And there’s people that do this for the most secure companies in the world, and we want to take those experts and combine them with our experts internally to make sure we have the best security blueprint from an architectural perspective. So, we have bottoms-up, we have tops-down. And then the third pillar is really cultural. And that starts with me and the leadership team in setting this clear priority and setting the expectation that we are going to be the most — our goal is to be one of the most secure companies in the world, and we’re going to prioritize that, number one. When you think about executing well, it can be pretty straightforward. It’s like you have to make sure you have a clear vision. We want to be one of the most secure companies in the world.
We want — you’ve got to set clear priority and get the right amount of resources on it. And that kind of sets up this cultural component to be successful. And then the last one is, I think I mentioned before, is in the product. We have to make sure that the products themselves are beyond just being valuable and powerful for our customers. They have to be built in a way that ensures the security of our customers as well. And the best example for this is after the notification of this incident in October, we quickly implemented this feature, which actually cryptographically binds an administrator console session to a specific network. So, this is the kind of thing that is very valuable for customers and keep them secure. And as we think about it more and go through the entire product architecture and overview, there’s many more of these things that can put us closer to being from a product perspective and products that protect our customers and their use of it and their deployments of it, the most secure company in the world, and that’s the fourth pillar.
So, it’s quite comprehensive. I think the 90-day focus gives everyone space and clarity to have no confusion about this being the priority. And I think after 90 days, what you’ll see is, obviously, these kind of efforts have — they’ve been going on in some shape or form for many years, and they will continue after this 90 days. But right now, we just need this real clear alignment on getting ourselves closer to that goal of being the most secure company in the world.
Fatima Boolani: I appreciate that. Thank you, Todd.
Brett Tighe: And then, for the second part of your question, Fatima, it’s really, there’s two things. One, we’re already investing a good amount in FY ’24. So, to step up in the margins, not like we’re starting at zero. So, we’re investing a good amount right now. We’re going to invest more in Q4. But this is one of the benefits of the structural efficiencies that we found and driven over the last 12 to 18 months. It allows us to expand the non-GAAP operating margin from 13% to 17%, while also investing more into these critical areas like security. And so, we’ve invested a lot already, but we’re going to invest even more in FY ’25, but while also being able to balance it with the margin that you mentioned. So, it’s one of those benefits of us to we’ve been working so hard on for last 12 to 18 months.
Fatima Boolani: Thank you, Brett.
Brett Tighe: No problem.
Dave Gennarelli: Okay. We’re going to try to get to a couple more. Let’s go to Josh Tilton at Wolfe Research.
Josh Tilton: Hey guys, can you hear me?
Todd McKinnon: Loud and clear, Josh.
Josh Tilton: All right, great. I wanted to clarify a previous question. Does the guidance for Q4 embed some conservatism around the recent incident because you are anticipating to see something or because you are already seeing an impact? And then just a follow-up is, Todd, you mentioned that you spoke to customers and they kind of understand why as an identity provider, you guys are being targeted by hackers so much. Is that raising any questions from the customer base as to whether or not it makes sense to go all in with all of your identity needs from one provider? Or given that you guys are the center of the security ecosystem and the number one target for hackers, does it maybe make sense to diversify some of your identity risk across a different PAM vendor and a different governance provider?
Brett Tighe: Hey, Josh, I’ll take the first part. So anticipating is the answer — short answer since we’re running out of time because we did see, like I said earlier, an elevated amount of pushes or deal pushes from Q3 into Q4. And so we’re just anticipating that as we go through the quarter because as a reminder to everybody, we do not have a linear bookings quarter. It is very back-end weighted. And so, we’re just taking into account what we saw at the end of Q3 and looking and making sure we had put that into our expectations for Q4.
Todd McKinnon: Yeah. And on the question on the — getting everything from one vendor versus spreading out your risk with different vendors, I think it comes down to at the actual physical layer of how the products are implemented, how you mitigate that risk of getting everything from one vendor. And then the second thing is the product, there has to be a lot of value in getting it from one vendor like in terms of decreasing risk, the operational simplicity, the power of how you can secure things because things are better integrated. So that’s the equation. In fact, I was having this exact conversation with a customer just a few days ago about the risks and reward of consolidated around one vendor versus the spread things around spread the risk perspective. And I think that’s — those are the variables in the equation that people think about.
Dave Gennarelli: Let’s go to John DiFucci at Guggenheim.
John DiFucci: Thanks, Dave. So Todd, my question is a follow-up to Fatima’s question. I got to remember to try to get ahead of her because she — it’s hard to follow her, but I thought that was a really good question. And thank you for all the detail you gave around that, the program Bedrock. But in the end, still like, how long is it going to take to get to, as you say, raise your game to get to a point of, I don’t know, you’re never going to be comfortable, but relative comfort when you can actually sit down with the customer and tell them that you’re there. You’re never quite there, but you’re there don’t — listen, we worry about it every day. We don’t want this to happen ever again. That’s not to say it never will. But how long do you get to a point where you have that relative comfort through that?
