Okta’s 90-Day Delay On Product Releases Is A ‘Critical’ Step: Analyst

The company’s commitment to prioritizing security is much-needed following several major breaches over the past two years, according to Macquarie’s Fred Havemeyer.


Okta CEO Todd McKinnon speaking during Oktane 2023

Okta’s commitment to delay product and feature launches for 90 days in order to focus on its security is much-needed, following several major breaches over the past two years, according to Macquarie equity analyst Fred Havemeyer.

After Okta revealed this week that its most recent breach affected all of its support customers — a far broader impact than previously known — Okta co-founder and CEO Todd McKinnon said that the identity platform developer would be postponing upcoming product updates in order to prioritize security.

Okta will follow a “hyper-focused security action plan” during the 90-day period, which the company is referring to as “Program Bedrock,” McKinnon said Wednesday during the company’s quarterly call with analysts.

The effort aims to ensure that the company’s products are “built in a way that ensures the security of our customers,” he said. “During this hyper-focused phase, no other project or even product development area is more important.”

As part of that commitment, “the launch dates for the new products and features that we highlighted at Oktane last month will be pushed out approximately 90 days,” McKinnon said, referring to the company’s annual Oktane conference. The one exception to the product launch delay is Okta’s Privileged Access offering, which will be generally available as of this week, he noted.

‘Tough Spot’

At Macquarie, “we think Okta’s reputation is in a tough spot,” wrote Havemeyer, head of U.S. AI and software research at the firm, in a note to investors.

“Even after this candid earnings call, Okta will need to demonstrate that it is executing on concrete actions to improve its security practices,” Havemeyer wrote. “We think Okta delaying product releases for 90 days (except PAM) to focus on security over shipping is critical at this juncture.”

In response to an inquiry from CRN, Okta said in a statement that “we aim to be one of the world’s most secure companies in the world, and following this incident, bolstering our security environment is, by far, the highest priority for everyone at Okta.”

“The stakes are high, and we are looking hard at strengthening our security culture and operations to protect our customers,” the company said in the statement.

The recent breach at Okta impacted data from customers who had used the company’s support system. Okta had previously said that an attacker accessed files belonging to 134 customers — representing less than 1 percent of its customer base — between Sept. 28 and Oct. 17.

However, Okta disclosed Wednesday that further investigation found that the breach included the theft of all support customer names and emails.

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users,” Chief Security Officer David Bradbury said in an updated disclosure about the incident.

User credentials and other sensitive data were not included in the report downloaded by the attackers, Bradbury said.

Growing Concerns

Customers and investors have expressed increased concern about Okta’s security practices, given that this breach was just the latest in a series of incidents over the past two years.

The most notable prior incident occurred in early 2022 when Sitel, a third-party Okta support provider, was breached by the Lapsus$ hacker group.

The incident led to significant reputational damage to Okta, mainly due to the fact that the company didn’t disclose the breach until after Lapsus$ had posted about it.

With the latest breach, analysts have pointed to the fact that a customer, cybersecurity firm BeyondTrust, raised concerns about the incident to Okta that were not acknowledged by the company for more than two weeks. Another Okta customer, Cloudflare, has said it first notified Okta about the breach, rather than the other way around.

Shaul Eyal, managing director for equity research at TD Cowen, wrote in a note to investors that Okta’s “financial performance is reflecting the impact of recent high-profile breaches involving the company’s solutions.”

“Close and win rates could slow on the back of the scale and magnitude of the most recent breach,” Eyal wrote.

Okta’s stock price was down 4.8 percent to $67.40 a share as of this writing Thursday afternoon.