Todd McKinnon: Yeah, it’s a super — smart question — supersmart question. I think I would add color this way. This has been something we’ve been very focused on for several years, particularly since Lapsus$ breach a couple of years ago. We’ve been very focused on it. And actually made quite a bit of progress to make us feel comfortable about our progress towards being one of the most secure companies in the world. I think the reason for the 90-day sprint and focus are there is a calculation of — I and the management team think that there are enough things that will decrease the risk at a significant level, not that the risk is incredibly high, but there’s enough things that will decrease the risk at a significant level that we think it’s worth a sprint here.
But probably more importantly, John, it’s kind of cultural. Execution requires clear priority, and nothing makes the priority clear for everyone than a full focus in a 90-day sprint. So beyond the decrease in risk and get closer to this areas you describe it where we feel real comfortable as we progress towards being one of the most secure companies in the world, there is just a cultural tone setting thing, which I think is very important for customers and for investors and for employees as well.
John DiFucci: So it’s the 90 days and then just keep going…
Todd McKinnon: It’s not like we’ve never been focused on security, because we’ve absolutely had a huge focus on it. Like I said, very, very specific and mature in the areas of the product and the infrastructure. I think we’re not as mature and we haven’t had the comprehensive approach on the overall IT operations and overall company operations. But it’s something we’ve been doing for a long time and we’re going to have the sprint and then we’ll keep doing for a long time after because we have to be — like I’ve said it many times, we have to be one of the most secure companies in the world given the position we’re playing in the critical role we fill for our customers. And that’s what they expect from us and that’s what we expect from ourselves as well.
John DiFucci: Thank you very much. And listen, I just have to add one last thing, something I never say. Actually, I think you guys did a good job. I mean this quarter numbers look good and then even some — given everything that’s going on, I guess, nice job.
Todd McKinnon: Yeah, I appreciate it. A lot of hard work from the team.
Dave Gennarelli: Great. And now we’re going into overtime here. We’re going to take Fred and then Shrenik and we’re going to have to cut it off at that point. But Fred Havemeyer from Macquarie, go ahead.
Fred Havemeyer: Thank you. I think many good questions have been asked. So I think, Todd, what I’d like to ask is, as we from the outside are looking at what you were doing at Okta, what sort of concrete checkpoints might we expect to see to understand what progress you’re making here towards improving your overall security posture, understanding also that no news is kind of good news with respect to data breaches? And secondly, on that one, with the upcoming SEC disclosure timeframe requirements, do you feel that you have the reporting frameworks in place to comfortably meet all of those requirements?
Todd McKinnon: Yeah. On the second question, I feel really good about that. The disclosure frameworks and so forth, something we — I think in some ways, we’re — the role we play in the industry and the tone and the transparency we’re trying to set with customers, we have a lot of things in place that put us in good standing there in terms of our ability to execute on those disclosures. The first question you asked is I think there’s — we have a really good answer on the product visible things. We’re going to be reporting those out like as we would do product releases or feature capabilities. These — like the two examples I mentioned are the network binding for session tokens and the required MFA, that’s going to be published.
And so, you’ll see the roadmap for those things, and you’ll see that thing published publicly into customers. I think the internal stuff, the things that the team comes up with in terms of improving our operational security and comprehensive look at the security and taking in outside experts, we have to think more about how to communicate that broadly to customers. But I think it’s just as important because not only is it just give customers confidence in how seriously how aggressively we’re taking this, but also it can help them learn because every customer I talk to, they’re thinking like, what can we learn from Okta because Okta is on this journey to be one of the most secure companies in the world. I can learn from that. So I think there’s value in sharing that not just from the trust perspective, but also from the learning and helping customers through that education.
Fred Havemeyer: Thank you.
Dave Gennarelli: Okay. Last question to Shrenik Kothari at Baird.
Shrenik Kothari: Hey, yeah, thanks for taking my question, and appreciate the transparency, Todd and Brett. Just to follow up on your point, Todd, on products security focus and customer security focus. In light of the recent hack incident, the role of PAM seem to be elevating and becoming even more kind of broad based. It’s great to see that you guys are focused on PAM. As you said, the only product with GAs on track versus other product features, maybe relatively [deprioritized] (ph). Can you elaborate how are you positioning PAM in your customer conversations? More importantly, how are customers responding? And how is the customer feedback evolving given post this hack incident on one hand, of course, everybody knows PAM is going to be a key piece of puzzle in this threat landscape while the incident perhaps leading to customer perception of perhaps not adequate implementation of core PAM solutions within your internal environments on the other hand.
So, if you can provide your thoughts there?
Todd McKinnon: Yes. No, it’s a good — I think every specific incident is different in PAM and the definition of PAM addresses some of them better than others. So I won’t comment specifically on this recent incident and what our PAM product does or doesn’t do. But broadly speaking, what you’re saying is right. All of these attacks, whether it’s — highlighting the need for very strong phishing resistant access management, identity governance and then privileged access management and control. And I think the reception that we’ve seen with customers is basically, it’s very simple. Our positioning is very simple. It’s like you’re using Okta to manage the user life cycle and the access for many business applications, you should use the same engine and the same access control for your privilege servers and containers.
And as I mentioned earlier, in the future release coming relatively quickly for your SaaS applications and for the Okta admin console itself. So that’s the pitch. And what customers like is that they get this comprehensive integrated workflow across all of the access points they’re trying to secure, whether that’s servers, apps, business applications, different kinds of applications, and that’s what resonates. And then they can report that back to their auditor and they get complete visibility from a governance risk and compliance assessment and that’s the value prop for them. So, it is — the market we serve and the opportunity for our products is only getting bigger and bigger and the threat landscape is part of that. There’s many other drivers of the market size we’re going after.
