Okta Remains A Strong Buy Despite Being Breached (NASDAQ:OKTA)

Thesis

Okta’s (NASDAQ:OKTA) lack of profitability and recent stewardship issues are valid concerns, but the current valuation more than accounts for them. As long as Okta maintains its industry-leading position and long-term guidance for 20% FCF margins, I continue to view it as a solid long-term investment. I believe that now is a good time to buy shares with the stock near a 52-week low.

Introduction

I maintain a large allocation to cybersecurity in my portfolio. The reason for this was perfectly summed up in Okta’s recent earnings call by CEO Todd McKinnon:

The megatrends that are driving Okta’s business – the deployment of cloud and hybrid IT, digital transformation projects and the adoption of Zero Trust security and an environment of increasing incidents and breaches – are only gaining momentum

The first trend mentioned – cloud computing – has been growing rapidly. This is easily measured by the IaaS platforms that underpin the industry (AWS, Azure, and GCP), which all continue to grow at a 30%+ CAGR. Cloud offers many advantages over legacy systems including better security, so I expect this growth to continue for years to come.

The second trend – digital transformation – has accelerated since COVID forced everyone into remote/hybrid work. While most companies began remote work immediately in the 2020 pandemic, they were slower to update their cybersecurity strategies. Cybersecurity currently accounts for only 5.7% of IT spending. However, most experts recommend that this number be in the 10-15% range, considering the financial and reputational harm that is usually inflicted upon companies that are victims of cyber-attacks.

As shown by Check Point (NASDAQ:CHKP) above, even as many companies have begun their return to office, the number of cyberattacks has only continued to increase. This could be for many reasons, but I believe a key one is that businesses still want to digitally transform even as COVID subsides. Cloud, hybrid work, and other digital transformation initiatives all increase the surface available to hackers and thus the need for cybersecurity.

The third and final megatrend – zero trust – is a security model that is optimized to prevent trust-based breaches by assuming that everyone outside and even within an organization could be a bad actor. An example of such a breach is a supply chain attack in which a compromised SaaS is used to access its customers’ data. A recent example of this is last year’s codecov hack.

Trust is of course a key part of the zero-trust model, and a key part of trust is identity. As a leader in identity, Okta is thus also a leader in zero trust, alongside a small group of other companies highlighted in Okta’s earnings call:

There’s another, I’d call them a more advanced set of customers that they know what they want for Zero Trust and they’re coming to leaders like Okta, leaders like Zscaler (NASDAQ:ZS), leaders like CrowdStrike (NASDAQ:CRWD). And they’re saying, these three components are what’s going to give me my Zero Trust together, we’re going to buy it together. I’ve been working on big, big accounts with the teams from Zscaler and CrowdStrike. There’s other players as well, but the three have been having some success together.

Recent Performance

The megatrends driving growth in cybersecurity and Okta, in particular, compelled me to make Okta one of my top 10 stock picks for 2022. Okta is down 33% year to date, so it has not gone well so far. I would say that if I could take back one of my 10 picks, it would be Okta. Not because I’ve lost faith in it long term, but because there were other cybersecurity companies that looked better in the short term at the start of the year. I even called out Fortinet (NASDAQ:FTNT) as one such option when I published my top 10 picks, and its stock is up 2% year to date and beating the market. However, in light of Okta’s recent underperformance, I once again believe it’s a strong buy.

Overall, cybersecurity stocks have done very well this year. The Global X Cybersecurity ETF (NASDAQ:BUG) is up 1% year to date and CrowdStrike – the other cybersecurity stock I included in my top 10 picks for 2022 – is up 12% year to date. I attribute this Q1 outperformance across the industry to a combination of strong earnings and the war in Ukraine, the latter of which I didn’t expect.

So why hasn’t Okta kept up with the industry, instead falling to a new 52 week low last week? There are a few factors. Most SaaS companies aim to pass the Rule of 40, which states that profit margin plus the revenue growth rate should add up to at least 40. While a few cybersecurity leaders pass it – including Fortinet, CrowdStrike, and Check Point – Okta fails quite miserably with a score of 3, thanks to its very negative -59% operating margin.

Margins have worsened since last year thanks in part to the Auth0 acquisition. This was expected, but it’s fair to wonder whether Okta is executing well in this acquisition by finding synergies across the companies and maximizing cross-selling opportunities. It appears that the two companies have not combined their sales forces, which was unexpected.

Okta justifies their negative margins with the idea of investing ahead of demand:

So we look at the business holistically at this point. Obviously, there’s a big opportunity. That’s going to be a very nice business for us in the years ahead. You had — you can hire account executives who know how to sell enterprise IT, they know where to go find it. There’s a lot of legacy Oracle, IBM, CA, RSA that over time, we’re just going to slowly rip and replace. Obviously, our dollar-based net retention continues to be 124% up from $1.22 last quarter. And that’s because our motion of landing and expanding inside these large organizations is going very well.

Our long-term financial goals anchor on at least $4 billion of revenue in FY ’26 with organic growth of at least 35% each year and 20% free cash flow margin in FY ’26.

As described above, Okta believes that they have a very large opportunity ahead of them. And they want to hire in sales and R&D to capitalize on that opportunity. It makes sense, but at a certain point, I wonder whether it’s too much. It’s difficult for a company as large as Okta to grow at 20% per year – much less their goal of 35% – so hiring ahead of the demand may not realize near-term benefits. But it certainly will lead to operating losses that will dilute shareholders.

Beyond these widening losses, I would say that highlights from Q4 earnings were mostly positive:

• Total revenue grew 63% and subscription revenue grew 64%.
• Okta stand-alone total revenue grew 39%.
• Auth0 revenue was $56 million.
• Total base of $100,000-plus ACV customers now stands at over 3,100 and grew nearly 60% in Q4.
• Excluding the billings process improvements, calculated billings grew 71%.
• Dollar-based net retention rate for the trailing 12-month period increased to 124%.
• Total operating expenses grew 81%. The growth in expenses is primarily attributable to the inclusion of Auth0.
• Total headcount now stands at just over 5,000 employees, up 79% year-over-year.
• Q1 Guidance: Total revenue of $388 million to sellers, representing a growth rate of 55% year-over-year.
• FY23 Guidance: Total revenue of $1.78 billion to $1.79 billion, representing growth of 37% year-over-year.

We can see that growth remains strong and comfortably above Okta’s 35% growth target, even considering only organic growth. Guidance is for continued growth above 35%, assuming that they continue to modestly raise their full year guidance throughout the year as they have in the past. The elite retention rate makes this growth look sustainable. The widening losses are attributed to headcount increasing faster than revenue and the inclusion of Auth0, which makes sense.

Okta fell 8% after announcing earnings, presumably because it guided for widening losses. But the stock continued to sell off since then after news broke that Okta itself was hacked. Most companies’ stocks sell off after they announce a breach, but it’s a particularly bad look for Okta since its own software was used for the very type of supply chain attack that its customers pay it to prevent. Moreover, Okta’s response to the attack was not ideal, since they weren’t aware of the issue until after it was announced by the hackers and they initially denied the hack even days after reportedly being notified of it.

Despite the drama, I expect that this will eventually blow over like most breaches. Although Okta could have handled the situation better, they are somewhat absolved of responsibility since their customer support contractor Sykes was to blame for the initial part of the breach. The details of the breach are still emerging but since it occurred through a contractor and social engineering hasn’t been ruled out, I think it’s unlikely that Okta’s underlying product was at fault… although they possibly could have detected the issue sooner.

Valuation

Wall Street wants profits now, and in general, I agree with them that all other factors being equal, I prefer a profitable company that passes the Rule of 40. Okta’s increasingly negative margins are undeniably concerning especially relative to its more profitable peers.

But the recent selloff in Okta’s shares may have gone too far, and its valuation is no longer equal to peers’. Okta has $2.5B in cash against $2B in debt, so even at their current run rate, they could avoid raising more capital for another few years. They may have to raise again before 2026 (when they aim to have 20% FCF margins) but the dilution probably won’t be extreme. Over the last two years, shares outstanding have grown at an 8% CAGR, which is significant especially relative to other cybersecurity leaders like Fortinet and Palo Alto Networks (NASDAQ:PANW) which have been reducing their shares outstanding. But this dilution pales in comparison to Okta’s 45% sales CAGR during the last two years and the expected 35%+ sales CAGR going forward.

I’m willing to look past a lack of profitability for the right price, and I believe that Okta has reached that price:

Company	P/S	5 Year Rev. CAGR	P/S/Growth
OKTA	19	52%	37
CRWD	36	94%	38
ZS	40	53%	75
FTNT	16	21%	76
PANW	13	25%	52
CHKP	8	5%	160

Source: The Author

Okta is the cheapest of its peer group when looking at P/S adjusted for growth, especially considering that CrowdStrike’s 94% growth is unlikely to be repeated off its current larger revenue base. Even if Okta simply meets its 35% revenue growth guidance going forward (despite posting an average beat of >5%) its growth-adjusted P/S would be 54, which is still on the cheaper end of the group.

As a company, I rate Okta below CrowdStrike, and probably below Fortinet and Palo Alto Networks as well. But as a stock, Okta’s valuation makes it the most compelling buy among its peers at this point.

Conclusion

While B2B cybersecurity is a fragmented industry, there are only a few large players, especially in Okta’s niche of identity management where pretty much everyone uses either Okta or Microsoft (NASDAQ:MSFT).

As long as Okta maintains its market leadership and long-term guidance for strong growth and FCF margin, I will continue to hold the stock and accumulate more shares when presented with buying opportunities like the one now.