The recent security breach of a third-party supplier to Okta Inc. has been widely reported. The criticisms of Okta’s response have been harsh and the impact on Okta’s value has been obvious: Investors shaved about $6 billion off the company’s market cap during the week the hack was made public.
We believe that Okta’s claim that the customer technical impact was “near zero” may be semantically correct. However, based on customer data, we feel Okta has a blind spot. There are customer ripple effects that require clear action, which are missed in the company’s public statements.
Okta’s product portfolio remains solid. It is a clear leader in the identity space. But in our view, one part of the long journey back to credibility requires Okta to understand and recognize fully the true scope of this breach on its customers.
In week’s Breaking Analysis, we welcome our Enterprise Technology Research colleague Erik Bradley to share new data from the community. In addition, we’ll analyze some of the statements made by Okta Chief Executive Todd McKinnon in an interview with Emily Chang on Bloomberg to see how they align with what customers tell us.
Summary timeline of the Okta breach
On Jan. 20 of this year, Okta got an alert that something was amiss at one of its partners, Sitel Group (Sykes via M&A), which provides low-level contact center support for Okta. The next day, Sitel retained a forensics firm (reported to be Mandiant) to investigate. That investigation was completed on Feb. 28.
A report dated March 10 was created and Okta received a summary of that from Sitel on March 17 — five days later. Lapsus$ posted the infamous screenshots on Telegram and later that day, Okta got the full report from Sitel and responded publicly. Then the media frenzy and the back-and-forth ensued.
Okta’s version of the timeline was posted on March 23. What appeared to be a benign incident in January has turned into a public relations disaster for Okta (and Sitel).
We asked Bradley to comment and he said that “opinions only exist due to a lack of data,” so let’s start with the customer data.
Spending indicators before and after the breach became public
Followers of Breaking Analysis know well that each quarter, ETR applies its proprietary Net Score methodology to determine customer spending momentum, essentially measuring the net number of customers spending more on a particular product or platform. The hack in question occurred about two weeks into the latest ETR survey, as shown on the chart above, and ETR isolated the results to assess spending sentiment before and after the hack. Here’s how Bradley explains the data:
As you know, our motto here is opinions only exist due to a lack of data, so I’m going to start with the data. What we were able to do is because we had a survey that was in the field when the news broke is that we were able to observe the data in real time. So we sequestered the data up until that moment when the breach was announced – so we have data before March 23 and then after March 23. Most of the responses came in prior, so it wasn’t as much of an N as we would’ve liked. But… it really was telling to see the difference of how the survey responses changed from before the breach was announced to after.
So again, let’s caveat. Okta is still a premier company based on our work. They are top five in overall security, not just in their niche, and they still remained extremely strong at the end of the survey. However, when you look at a more micro level, what you notice is a true difference between before March 23 and after. Overall, Okta’s cumulative Net Score or proprietary spending intention score that we use, was 56% prior to the breach. That dropped to 44% during the time period after and that is a significant decline. Even a little bit more telling, and again, small sample size, I want to be very fair about that: Before March 23, only three of our community members indicated any indication of replacing Okta. That number went to eight afterwards. So again, small numbers, but a big difference when you’re talking about a percentage change.
Despite the small N, a drop in Net Score of 56% to 44% pre- and post-publicly announcing the breach is notable. Okta has held an elevated Net Score for years and that type of rapid dip, while coming from a small sample size, is meaningful in our view. Moreover, historically in the ETR surveys, the percentage of customers who indicated they were replacing Okta was consistently in the low single digits.
CISO roundtable reveals additional insights
ETR Insights is a panel discussion that Bradley hosts regularly. He conducted a deep dive on the Okta breach with chief information security officers after the hack was made public to better understand how customers view the situation. The comments below summarize their thoughts.
Participating were some of the top CISOs in the community. The first one is really concerning: “We heard about this in the media.” The next one summarizes the overall sentiment: “Not a huge hit but loss of trust.” And this next one underscores the lock-in factor: “We can’t just shut Okta off like SolarWinds.”
Then there was a reveal that there are customer impacts beyond what Okta has stated: “We may need to hire additional individuals.” Several CISOs indicated procurement would be more involved: “This breach will have a material impact on contract negotiations.” And finally, the majority sentiment that Okta remains a strong solution and customers are comfortable their Okta environment is secure, but Okta needs to regain their trust.
These are really painful comments to hear. At the end of the day, Okta has to own this and Todd McKinnon did acknowledge that in his Bloomberg interview. But as we stressed earlier, there are domino business impacts of a breach like this that we think Okta may not be seeing and such blind spots will hurt the company’s ability to win back trust.
We asked Erik Bradley to elaborate on what he learned from his panel and other work.
There’s a lot we’re going to need to get into here, and I think you were spot-on earlier, when McKinnon said there was no impact. And that’s not actually true, there’s a lot of peripheral, derivative impact that was brought up in our panel. Before we even did the panel, though, I do want to say we went out quickly to about 20 customers and asked them if they were willing to give an opinion. And it was sort of split down the middle where about half of them were saying, “You know, this is OK. We’re going to stand by ’em, Okta’s the best in the industry.” A few were cautious, “Opinion’s unchanged, but we’re going to take a look deeper.” And then another 40% were just flat-out negative. And again, small sample size, but you don’t want to see that. It’s indicative of reputational damage right away. That’s what led us to say, “You know what, let’s go do this panel.” And as you know, from reading it and looking at the panel, well, a lot of topics were brought up about the derivative impact of the breach. And whether that’s having to hire people to go look into your backend to deal with and manage Okta, whether it’s cyber insurance ramifications down the road, there’s a lot of aspects that need to be discussed about this.
Okta’s response to our request for comment
Now before we go on, we want to share that we reached out to Okta to let them know we had new data and shared what we learned– specifically that our research indicated they had potential blind spots regarding the business impact to customers and we felt they were understating the customer impact.
Okta was responsive, humble and not defensive. A spokesperson stressed the commitment that the entire organization has to winning back customers’ trust. Here’s the statement they provided to theCUBE.
Our view of this statement is that it stresses the commitment Okta has in winning back its customers’ trust. We would expect nothing less from such a leader. We’ll point out, however, that we have spent decades researching markets, working with customers and observing how technology actually creates value. The vendor community consistently underappreciates the degree to which process and people are impacted by certain events such as deployment challenges, technology failures, data loss, disasters, security breaches and other notable incidents.
We believe Okta’s position that the technical impact is near zero and the scope of the breach is limited to a maximum of 366 customers understates the true impact of these events.
The Okta breach in customer context
The visual below is our attempt to explain how Okta is describing the impact and how we see it from a customer point of view.
The diagram is a simple way in which organizations think about the impact of a breach: What’s the probability of a breach on the vertical axis and what’s the impact on the horizontal? Now Okta has said, the “technical impact” in terms of things customers need to do or change is near zero. That’s represented by the red dot in the bottom left.
The fact is Okta has 15,000-plus customers and at most 366 had data that was potentially exposed by this breach – less than 3% of its base. And it’s probably less than that. And the technical impact, which Todd McKinnon described in his interview with Emily Chang was near zero in terms of actions the customers had to take such as reporting, technical changes and remediation. Basically negligible.
However, based on customer feedback outside the 366 – that’s what we’re calling a blind spot for Okta – there are several actions customers must actively take as a result of this incident. Despite minimal or no exposure to their data, CISOs must apply resources to analyze and audit the situation, report to their boards, review their policies, assess technical changes that may be required, evaluate insurance costs and changes, communicate to their customers, defend their decision to stay with Okta, evaluate the business case for migrating off Okta and so on. And it’s almost a certainty that many if not most customers will make changes.
We prefer a discussion where business impact is the key metric, which includes technical changes. As is often the case technology impacts often pale in comparison to the business issues. So if we replace the horizontal axis with “Business Impact” that red dot moves to a hypothetical position that we’ve superimposed on the diagram – “Real Business Impact.” Reasonable people can debate the position on the horizontal axis, but all 15,000-plus Okta customers are impacted by this event in our view.
Erik Bradley further elaborates on the business impact, including fears from one CISO that the Okta breach was a first step to a broader intrusion:
The panel really brought the business impact to light even more than I expected, to be quite honest. First of all, you’re right, most of them believe that this was a minimal impact. The true damage here was reputational and the derivatives that come from it. We had one panelist say that they now have to go hire people because, and I hate to say this, but Okta isn’t known for their best professional support. So they have to go get people now in to kind of do that themselves and manage that. That’s obviously not the easiest thing to do in this environment. We had other ones express concern about, “Hey, I’m an Okta customer. When I have to do my cyber insurance renewal, is my policy going to go up? Is my premium going to go up?” And it’s not something that they even want to have to handle, but they do. There were a lot of concerns. One particular person didn’t think the impact was minimal, and I just think it’s worth bringing up.
There was no demand for ransom here. So there were only two-and-a-half percent of Okta customers that were hit, but we don’t know what the second play is, right? This could just be stage one. And I think that there was one particular person on the panel who truly believes that could be the case, that this was just the first step. And in his opinion, there wasn’t anything specific about those 366 customers that made him feel like the bad actor was targeting them. So he does believe that this might be a step one of a two-step situation. Now that’s a bit of an alarmist opinion and the rest of the panel didn’t really echo it, but it is something that’s kind of worth bringing up out there.
Unpacking Todd McKinnon’s public statements
We want to evaluate some of Todd McKinnon’s statements from the Bloomberg interview and make some additional points. We’ve always been impressed with Okta and McKinnon’s management decisions, execution, leadership – super-impressive individual. Big fan. And we have to say, in the Emily Chang interview it looked like he hadn’t slept in three weeks – so we feel for him. But we think there are some statements that need to be further evaluated. We’ve highlighted some of them above.
McKinnon took responsibility and talked about how it will be transparent about steps to avoid this in the future. We talked about the near-zero technical impact comments and how that understates the business impact. The two things that struck us as communications misfires were the last two — especially the penultimate statement here: “The competitor product was at fault for this breach.”
By the way, we believe this to be completely true from a technical perspective. Sitel, which acquired Sykes for $2 billion-plus in 2021, was using a legacy identity access platform. We’re all trying to figure out who it was – we can tell you it definitely was not CyberArk and not likely any modern solution. Our issue is you can’t say, “We are responsible” and then later say it was the fault of a competitor. Even if it’s true. Don’t say it later in a conversation after saying, “We own it.”
This was a PR miss in our view and we’ll give McKinnon a mulligan for lack of sleep. But the wording should have been something to the effect of “Our initial investigation shows that Sitel was not using Okta for authentication, it was using a legacy platform from a previous acquisition. We’ve taken full responsibility for not ensuring that our partners’ infrastructure was not up to our standards.” That would demonstrate owning the problem and truly taking accountability.
Now on the last point regarding firing Sitel…. Our first reaction was Okta is throwing its partner Sitel under the bus. Okta is asking for forgiveness from its customers but it just shot Sitel. We get it – this shows customers they’re taking action. But we would have preferred something like: “We’ve suspended our use of Sitel’s services for the time being pending a more detailed review. We’ve shut that relationship down for now to block any possible exposures. Our focus at the moment is on customers and reviewing our partner network to ensure their security is up to our standards.”
The reason we prefer this posture is that Sitel can’t be all bad. Okta chose it for a reason. Are all of Okta’s other partners using Otka for identity? This is a tough one, but we think the communications could have conveyed that Okta has stopped the bleeding and we’re all in this together.
Nonetheless, although we fully believe the buck stops with Okta, Sitel must take responsibility for its lack of urgency and transparency. It communicated to Okta what appeared to be a benign attack and perhaps even a false positive. Sitel was slow to release full details to Okta and as a multibillion-dollar company should be held accountable for its security infrastructure and response mechanisms.
Okta investors are paying the price
Okta’s stock took a big hit. Initially it didn’t look that bad, but as the week progressed and more information was released the stock got hammered and continues to underperform relative to peers. Pile on inflation, quantitative tightening and rate hikes, and you have a perfect storm. But the real damage is to the trust and reputation that Okta had earned and now has to work hard to earn back.
It’s unfortunate. Okta was founded in 2009 and in over a decade there have been no major incidents. And we’ve seen the damage hackers can do by going after the digital supply chain and third- and fourth-party providers. Rules on disclosure are still not tight – maybe the new law the House just sent to President Biden will help. The point is Okta is not alone here. It feels like Okta got what looked like a benign alert, Sitel wasn’t fully forthcoming and Okta is fumbling a bit on the communications. This has all created a spiral effect.
We’ll have to wait for the real near-term and mid-term impacts. Long-term, we believe Okta will be win back the trust of its customers and thrive. But in the near- to mid-term it will have to sacrifice some margin and go through more pain to regain the loyalty of customers. And we really would like to hear from customers that Okta understands the full extent of this breach and actually does recognize there are impacts beyond the 366 customers that were possibly compromised.
Here are Erik Bradley’s comments on the longer-term impacts to Okta and the reports that the hacker responsible for the breach was a 16-year-old kid living with his mom:
Well, there was a great quote, one of the guys said, “Okta’s built like a tank, but they just gave the keys to a 16-year-old valet.” So he said, “There is some concern here.” Yes, they are best-of-breed, they are the leader, but there is some concern. And every one of the guys I spoke to, all CISOs, said, “This is going to come up at renewal time. At a minimum, this is leverage. I have to ask them to audit their third parties and their partners. I have to bring this up when it comes time.” And then the other one that’s a little bit of a concern is in the survey data. We saw Ping Identity jump big, from 9% Net Score to 24%. Don’t know if it’s causative or correlated, but it did happen.
Another thing to be concerned about out there, is Microsoft is making absolutely massive strides in security. And all four of the panelists said, “Hey, I’ve got an E5 license, why don’t I get the most out of it? I’m at least going to look.” So for Okta to say, you know, “Hey, there’s no impact here,” it’s just not true, there is an impact, they’re saying what they need to say. But there’s more to this, you know, their market cap definitely got hit. But you know, I think over time if the markets stabilize, we could see that recover. It’s a great management team, but they did just open the door for a big, big player like Microsoft. And you and I also both know that there’s a lot of emerging names out there too, that would like to, you know, take a little bit of that share.
One ironic point regarding Microsoft: It was reported that Lapsus$ recently hit Microsoft as well, along with Nvidia Corp. and Samsung Electronics Co. Ltd. Perhaps customers are used to Microsoft being a target or maybe they’re so tied to a broad set of Microsoft services that they shrug something like this off. Okta is a security pure play and as such we think will be held to a higher standard than others. Rightly so.
The bottom line in our view is Okta got blindsided by a less-than-transparent flow of information from its partner. It trusted the partner to secure its environment and that raises many open questions about Okta’s partner ecosystem. Okta has misfired on some of its communications and still in our view doesn’t recognize the full business impact on its customers. In our opinion, these events will hurt Okta’s pipeline conversions in the near term and it opens the door to competitors. Longer-term, this can all be fixed, and because Okta is so critical, a clear leader and deeply embedded, the negatives will likely subside.
As always, when we get new data that reflects changes, we’ll be here to share it with you.
Keep in touch
Thanks to our colleague Erik Bradley for joining us and sharing his insights. Stephanie Chan researched several topics for these episodes. Thanks to Alex Myerson on production, who handles the podcasts and media workflows. And special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, editor in chief at SiliconANGLE.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at firstname.lastname@example.org.
Here’s the full video analysis:
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.