Okta CEO and Co-Founder Todd McKinnon got right to the point Wednesday during the company's Q3 earnings call. The late-September cyberattack is “top of mind for everyone,” he said.
“The stakes are high and we will do whatever it takes to protect our current and future customers,” McKinnon said.
The recent cyberattack is just the latest in a series of security incidents this year. A string of attacks hit high-profile customer environments over the summer, and an attack against a third-party vendor exposed sensitive health information on nearly 5,000 current and former Okta employees.
And an investigation into the September incident, disclosed Wednesday, concluded that it wasn't 1% of Okta customer support system clients compromised in the breach — it was 100%.
Okta’s security posture was the chief topic of discussion and inquiry on the company’s earnings call for the third quarter fiscal year 2024, which ended Oct. 31. “The No. 1 priority is securing Okta and securing our customers, full stop,” McKinnon said. “Everything else is prioritized after that.”
Here are four takeaways from the earnings call, which the company held just hours after revealing the extent of the support system incident.
Business impacts, customer worries
Okta reported an increased number of customer deal delays during the quarter and said it expects that slowdown or short-term pauses to continue.
Customer retention remains in the mid-90% range, which is consistent with recent quarters, CFO Brett Tighe said during the call.
The company’s customer base grew about 10% year-over-year to 18,800 customers at the end of October.
Okta’s leadership team said it factored a “stable, but still challenging macro environment” into its financial outlook and expects annual revenue to grow 21% to almost $2.25 billion in fiscal year 2024 and 10% to $2.47 billion in fiscal year 2025.
Okta’s revenue has consistently grown on a year-over-year basis since it went public in 2017. The company has never reported a quarterly profit, yet losses narrowed 61% year-over-year to $81 million during its latest quarter.
“All of these attacks are highlighting the need for very strong phishing-resistant access management, identity governance, and then privileged access management and control,” McKinnon said. “The market we serve, and the opportunity for our products is only getting bigger and bigger, and the threat landscape is part of that.”
Okta leadership owns security shortcomings
McKinnon repeatedly affirmed the company’s commitment to make security its top priority.
While it has balanced security with other objectives, such as company growth and product development, a focus on infrastructure defense was sometimes inadequate, McKinnon said.
The company’s security efforts have been very specific and mature in areas of product infrastructure, but “we’re not as mature and we haven’t had the comprehensive approach on overall IT operations and overall company operations,” he said.
“We know now that’s not good enough. We have to do more. We know that Okta is one of the most targeted companies in the world,” McKinnon said. Okta has to “raise our game to be able to defend ourselves and our customers” against attacks.
Program Bedrock, a 90-day sprint across 4 pillars
In mid-November, Okta initiated a 90-day sprint it calls “Program Bedrock,” which spans four pillars.
- Bottoms up: Okta is encouraging employees to share every idea they have to bolster security. One example of a change that’s already in the works is to require multifactor authentication on all administrator accounts, McKinnon said.
- Tops down: Okta is seeking advice from top security experts on how it should architect its business, IT and product operations.
- Culture: Leaders are communicating and setting a clear priority on security across all levels of the business. “Nothing makes the priority clearer for everyone than a full focus and a 90-day sprint,” McKinnon said.
- Product: Okta is seeking a balance wherein its products are valuable, powerful and “built in a way that ensures the security of our customers as well,” McKinnon said.
The 90-day sprint “gives everyone space and clarity to have no confusion about this being the priority,” McKinnon said. “There’s enough things that will decrease the risk at a significant level that we think it’s worth a sprint here.”
This isn’t the first time Okta asserted a need to push harder on security. The company committed to a security action plan in April 2022 and said it completed those efforts in October 2022.
Program Bedrock, which McKinnon also described as a “hyper-focused security action plan,” is now underway one year later.
Okta shifts culture focus foremost on security
Following the attack against Okta’s support system and other recent incidents, the company recognizes it needs to do more to improve the security architecture of its operations, according to McKinnon.
The need is so great and immediate that company leaders earlier this month instituted a pause on all new products through the final weeks of winter 2024.
“We will stop at nothing to make sure we become one of the most secure companies in the world, because it's kind of clear to everyone that we're short of where we need to be now and we will fix that,” McKinnon said.
“The job of securing the Okta ecosystem will never be done, but during this hyper-focused phase, no other project or even product development area is more important,” McKinnon said.
The applications Okta uses, the hardware it deploys and the vendors it works with are all being reviewed for unmet security measures.