Okta & Auth0 – The Future of Security, with Joan D. Pepin
On March 3, 2021, publicly-traded identity management company Okta acquired Auth0, in an all-stock deal valued at $6.5 billion. The acquisition expands Okta’s market share in identity and access management (IAM).
The acquisition sparked conversation among those in both the tech and financial worlds, as the deal came in at around an 80-100X revenue multiple of Auth0’s estimated annual revenue, an unprecedented amount in the IAM space. In July of 2020, Auth0 announced that it had raised a total of $330 million in capital to date and was valued at $1.92 billion, so this was a 3X acquisition against the 2020 valuation.
For an inside perspective on this ground-breaking acquisition, Spark Plug podcast co-hosts Ned Hayes and Karen Jensen spoke with Joan D. Pepin, former Chief Security Officer at Auth0. During her tenure, Pepin was responsible for the holistic security and compliance of Auth0’s entire platform. She was also responsible for re-launching and significantly growing the revenue and margins of Auth0’s product lines. Prior to Auth0, she was also a leader at unicorn SaaS company Sumo Logic. Pepin has recently raised a round for her new company ZeroWall, a stealth start-up taking a new approach to security.
In the latest episode of Spark Plug, Pepin discussed the critical differences between Okta and Auth0. “People would ask us at Auth0, ‘Are you worried about Okta?’ And we would say, ‘They don’t really feel like a competitor. It’s not like we’re losing a deal to Okta because if you’re looking for consumer identity, then you’d probably come to us, and if you’re looking for workforce identity, you’d probably go to them.”
Okta’s primary offering to date has been its workforce identity product. Companies use Okta’s service to provide single-sign-on access for employees to a variety of cloud services. Meanwhile, Auth0 is a developer tool for consumer identity management, providing lines of code for easy single-sign-on functionality so that coders don’t have to build it themselves. Until recently, Okta’s consumer identity product had been a small portion of their business, but the segment has grown in recent years to account for 25% of total revenue.
Pepin explained that both companies were able to grow quite fast and quite successfully while providing similar solutions for different buyers. “The software under the hood does very similar things. But because they focused on very different use cases, they didn’t really compete for a long time.” Things started to change about a year ago, said Pepin, when the two companies started to expand into more offerings to stay competitive. “Each company started to build an inferior version of the other one’s product.”
The two companies together deliver a comprehensive set of identity solutions to developers and enterprise customers. Although this is an acquisition, it is also a critical merger of two different approaches to the problem of identity management at scale.
Pepin sums up the merger by pointing at the possibility of a unified customer experience: “This is a very positive experience for, first and foremost, the customers.” In her view, customers can now go to one business entity, sign one contract and have a best of breed product on every vector of identity management.
In her interview, Pepin went on to discuss the recent Solarwinds-enabled cyber attack which exposed data at 18,000 organizations including the U.S. Departments of Treasury, Justice, Commerce, Defense as well as Microsoft.
“At the end of the day, when we talk about a security breach, there are two real things that we’re worried about,” said Pepin. “We’re worried about the integrity of the data, or of the system, and we’re worried about the confidentiality of the data.” In a security breach, hackers can cause harm in one of two ways: by theft of data or by disruption of data. The key, said Pepin, is to understand how much harm could be caused to your company by a security breach, how important it is to secure your company’s data and to understand what security steps need to be taken and to build this into your process.
“Security should not be an after-thought or an add-on,” explained Pepin. “Security is a feature that your customers should count on just as they count on other features of your products or services.”
If security needs to be a core feature of all software products moving forward, then there’s a need for a great number of critical hires in the cybersecurity industry. Unfortunately, as the team on Spark Plug discussed, there’s a significant gap in the need for trained personnel and the people available to do the job. One study demonstrated that global cybersecurity hiring needs to increase by 89% worldwide and 41% in the United States.
Pepin has a solution for this problem as well. “All of these integration points and all of this software needs to be secure, and there are not currently enough people to do it,” she said. “I think a big way that we can close this talent gap in information security is by opening up the tent… by bringing in people from different backgrounds and from different schools and different races and sexual orientations… people are willing to be trained… we can make this a much bigger, more accepting and more diverse community.”
Creating a more diverse security industry is a big part of Pepin’s vision for her career and legacy. “My mission is to really show that a diverse team, a diverse company, and diverse individuals can compete in this industry and be very successful and be a tremendous value add to their employers, to their customers, to the community and to the ecosystem.”
Read more about Joan D. Pepin and her history.
Read more about the Spark Plug podcast.
Listen to the fascinating interview with Joan D. Pepin at at SparkPlug.audio.
Subscribe to the Spark Plug podcast to hear more conversations with smart people working at the intersection of business and technology. Spark Plug is available on every podcast platform from Apple iTunes to Amazon podcasts to Spotify, Stitcher, TuneIn, and Pandora.