So, I know it seems a little strange right now. But in some ways, what we did yesterday and today are executing on this plan and this commitment we’ve made to them. And then, I think there’s many more things we can do in terms of just making sure customers understand what happened and what we’re doing about it, and you’ll see us do more about these in — toward these communication efforts going forward. But at the end of the day, I was talking to — I have — I was talking — one of my conversations was with a CISO of a large manufacturing company that’s been heavily adopted on Okta, and this is common to how these things go. He said, “Todd, this — you are — the position you are in the ecosystem, in the industry, you are one of the most attacked and focused on from an adversarial perspective companies in the world.
And we know that if you take this as seriously as you’re saying you do and you have these plans and these priorities in place to improve your — make sure you’re one of the most secure companies in the world, that’s going to be more than enough for what we need because you’re going to be attacked way more than we ever will.” And so, I think they see it as — once we communicate the details, once they can understand our plans and our priority and our focus, they come away with more comfort. But again, at the end of the day, what they really want is no issues like this, and that’s ultimately our goal to try to prevent these whenever possible.
Rob Owens: Thanks for the color, Todd.
Dave Gennarelli: Let’s go to Adam Tindle at Raymond James.
Adam Tindle: Thanks, Dave. Hey Todd, I wanted to ask a little bit more about the renewal process in light of the security incident. Brett mentioned that contract duration continues to shorten. So, the thought would be the renewal process is likely happening more frequently moving forward. I wonder what kind of processes you have in place to retain customers. And any ideas that Jon brings to the CRO role to this process? And Brett, if you could just touch on the assumptions on gross retention and NRR embedded? I know you’re factoring in the security incident, but I would imagine that’s where it’s going to hit the most, so that would be really helpful to understand what the assumptions embedded are? Thanks.
Todd McKinnon: The renewals process and execution of that is something where it’s a very mature part of the company and we’re very good at it. I think it leads to — as we’ve talked about several times, the gross retention in the mid-90%s is a healthy level. And it’s — so it’s a strong muscle we have. Contract durations, as Brett mentioned, have been shortening. I think it’s — they’re still on average, two-and-a-half years. And the reason they’re shortening is this started happening during some of the more economic slowdowns last year. It’s just — I think across the board, people are not signing up for as much as they in terms of length of subscription as they wanted to. So, I think that the renewals conversation will continue to be addressed effectively by our existing motion that we don’t need some kind of new motion or start a new conversation.
I think it comes down to making sure that the adoption of the product is high, which we’re very good at getting our products adopted and making sure that the value is being delivered and that the price they’re being charged for is fair. So, there’ll definitely be some as we just communicate to customers about our prioritization of security and our focus on it and our execution across that plan, that’ll be funneled down to the renewals team as well. But I don’t see any big changes to the overall renewal motion because of this.
Brett Tighe: Yeah, I can also add on to that, Adam. Thank you for the question. So, first on the contract duration, just to be clear, there’s been a general shortening of contracts to what Todd was talking about. But part of the reason is actually the success we’ve had in public sector, which typically is only a one-year contract. So that business is doing well is going to put a headwind on our contract duration. So, I guess that’s a good issue to have in terms of contract duration. So, in terms of what we baked into the guidance for specifically NRR, net retention rate or gross retention rate in FY ’25, we haven’t gotten to that level of detail because — given we’re so early in the planning process. But what I would say is we do believe both the macro puts a headwind on growth and also the security incident.
And so, where each of them comes through, I mean, macro, we’ve talked about new business seed expansions being impacted there. From the security incident perspective, we think growth is impacted. I can’t give you exactly is it more upsell or is it more gross retention in terms of FY ’25. But what I can tell you is, terms of FY ’24, like we’ve talked about in the past, we did expect that number to tick down. Net retention is going to tick down throughout the balance of this fiscal year. And we had a nice quarter in Q3, 115%, flat with Q2. So, we do still expect it to drop in Q4 based on those macro headwinds we’ve talked about with seed expansions. But that hopefully helps you with a little bit more detail on how we’re thinking about FY ’25 as well as our net retention rate in the very near term next quarter.
Dave Gennarelli: Next, we’ll go to Rudy Kessinger at D.A. Davidson.
Rudy Kessinger: Great. Thanks for taking my question, and appreciate the candor as it relates to the breach. Todd, at Oktane, it seemed pretty clear that you were hinting that you guys were close to hiring a new President of Worldwide Field Operations or Head of Sales, and today, I know you’re closing that search, you’re moving Jon into the permanent role. So, I guess I just a couple of clarifications. Did the breach impact your ability to land a new Head of Sales at all? And secondly, just understanding the current structure, is Jon going to be taking on both the Head of Sales and Chief Revenue Officer roles or will you be remaining, I guess, the Head of Sales for the time being?
Todd McKinnon: Yeah, thanks for asking for clarification. On the previous question, I forgot to answer the part about Jon. The decision for the go-to-market structure was finalized before October 20. So, it was finalized in early October. So, it had no — nothing to do with the security incident. The — I think there were — since the search started in January of this year, late January, the timeline on it was we were going to make a decision to finalize things by October, and we hit our timeline. So, we didn’t want to have an interim structure going into planning for FY ’25. So, the goal is to finish it by the end of October. I can’t remember exactly the order of operations in terms of when the final decision was made versus when I made those comments.