Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Just a reminder that dbt Labs is still hiring in many departments, so if you or anyone you know is affected by the recent tech layoffs, please encourage them to apply.
LET’S BE FRANK
This week, I’m continuing my thought experiment series on how large cybersecurity companies might fail. I’ve talked about CrowdStrike and Zscaler, and in this newsletter, I’m going to discuss Okta, which I believe is an amazing company that has done a lot with a simple concept.
As a disclosure, I currently use Okta at dbt Labs, and I am long Okta stock.
The rise of SaaS and the need for Okta
Okta is best known for its single sign-on (SSO) product. However, SSO itself is not a new concept. It started in the 1990s, when a mixture of Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Web Access Management (WAM) tied together user identity and access to servers, networks, and applications on-premises.
However, many companies stopped managing applications on-premises and started moving toward the cloud and SaaS as a way to reduce the burden on IT teams. Okta capitalized on this trend by implementing a centralized way to access SaaS apps. This made it easier AND more secure for IT to manage user access to SaaS apps. In many ways, this is an ideal security solution, i.e., a tool that is both easier to use and more secure. One of the main benefits is centralization. All the apps are in one location, and users do not have to create a password for each application. This is especially important because each SaaS app requires its own login credentials, whereas previously, with on-premises logins and corporate networks, one could trust traffic on the network and simply manage permissions to applications. Like many cloud-related changes, IT lost control, and Okta was a way to regain it in the world of SaaS apps.
Building an identity platform
Okta has expanded into various products, such as universal directory, user management, authentication, API access management, advanced server access, etc. It’s true that IAM is a huge market, and there’s plenty of room to build a cybersecurity platform. The tricky part is deciding which parts of the market to tackle. It really comes down to go-to-market (GTM) motions.
Okta has traditionally sold to IT. I don’t see this changing anytime soon because I don’t believe that developers or any other part of the organization have any interest in managing SaaS applications, which is Okta’s core product. However, this business will eventually saturate, and they are already expanding into other parts of IAM, such as authentication with the Auth0 acquisition and server access with the ScaleFT acquisition. However, in my mind, these acquisitions have completely different buyers. Developers are the traditional buyers for authentication, and although server access has also been bought by IT, with the shift to the cloud, developers have been acquiring these types of tools to gain more control over cloud and developer infrastructure. Teleport and StrongDM are perfect examples of the rise of developer access tools.
IAM has always been a tricky space. Ownership and reporting structures remain unclear. Although many companies have a dedicated IAM team, there isn’t consensus on its reporting line. At some companies, security owns IAM. At others, engineering owns it. Sometimes, even IT owns parts of IAM. To complicate matters further, it’s common for different reporting lines to own different parts of IAM. The rise of security engineering teams might resolve some of these ownership questions or might worsen the situation. Fortunately, this complication has never affected Okta because their core product around app access was clearly an IT buy.
Unfortunately, Okta cannot rely on a single product to justify its current valuation. As a result, like every other cybersecurity company, it has needed to expand its product offerings.
The failed bet on the developer
Unlike Zscaler and CrowdStrike, I do believe that Okta is aware of the rise of the developer and of the market this phenomenon creates. That’s why they took a big bet on the Auth0 acquisition. However, Okta was not prepared for the GTM integration struggles, and it’s already showing. It’s no surprise that selling to developers is very different from selling to IT, but Okta underestimated how difficult running both GTM motions would be. Palo Alto Networks shows us that a company needs to have two separate GTM teams/motions, and it’s extremely difficult to combine both.
In other words, their thesis is correct: their growth is plateauing in a shrinking IT market, and they need to find a way to capture the growing developer market. They have also identified the two largest markets to tackle, i.e., authentication and developer access. However, this is where they start facing substantial challenges. They never figure out how to execute on this thesis.
They slowly start to de-prioritize their core SaaS access management product and focus on developers, and they continue to struggle to split their GTM motions. The current nimble startups capitalize on Okta’s confusion and are able to capture market share much faster. Namely, companies like Stytch and Transmit Security are able to gain ground rapidly in the authentication space, and companies like Teleport and StrongDM are able to gain rapid ground in the developer/server access space. Okta spends aggressively to keep up, but developers fall in love with the other products, which makes switching costs high. Okta never receives sufficient developer love.
Microsoft realizes Okta’s lack of focus on its core SaaS access management product. As a result, Microsoft improves its current AD product to better tie together endpoint access and SaaS management, the two areas still owned by IT. They slowly chip away at Okta’s market. Okta’s product is not particularly defensible since it uses open standards like SAML, so Microsoft is able to replicate much of it easily. Since this is only a small piece of Microsoft’s business, they don’t need to aggressively grow in this market.
As a result, Okta’s bet on the developer falters, but their core product still has strong IT backing. Unfortunately, that’s not enough to justify being a public company. Microsoft acquires them, seeing this as an opportunity to expand its capabilities in this space. Microsoft bolsters its AD product and repurposes the developer-related products into Azure and GitHub. They might also choose to keep parts of Okta separate to maintain the brand name.
Conclusion
Okta is an amazing company with a solid product that fulfills a critical need. I don’t see them going away anytime soon. In fact, unlike other security companies, they have gotten ahead of the developer trend and have been investing heavily in that space with their acquisitions. I like how they are not settling for the status quo and being aggressive, but the question is whether they are being too aggressive and whether they will execute properly. Only time will tell.