Okta, Inc. (NASDAQ:OKTA) Q3 2024 Earnings Call Transcript

Page 8 of 11

I think also just our overall the last, call it, five or six quarters when the macro environment changed, you’re just seeing more success for Okta in the bigger companies. So I think it’s — I think OIG has a big future in mid enterprise and SMB. But I think that segment is just the slower segment right now. So, we’re not seeing the attaches with OIG there that we could over time. So, I think it looks better because more people are — have the problem and finding value from it in a large enterprise, and also large enterprise is just doing so well with 40% growth in that cohort, both in ACV of those deals and customer count of those deals in Q3. So, I think attaching OIG, there’s more opportunities to attach there relative to the entire business.

So, I think that’s influencing the perception as well.

Brett Tighe: Yeah. And I would add, although we’re very excited about the progress so far, Matt, I mean, yes, we are being modest with our expectations in the guidance we’ve given you here today. One thing that I know you guys have asked in the past is how much — and we’ve told you, we keep telling we’re going to update every time we get a new number. But that third of workforce spend being IGA continues to hold steady through the end of Q3. So that’s the number we’ve given you in the past, and it continues to be that. So, the upsell associated with it is significant, and we’re very pleased with how things are going, just like Todd said.

Dave Gennarelli: Great. Next up, Jonathan Ho at William Blair.

Jonathan Ho: Hi, good afternoon. With regards to the breach, can you give us a little bit more detail on maybe what’s still left in the third-party validation and investigation? And how confident are you that this is going to be the last finding that comes out of this investigation? Thank you.

Todd McKinnon: Yeah, it’s a great question, Jonathan. In my many, many conversations with customers, this comes up like speed of disclosure and they want to know all the information as fast as possible, and why does disclosure take time and what else is left to disclose, et cetera. So it is on everyone’s mind, obviously. I think the general philosophy we’re taking is that we’re trying to disclose as much as we know as quickly as possible. I think a couple of weeks after the incident, when we had our first disclosure, we disclosed everything we knew at the time. And we just kept looking like you’re talking about the log files from our support system were quite voluminous, and the team went over them click-by-click, row-by-row, line-by-line, kind of took first pass and looked at all the things they thought were incredibly sensitive and took a quick run of some of these reports and found it wasn’t much interesting data and then published the first RCA and remediation steps and then, like a good security company would, kept looking and kept digging and made sure we had everything covered and found more.

And we were more thorough about these reports and ran completely and saw the data was there and made the decision to do a further disclosure based on risk of phishing like we’ve outlined. And so, I think the way I characterize it is now our internal team has gone over it many, many times, and our internal investigation is done. Like we don’t think there’s anything else productively we can look at. We’ve worked with the vendor and got supplemental logs. We’ve combed through it. We’ve done everything three, four, five times to check it. But we still want to make sure we cover all the bases, so we brought on this firm that has started a couple of weeks ago, and they’re looking at it. I think we’re doing it, obviously, to be very thorough and clear.

I think it’s a relatively low priority that they’ll find anything additionally, but we’ll have to wait and see in mid-December when they were done with their analysis.

Dave Gennarelli: Okay. I’d like to welcome back Fatima Boolani from Citi.

Fatima Boolani: Thank you. I appreciate the question. Todd, you were very categorical about securing Okta. So, your customers are secure as being the number one priority. So the question for you is, is that people, process or technology or maybe all of the above conversation? And then maybe to Brett, it’s not immediately apparent in your margin guidance that you’re going to be taking in making these investments. So can you just sort of help us understand and kind of what envelope a lot of this up-leveling and reinforcing of your internal security architecture, what shape or form is that going to take?

Todd McKinnon: Yeah. It’s a super insightful question, Fatima. And as you guessed, it’s all of the above. And I think we — the program internally is called program Bedrock, building the Bedrock foundation. And it has four pillars, I’ll call them pillars. The first one is, there’s just bottoms-up, get all the ideas on the table of everything we know that the team thinks would be great ideas to make us the most secure company in the world. And like a good example of something from this pillar is like this thing that we’re advising customers to do with the latest notification around having MFA for all administrator accounts, that really should be required. There shouldn’t be an option to not. Again, over the years, we, in some cases, made the choice for convenience and speed of implementation or frictionless adoption instead of security.

But as we march toward being the most — or one of the most secure companies in the world, that’s going to change. So we have to make that required and you got to work through that because there’s a reason sometimes customers don’t have MFA required, maybe it’s a service account, maybe there’s a specific workflow. But everyone, as we do this bottoms-up effort, it’s like a lot of good ideas on how we can make that better. And that whole bucket of bottoms up, we have a lot of awesome smart people on the team that have the time and space now to let those ideas come out and they’re going to — we’re going to have time and space to implement them as well. So that’s the bottoms-up track. The second track is really, call it, tops-down, which is making sure from an internal security architecture perspective, specifically in overall business operations and IT operations as inclusive of obviously product and infrastructure, but getting the top experts in the world and to give us their opinion on how we should be architecting our — this part of our security posture and architecture.
