 300 of them are common across both Auth0, so there's a lot of cross-sell opportunity there.

The last thing I'll say is that on customer identity and workforce, there's -- you can use more of it by -- there's different modules or products you can buy. So you can start on the customer identity side and start with just a directory and then add multifactor authentication. Or on the workforce side, you can start with just a simple single sign-on. And then you can add things like life cycle management to control the life cycle of the account across from when the employees hired until they change roles, until when they leave. So the -- between those big cross-sells of customer and workforce to the seat expansion in both and the modules, there's a lot of opportunity there.

Fatima Boolani

Yes. Well, no, that does it for us. We're at the halfway -- half-hour mark here. So I want to thank you for your time. Really comprehensive discussion. And always nice to spend some time with you, Todd. Thanks a lot.

Todd McKinnon

Yes, thanks for having me. And it's -- I appreciate getting a chance to talk a little bit about the market and the opportunity. Thank you.

Fatima Boolani

Bye.