 From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. The recent security breach of an Okta third party supplier has been widely reported. The criticisms of Okta's response have been harsh and the impact on Okta's value has been obvious. Investors shaved about $6 billion off the company's market cap during the week the hack was made public. We believe Okta's claim that the customer technical impact was near zero may be semantically correct. However, based on customer data, we feel Okta has a blind spot. There are customer ripple effects that require clear action, which are missed in Okta's public statements in our view. Okta's product portfolio remains solid. It's a clear leader in the identity space. But in our view, one part of the long journey back to credibility requires Okta to fully understand and recognize the true scope of this breach on its customers. Hello and welcome to this week's Wikibon Cube Insights powered by ETR. In this Breaking Analysis, we welcome our ETR colleague, Eric Bradley, to share new data from the community, Eric, welcome. Thank you, Dave. I always enjoy being on the show, particularly when we get to talk about a topic that's not being well covered in the mainstream media in my opinion. Yeah, I agree. You've got some new data and we're going to share some of that today. Let's first review the timeline of this hack. On January 20th this year, Okta got an alert that something was amiss at one of its partners, a company called Cytel. It provides low level contact center support for Okta. The next day, Cytel retained a forensic firm to investigate, which was completed, that investigation was completed on February 28th. A report dated March 10th was created and Okta received a summary of that from Cytel on March 17th. Five days later, Lapsis posted the infamous screenshots on Twitter and later that day, sheesh, Okta got the full report from Cytel and then responded publicly. And the media frenzy in the back and forth ensued. So Eric, you know, there's so much wrong with this timeline, it's been picked apart by the media. But I will say this, what appeared to be a benign incident and generally has turned into a PR disaster for Okta and I imagine Cytel as well, who I reached out to, by the way, but they did not provide a comment, whereas Okta did, we'll share that later. I mean, where do we start on this, Eric? It's a great question, where do we start? As you know, our motto here is opinions only exist due to a lack of data. So I'm going to start with the data. What we were able to do was because we had a survey that was in the field when the news broke, is that we were able to observe the data in real time. So we sequestered the data up until that moment when it was announced. So before March 23rd and after March 23rd. And although most of the responses came in prior, so it wasn't as much of an end as we would have liked, it really was telling to see the difference of how the survey responses changed from before the breach was announced to after. So let's start it to wrap. Let's bring that up. Let's look at some of that data and as followers of this program know, let me just set it up, Eric. Every quarter ETR, they have a proprietary net score methodology to determine customer spending momentum. And that's what we're talking about here, essentially measuring the net number of customers spending more on a particular product or platform. So I apologize for interrupting, but you're on this data right here. So take us through this. Yeah, so again, let's caveat. ATTA is still a premier company in our work, top five and overall security, not just in their niche. And they still remained extremely strong at the end of the survey. However, when you kind of look at that at a more of a micro analysis, what you noticed was a true difference between before March 23rd and after. Overall, their cumulative net score or proprietary spending intention score that we used was 56% prior. That dropped to 44% during the time period after. That is a significant drop. Even a little bit more telling and again, small sample size, I wanna be very fair about that. Before March 23rd, only three of our community members indicated any indication of replacing ATTA. That number went to eight afterwards. So again, small number, but a big difference when you're talking about a percentage change. Yeah, so that's sort of green line that was shown there. You know, not too damaging, but definitely a noticeable downturn with the caveat that it's a small N. But here's the thing that I love working with you. We didn't stop there. You went out, we talked to customers. I talked to a number of customers. You had actually organized a panel this week. Eric hosted a deep dive on the topic with CISOs. And we have, if we could bring up that next slide, Alex, these are some of the top CISOs in the community. And I'm gonna just summarize the comment and then turn it over to you, Eric. The first one was really concerning. We heard about this in the media. Oh, ouch. Next one, not a huge hit, but loss of trust. We can't just shut Octa off like solar winds. So there's definitely a lock in effect there. We may need to hire new people out here. There's a business impact to us beyond the technical impact. We're rethinking contract negotiations with Octa and bottom line, still a strong solution. We're not really worried about our Octa environment, but this is a trust and communications issue. Eric, these are painful to read in the end of the day. Octa has to own this, Todd McKinnon did acknowledge this. As I said at the top, there are domino business impacts that Octa may not be seeing. What are your thoughts? There's a lot we're gonna need to get into in a little bit. And I think you were spot on earlier when McKinnon said there was no impact. It's not actually true. There's a lot of peripheral derivative impact that was brought up in our panel. Before we even did the panel though, I do want to say we went out quickly to about 20 customers and asked them if they were willing to give an opinion. And it was sort of split down the middle where about half of them were saying, this is okay, we're gonna stand by him Octa is the best in the industry. A few were cautious, opinions unchanged, but we're gonna take a look deeper. And then another 40% were just flat out negative. And again, small sample size, but you don't want to see that. It's indicative of reputational damage right away. That was what led us to say, you know what, let's go do this panel. And as you know, from reading and looking at the panel, well, a lot of topics were brought up about the derivative impact of it. And whether that's your own, having to hire people to go look into your backend to deal with and manage Octa, whether it's cyber insurance ramifications down the road. There's a lot of aspects that need to be discussed about this. Yeah, so before I go on, and by the way, I've spent a fair amount of time just parsing and listening very carefully to Todd McKinnon's commentary. I did an interview with Emily Chang. It was quite useful, but before I go on, I reached out to Octa and they were super responsive and I appreciate that. And I do believe they're taking this seriously. Here's a statement they provided to theCUBE, quote, as a global leader in identity. We recognize the critical role Octa plays for our customers and our customers and users. Octa has a culture of learning and improving and we are taking the steps to prevent this from happening again. We know trust is earned and building back our customers' trust in Octa through our actions and our ongoing support and their secure as their secure identity partner is our top priority. Okay, so look, what are you going to say, right? I mean, I think they do own it. Again, the concern is the blind spots. So we put together this visual to try to explain how Octa is describing the impact and maybe another way to look at it. So let me walk you through this. Here's a simple way in which organizations think about the impact of a breach. What's the probability of a breach? That's the vertical axis and what's the impact on the horizontal? Now I feel as though business impact is really is the financial condition. But we've narrowed this to map to Todd McKinnon's statements of the technical impact. And they've said the technical impact in terms of things customers need to do or change is near zero. And that's the red dot that you see there. Look, the fact is that Octa has more than 15,000 customers and at most, 366 were directly impacted by this. That's less than 3% of the base. And it's probably less than that than just being conservative. And the technical impact which Todd McKinnon described in an interview again with Emily Chang was near zero in terms of actions the customers had to take on things like reporting and changes and remediation, basically negligible. But based on the customer feedback outside of that 366, that's what we're calling that blind spot and that bracket. And we list the items that we're hearing from customers in on things that they have to do now despite that minimal exposure. Eric, this is new information that we've uncovered through the ETR process. And there's a long list of collateral impacts that you just referred to before actions that customers have to take, right? There's a lot and the panel really brought that to life even more than I expected to be quite honest. First of all, you're right. Most of them believe that this was a minimal impact. The true damage here was reputational and the derivatives that come from it. We had one panelist say that they now have to go hire people because, and I hate to say this but Octa isn't known for their best professional support. So they have to go get people now in to kind of do that themselves and manage that. That's obviously not the easiest thing to do in this environment. We had other ones express concern about, hey, I'm an Octa customer. When I have to do my cyber insurance renewal, it's my policy going to go up. It's my premium going to go up. And it's not something that they even want to have to handle but they do. There were a lot of concerns. One particular person didn't think the impact was minimal and I just think it's worth bringing up. There was no demand for ransom here. So there were only two and a half percent of Octa customers that were hit but we don't know what the second play is, right? This could just be stage one. And I think that there was one particular person on the panel who truly believes that that could be the case that this was just the first step. And in his opinion, there wasn't anything specific about those 366 customers that made him feel like the bad actor was targeting them. So he does believe that this might be a step one of a step two situation. Now that's a bit of an alarmist opinion and the rest of the panel didn't really echo it but it is something that's kind of worth bringing up out there. Well, you know, it pays to be paranoid. I mean, you know, it was reported that this supposedly this hack was done by a 16 year old in England out of his mother's house. But who knows, you know, other actors might have paid that individual to see what they could do. It could have been a little bit of reconnaissance throw the pawn in there and see how, you know what the response is like. So I want to parse some of Todd McKinnon's statements from that Bloomberg interview. Look, we've always, you and I both have been impressed with Okta and Todd McKinnon's management decisions, execution, leadership, super impressive individual, you know, big fans of the company. And in the interview, it looked like a guy hadn't slept in three weeks. So we really, you have to feel for him. But I think there are some statements that have to be impact. The first one, McKinnon took responsibility and talked about how it'll be transparent about steps they're taking in the future to avoid, you know, similar, you know, problems. We talked about the near zero technical impact. We don't need to go there anymore. But Eric, the two things that struck me as communication misfires were the last two, especially the penultimate statement there that quote the competitor product was at fault for this breach. You know, by the way, I believe this to be true. Evidently, Cytel was not using Okta as its identity access platform. You know, we're all trying to figure out who that is. I can tell you it definitely was not Cyberock. We're still digging to find out who, but, you know, you can't say in my view, we are taking responsibility. And then later say it was the competitor's fault. And I know that's not what he meant, but that's kind of how it came across. And even if it's true, you just don't say that later in a conversation after saying that we own it. Now, on the last point, love your thoughts on this, Eric. My first reaction was Okta is throwing Cytel under the bus, you know, Okta is asking for forgiveness from its customers, but it just shot its partner and I kind of get it. This shows that they're taking action, but I would have preferred something like, look, we've suspended our use of Cytel for the time being pending a more detailed review. We've shut down that relationship to block any exposures. Our focus right now is on customers and we'll take a look at that down the road. But I have to say in looking at the timeline, looks like Cytel did hide the ball a little bit and see you can't blame him. And, you know, what are your thoughts on that? Well, I'll go back to my panelists again, who unanimously agreed this was a masterclass in how not to handle crisis management. And I do feel for them. They're fantastic management team. The acquisition of Office Zero alone was just such a brilliant move that you have to kind of wonder what went wrong here. They clearly were blindsided. I agree with you that Cytel was not forthcoming quickly enough. And I have a feeling that that's what got them in this position in a bad PR. However, you can't go ahead and fire your partner and then turn around and ask other people not to fire you. Particularly until a very thorough investigation in a root cause analysis has been released to everyone. And the customers that I have spoken to don't believe that that is done yet. Now, when I asked them directly, would you consider leaving Octo? Their answers were, no, it is not easy to rip and replace and we're not done doing our due diligence. So it's interesting that Octo's customers are giving them that benefit of the doubt, but we haven't seen it flow the other way with Octo's partner. Yeah, and that's why I would have preferred a different public posture because who knows? I mean, Cytel the only partner that's not using Octo as its identity management, who knows? I'd like to learn more about that. And to your point, maybe Octo's got to vertically integrate here and start supporting the lower level stuff directly itself and or tightening up those partnerships. Now, of course, the impact on Octo obviously has been really serious, big hit on the stock. It's piling on inflation and quantitative tightening and rate hikes, but the real damage, as we've said, is trust and reputation, which Octo has earned and now it has to work hard to earn back. And it's unfortunate. All right, look, Octo was founded in 2009 and in over a decade, by my count, there have been no major incidents that are obvious. And we've seen the damage that hackers can do by going after the digital supply chain and third and fourth party providers. You know, rules on disclosure are still not tight and that maybe is part of the problem here. Perhaps the new law, the house just sent over to President Biden is going to help. But the point, Eric, is Octo is not alone here. It feels like they got what looked like a benign alert. Cytel wasn't fully transparent and Octo is kind of fumbling on the comms, which creates this spiraling effect. Look, we're going to have to wait for the real near-term and mid-term impacts and long-term. But long-term, I personally believe Octo is going to be fine, but they're going to have to sacrifice some margin, if it was possibly in the near to mid-term and go through more pain to regain the loyalty of its customers. And I really would like to hear from customers that, from Octo, that they understand that customers, the impact of this breach to customers actually does go beyond the 366 that were possibly compromised. Eric, I'll give you the final word. Yeah, there's a couple of things there if I can have a moment. And yes, Octo, it was a great quote. One of the guys said, Octo's built like a tank, but they just gave the keys to a 16-year-old valet. So he said, there is some concern here. But yes, they are best of breed. They are the leader. But there is some concern. And every one of the guys I spoke to, all scissors said, this is going to come up at renewal time. At a minimum, this is leverage. I have to ask them to audit their third parties and their partners. I have to bring this up when it comes time. And then the other one that's a little bit of a concern is, data-wise, we saw Ping identity jump big from 9% net score to 24% net score. Don't know if it's causative or correlated, but it did happen. What's going to be concerned about out there is Microsoft is making absolutely massive strides in security, and all four of the panelists said, hey, I've got an E5 license. Why don't I get the most out of it? I'm at least going to look. So for Octo to say, hey, there's no impact here. It's just not true. There is an impact. They're saying what they need to say. But there's more to this. Their market cap definitely got hit. But I think over time, if the market stabilized, we could see that recover. It's a great management team. But they did just open the door for a big, big player like Microsoft. And you and I also both know that there's a lot of emerging names out there too that would like to take a little bit of a share. And you know, but here's the thing. Keep going here for a minute. Microsoft got hit by lapses. NVIDIA got hit by lapses. But I think, Eric, I feel like people, oh yeah, Microsoft, they get hit all the time. They're kind of used to it with Microsoft, right? So that's what I'm saying. It's really interesting here. Customers want to consolidate their security portfolio and the number of tools that they have. But then you look at something like this and you say, okay, we're narrowing the blast radius. Maybe we have to rethink that and that creates more complexity. And so it's a very complicated situation. But your point about Microsoft is ironic, right? Because when you see Microsoft, Amazon, customers get hit all the time and it's oftentimes the fault of the customer or the partner. And so it seems like, again, coming back to the comms of this is that really is the one thing that they just didn't get right. Yeah, the biggest takeaway from this without a doubt is it's not the impact of the breach. It was the impact of their delay and how they handled it and how they managed it. That's through the course of 25 sizzles I've spoken to now. That's unanimous. It's not about that this was a huge damaging hit, but the damage really came from their reaction or lack thereof. Yeah, and it's unfortunate because it feels like a lot of it was sort of, I don't want to say out of their control because obviously they could have audited the partners, but still I feel like they got thrown a curveball that they really had a difficult time parsing through that. All right, hey, we got to leave it there for now. Thank you, Eric Bradley. Appreciate you coming on. It's always a pleasure to have you. Always good talking to you, Dave. Thanks a lot. ETR team, you guys amazing. Do some great work. I want to thank Stephanie Chan who helps me with background research for breaking analysis. Kristen Martin and Cheryl Knight help get the word out as do some others. Alex Meyerson on production. Alex, thank you. And Rob Hofe is our EIC at Silicon Angle. Remember all these episodes, they're available as podcasts wherever you listen to search breaking analysis podcasts. I publish each week on wikibon.com and siliconangle.com. Check out ETR.ai. It's the best in the business for real customer data, real-time, near real-time, awesome platform. You can reach out to me at davidotvalante at siliconangle.com or at dvalante or comment on my LinkedIn post. This is Dave Vellante for Eric Bradley and theCUBE Insights powered by ETR. Thanks for watching. Be well and we'll see you next time.