SSH Communications Security Oyj
OMXH:SSH1V

Earnings Call Transcript

2023-Q2

Lauri Koponen
executive

Valued shareholders, investors, and customers, and media, welcome to our investor call on SSH Communications Security Corporation's interim report January-June 2023. This meeting is recorded and will be available on our web page alongside with the presentation and the report, you can find it already on our Investor web page.

My name is Lauri Koponen, and I'm the Communication Lead at SSH Communications Security. Results will be presented by our CEO, Teemu; and CFO, Michael Kommonen. You can ask questions at the end of the event by asking to speak or writing question in the chat. I will read it out loud. Once again, please keep your mics muted whenever you do not have the floor.

And let's start with the financial results. Please, Michael, floor is yours.

Michael Kommonen
executive

Thank you, Lauri, and good morning, everyone. So in the second quarter, our net sales grew by 9.2% and EBITDA was EUR 0.1 million. The breakdown of the net sales growth, which reached EUR 4.9 million was subscription ARR growth of 37%, which reached EUR 10.8 million at the end of the second quarter. The total ARR, which includes both subscription and maintenance sales grew 12% and reached EUR 18.3 million. The EBITDA of -- I'm sorry, EUR 0.1 million was lower than in the comparison period.

In the second quarter of 2022, EBITDA was EUR 0.5 million. This is mainly caused by an increase in workforce and continued growth investments in our -- in both R&D and go-to-market capabilities. During the quarter, we launched the Zero Trust Suite to improve customer security posture. We also launched an OpenSSH support service for multi-platform SSH environments. And as just mentioned, we also continued and continue to invest in our organization, working with new partners to serve our customers better.

So next slide, please. Subscription sales grew strongly in the second quarter and in line with our strategy and correspondingly, our license and maintenance sales declined somewhat. Invoicing of multi-year contracts meant that our deferred revenues increased to EUR 12.6 million, up from EUR 7.4 million last year. EBITDA, again, was EUR 0.1 million, and EBIT a negative EUR 0.7 million.

Cash flow from operations was -- in the second quarter, was minus EUR 1.4 million. This is quite typical for SSH and for our business seasonality, where more of the invoicing happens in the second half of the year and less so in the first. So if we look at the comparison period of negative EUR 1.1 million, it's broadly in line with that. Also the cash position declined and reached EUR 2.6 million at the end of the second quarter, and in line with the negative cash flow from operations.
This is also something that we typically see in the summer on the cash, the cash position declining somewhat in the first half of the year.

So, with that, next slide, please.

Teemu Tunkelo
executive

So I guess I'll take over from here. So, this is Teemu Tunkelo. Welcome from my side as well.

I must say that we are quite happy with the development of the company. Even under the current stormy waters, we are predictable and we are making great progress with, I think, the 2 key topics. One is driving the average deal size up and the other one is going from point products to communication and security solutions. And Michael mentioned the Zero Trust Suite and it is based on the fact that we are a communication security company. So we enable communication between systems, be it between people, be it between factory to cloud, be it from datacenter to datacenter, cloud to cloud, cloud to datacenter, in a hybrid environment, the communication is always secure. But we are moving towards an environment where it is not useful to protect your internal network from outside risks.

The security posture is same everywhere. Internet, intranet, extranet, it's at least the same in all these areas, especially now that we -- people work remotely. There are more and more third-party suppliers maintaining your systems, having superuser access and endpoint security is disappearing. The firewalls DMZs are disappearing. Endpoint security will move into Apple, Android, Microsoft, and it becomes more and more clear that most of the applications move to browsers that have to be protected, not the antivirus, but the browser and its communication to the cloud and the session control, who did what, when is utterly important.

And we are addressing this with Zero Trust Suite, which is new for SSH also because we don't develop anymore everything ourselves. We use strategic partners who help us, what we call upstream partners, who help us on things that are related to hardware security models, pattern -- recognition of fingerprint -- recognizing the identity with anything else but passwords.

On the SSH key side, the key topic is that SSH keys are something like your home key.
If you have it -- the one who has it can use it. And with our Zero Trust Suite, you can attach the key to the identity. So you know who did what, when and you can record the session, see what is happening. You get the safer security posture. Because as we've said before, there are 2 fundamental things that are difficult with SSH keys. The first one is that it is not connected to identity. The second one, it doesn't have a best before date. And we have solved that problem with our solutions, especially UKM. When connected to PrivX, it provides a Zero Trust solution and Tectia enables safe access. NQX enables connection between 2 geographical sites and the Deltagon between humans. And all these, all our products are future-proof because everything can be done with post-quantum-safe solutions.

So, without any change to the user experience, you can move to PQC, now or later, partly or fully, whatever is your approach, how you want to improve your security posture. And the key topic is the traffic control, not the walls.

If I take, for example, city of Munich, it still has city walls, but they are irrelevant. It has gates where you can go to the city and the problem for the city management nowadays is how to get the traffic flowing to the city. How much in data transfers are between 2 systems or between human and system like Tectia, interactive use. And that's the concept of the Zero Trust Suite that you can look at your problem, you have less partners because one of the things we can see the market analysts saying that customers would like to have less partners to implement their Zero security software architecture because then they have less people to support, they have less system responsibility because the supplier takes more.

And the third underlying key topic is the cloudification. So people want to go to cloud at least at the moment.
So which means that for the coming years, you will have an environment where you have both on-premise datacenters and clouds and they need to communicate with each other. And that is important thing to remember from our [indiscernible]. The systems and their shape and form are less relevant. The question is how do the systems communicate with each other and how do you control the communications.

Zero Trust Suite is based on the PrivX platform, and it is moving ahead from being good system to look at what happened in the past with our behavioral control system, with artificial intelligence, there are new ways for the customers to be sure that not only do we detect what happens, we can predict what's going to happen. And the Zero Trust Suite is based on PrivX technology, and it's providing point solutions, which are now better integrated than before. And it provides the benefit for the customer. They can choose which 1 of our 5 solutions they want to implement, in which order, so their journey towards future-proof cybersecurity future is based on the steps that they want to make.

And if I look at -- I'm really happy with the performance in the operational side. We have gotten our professional services returning back to the historical levels, which means we can be closer to customers. And now, in New York, traveling around U.S. for the 3 weeks visiting our Fortune 500 customers and prospects and seeking to understand what is their ambition level on making sure they are really secure. And from that point of view, it's interesting to see that the end-user market segments are different.

The finance which is our basic core bread and butter is very advanced and is very cloud adverse. The government is more prone to move to cloud, but they are also quite advanced in protecting critical data in at rest, in transit, and in use. OT is for factories, especially because of the geopolitical situation in Ukraine. People hesitate to understand.
It's important that water, water waste, electricity, heating, and cooling works under any conditions. And it doesn't have to be a missile. It can be a digital missile that causes you problems and that we have all seen in the press, cyber warfare is becoming more and more important. And there, the hackers have different kind of capabilities and resources behind them, which makes it a bigger threat than before. And for these purposes, the cybersecurity threat is -- cybersecurity suite is targeted to our main markets, so banking, government, OT.

And the technology side, if we go to the next slide. Just take them all out. So these are the cornerstones of our go-to-market strategy. First and last, our technology. So Zero Trust and post-quantum safe software solutions in all our 5 products. The OT in the middle is the huge growing market opportunity where we have gotten very good results and also responses from the customers. If I compare these 3 elements, OT is the one where I think we have been the first mover and we continue to win ground with major customers, be them utilities, machine builders, harbors, ships where the benefit comes from secure way of maintaining the availability of the factory production equipment or strategic facility equipment regardless of the environment behind.

And this is an area where the customers are still struggling in a sense that many of them don't have CSOs. Many of them don't have cybersecurity organization because they didn't need it before because the factories were not connected. Now everybody wants to connect their factories to cloud. They want to move the big data to cloud, to do artificial intelligence, big data analysis, to understand better what is going on in the production. The OT is -- has proven itself that it's really, really going well. Zero Trust is also going well, and that's really something where we also, over 2 years ago, launched the PrivX Zero Trust Suite and now we are moving to -- Zero Trust edition.
Now we are moving to Zero Trust Suite, which is not only PrivX. It's PrivX inside like the old slogan of Intel. And customers want to go passwordless, keyless.

The reality is that they have to be borderless because firewalls will become irrelevant. And I was meeting one of our big government customers talking about Zero security. Now we see gale in the U.S. and they said that they understand what we are telling them, the traffic control is more important than blocking people with gates and walls. In the end, this is a transition. They need to go there, they need to go stepwise, they will continue to buy firewalls for the time being, but they understand that the communication security is important.

And in that sense, Zero Trust is something that has taken us to the place -- so actually PrivX, which is our implementation of Zero Trust, has taken us to a place where customers are interested. We have the highest pipeline ever that I have seen over the last 3 years.

There is some slowness in decision-making, which I would say consists of 2 main reasons. One is the internal resources or the cost of outsourced resources of strategic partners to be able to implement changes in their security posture. And that means that we are competing with other projects the customer has because they have limited resources and limited budget. The other thing is money. The current situation at the world market is still a little bit of a question mark. So customers are very carefully considering when they do things. It's not about if they do things.

And to that respect, one of the great things in our biggest-ever pipeline is that the average deal size continues to increase significantly. And that's why I'm meeting the customers now here in U.S. for 3 weeks to get better understanding what is their appetite, what is their ambition level in being future-proof. And that's why the quantum-safe, our third cornerstone, is utterly important because it takes us to the table.
Everybody is interested in quantum-safe in our customer base, partially because they don't know what it means and how should I do it. And it's a lot of kind of education to our customers. Once we get in, we can talk about the other topics.

And so it's kind of a -- it's like Zero Trust was 2 years ago. It's an interesting marketing gimmick that gives us air space to talk to customers about what are the steps to go to the quantum-safe world and that leads to the fact that we have started to make deals with Tectia quantum-safe especially. And there we can see that the customers have 10,000 superusers, maybe 100 of them they put, because there's really critical data, they put on quantum-safe. They are not moving full speed to quantum-safe, but we can see the trend coming with the standardization coming with the establishment of de facto things, quantum-safe is a big part of the cryptography future.

And the way we are approaching quantum-safe is that the end user, the user of our systems, the superuser or the power user, he doesn't have to change anything. Same user interface, same functionality, and if certain servers are so critical that you want to have them quantum-safe, you can have them quantum-safe, the other ones, you can still use traditionally because implementing new things in the production environment requires a lot of testing, which is resources and they are limited with resources.

So we want to help the customer from the maturity level of their cybersecurity posture in a way that you'll have to classify your data. You have to know where your data is, in which cloud, in which cloud do you want to have it, what is the security level of that cloud? And there we come back to the Tectia's main benefit over the last 20 years, Tectia has got all the unique flavors. We speak all the clouds. There are very few customers who are only using one cloud.
If they do, they have found themselves in a position where then they are actually not even oligopole, almost a monopole because if you have all your data in the cloud, what happens to your pricing model -- to your cost model depending on what the supplier does with the pricing.

It's like mobile phone subscriptions some 10 years ago. If you tried to compare what is the cost of different networks, what's the quality of the network, it was difficult to be able to compare because the pricing parameters were different. Now, it's more and more flat internet free calls. You know what you pay per month and that's it.

And I've been talking just last week with the mainframe people of some of our customers and they have said that the challenge is that when you move to cloud, you can't predict the costs. And depending on what is your use of the data or data in use, it might have a huge impact on your IT bill because some of the cloud vendors have the model that if you just upload data to the cloud that is utterly cheap. If you delete even the file, it costs more. So you should just leave the data and forget it. It doesn't sound very clever now. And then if you start to do transactions, the CPU pricing is relatively demanding and that's why the application structure is changing. What will be in the cloud, data models that message between people and other systems, encrypted and safe. And the application logic moves to run on a browser. And this is all good.

And I think that's a great architecture that people are targeting for, but the first steps on the road are what do you do tomorrow to go towards that direction. And that's where the old traditional protocols for safety like SSH and RDP protocols are still needed because the operational systems, especially in critical infrastructure, meaning banks, government, factories will later move, because of the risk profile, they want to keep a working system running.
And that's why PrivX provides the opportunity to be proven in use and future proof and this is very well accepted by our customers, especially now with the addition of the Zero Trust Suite because then they have a supplier who takes more system responsibility than just a piece of binary code.

Next slide, please. Oh, there we are. Back to you, Lauri.

So the outlook for the year, I am very optimistic. We don't change the guidance and this is normal for me, if you remember previous year. First half of the year is difficult because people implement what they have already decided. And now we can see that the typical pattern, in the last quarters, there is more business available. We are in a good position. We just have to go after the business. We want to be closer to customers. We still continue to invest in the go-to-market and especially partners. We continue to drive investment in our R&D, which is one of the reasons why our EBITDA remains low because we see there is a market. We are a small vendor, we are a challenger, and we can see the opportunity. That's why we do it.

And last but not least, that we are improving our internal processes to ensure that we remain as high quality as we are today, and we provide the leading-edge functionality for our customers for a safer cybersecurity future.

Lauri Koponen
executive

Thank you, Teemu. And we will move now to the Q&A section here. So the idea is that you can ask to speak via chat or raise your hand in Teams or write the question in the chat, and I will read it out loud. Let's give you 10 seconds for that, and we have first.

Teemu Tunkelo
executive

Sorry, Lauri, I think we had one question sent in previously.

Lauri Koponen
executive

Yes. We will address those also. We always have a couple of questions also in advance, and we'll come back to them soon. But first, Fredrik, floor is yours.

Fredrik Reuterhall
analyst

Good morning. This is Fredrik Reuterhall from Redeye. Thank you for the presentations and the numbers. I have a few questions. You continue to invest in marketing, engineering, and R&D, as we talked about. But right now, sales are rather soft. How will you balance cost versus sales rest of the year?

Teemu Tunkelo
executive

Well, rest of the year, typically, our market dynamics is that rest of the year is better, and we are now focusing on -- have been focusing on also in the early years to be a lot on the fair shows because we need to get the money from customers and we need more leads. So we focus on lead generation by being actively closer to our customers and we want to make sure that we close as much business as possible at Q3. With payment terms, the money, of course, comes a little later. But I think we are in -- with my history, we are in the best position ever to be able to build on the base we have and the growth possibilities we have in sight that the solution is that we will do more deals and bigger deals than we've done in the first half of the year. And I think we have good proof that we are on the right way.

Fredrik Reuterhall
analyst

You mentioned in the report after the NATO acceptance that you had some increased interest in NQX and Zero Trust Suite. But will there be any additional cost for you to make these products NATO-ready?

Teemu Tunkelo
executive

It's an interesting question. Our position is a little bit that we need to do inter-vendor compatibility testing, which is the benefit of the customer. And the NATO relevant market is, of course, relatively limited in different lines of army organization. So every country has a handful of NATO customers, and then you have the suppliers supplying to those customers, either products or systems or operational services. So the market is relatively granular, and we see that there is -- best way to move forward is to get the customers to commit that they will support the upfront investment because the business case just by building a product to worldwide, a couple of hundred customers, is not easy. And what is on our side is that Europe is a safe place, Finland as a small country is even safer place. So if you want to deal with somebody, why not Finland. We are kind of the Israel of European Union. Now we are getting Sweden also on board. So we are looking at cooperation with Sweden and generally in Nordic, that there would be things that we can really directly work with our customers and see what are the needs they have.

And at the moment, the business related to NATO is a lot about professional services and providing architectural services, how should you do it? Because one of the key topics adding NATO, we can see that in all the customers we talk to, they want to have their military operations to operate regardless of NATO, and they have to be NATO-compatible. So they need NATO gateways. And that means they have to support on other standards and they want to have something that they still control themselves. So that would also mean -- that has already meant that we are having discussions about technology transfer that not only would we sell them binary code, we could maybe license the technology that they can maintain and operate it themselves.
And with that way, the country can operate it even if the connection to NATO disappears and that also the country itself is NATO safe. So if a country has the need to look at, I am safe and I'm interacting with NATO. And that means every country has the need to develop a little bit peaceful solution for their country.

And we are targeting to start or we have started with the professional services. And we are looking at, especially in Europe, the smaller countries that have Russian border, and because that's the logic we have that we have the experience of NATO. We are in EU and we are in NATO. EU market is much more homogeneous. So the government -- general government side, there we see a market that is interesting. And our idea is to invest as little as possible on our balance sheet because we don't have the power of the countries and that's why we want to go with professional services. We help the customers to make the architecture, make the implementation plan, be it military or be it general government and then it will lead to the solutions where our products will play a pivotal role. And in that way, we don't have to use our balance sheet to develop something that has a limited market.

Fredrik Reuterhall
analyst

And my last question, how fast did PrivX grow in the quarter? I think it was like 9% last quarter.

Teemu Tunkelo
executive

Michael, you have the numbers.

Michael Kommonen
executive

Yes. So, the year-to-date growth of products is 20%.

Teemu Tunkelo
executive

Maybe if I can expand a little bit on Fredrik's question that what we have done over the last year is that we have increased the deals as of PrivX from 70,000 to the sweet spot 200,000, 250,000, and we continue to grow. And what we can see now when we've seen in the first half of the year is that once you get bigger deals, subscription deal that is recurring cost for the customer, that could be EUR 0.5 million, it could be EUR 1 million, goes at the customer side higher level management decisions, which still is the decision-making. So with our pipeline, we have proven our product, it's proven in use, the technical people love it, and now they fight for the budget. And that is one of the reasons, even though I think we did quite well in the first half of the year. Based on our strategy, we don't have -- haven't done any recapitalization of the company. We are living out of the money coming from customers, and we are using that as good as possible to grow organically as much as possible.

And in subscription business, almost 10% growth year-on-year, subscription business organically and without capital investment, good. We are profitable now 9 quarters and many of our competitors are still pouring in capital from the balance sheet or from the owners to keep their growth coming at any cost and we are not planning to grow at any cost.

Lauri Koponen
executive

Thank you, Fredrik, and thank you, Teemu, and Michael. Do we have more questions? I have one in advance. You can write or raise your hand. In the meantime, let's take the question which came in advance.

So what would be -- sorry. What would have been the net sales and EBITDA in January-December 2022 and January and June 2023 under the old accounting treatment, licenses, and supporters compared to the subscription-based sales model?

Teemu Tunkelo
executive

Michael, do you want to take this?

Michael Kommonen
executive

Yes, I can take this. So firstly, just to clarify, it's not an accounting issue per se, how we recognize the revenue. It's based on the agreements we do, whether they are subscription or license-based contracts. Then the question itself, it's -- there are several reasons why it's quite difficult to give an exact number on that and it's quite hypothetical. If we first -- looking at the trend in the software business of moving from a license -- perpetual license sales towards a subscription model is something that is happening in the market generally and something that we are participating in and also actively driving strategically. So it would be kind of counterintuitive to try to move that backwards towards the license sales.

Then in practical terms, would we have tried to sell or would we have been successful in selling all the subscription sales we did during that period as license sales is very hard to quantify how that would have gone would the customers have agreed to purchase licenses, would they have -- would the pricing have -- what would the pricing have been with the purchases and the purchase decisions have happened faster or slower, and what would the split have been between license and maintenance sales. So there's a number of variables that are very hard to quantify or calculate. So for that reason, we can't give -- it would be very speculative to give a number of what that would have been if we would have sold only licenses during those periods. I think what we can say is that, in general, sales revenues would have been higher because of the nature of the selling licenses that you recognize more sales in a shorter period of time. So it's very likely that sales would have been higher and consequently also EBITDA would have been higher if that would have been the case.

Teemu Tunkelo
executive

And I think there are 2 elements from the customer side, most of the customers are willing to buy subscription because it comes to the OpEx budget. So pay as you go, leasing cars instead of owning cars. And if you take from our side, our engineers are paid by the month anyway. So a business model where we get the money as revenue over the contract period is better, but if I somehow -- and it is like because it is impossible to calculate, but just to give you some idea, the way we do our pricing, the customers have still a choice and some customers still want to do CapEx investment and have a lower running cost per year after the capital investment. They can do that. And some, very few, nowadays do it. And if you compare the pricing of a perpetual license, take a single theoretical deal or stereotypical deal, you can roughly say that a subscription price is based on the idea that you don't only get a working system, you get a system that is being upgraded, gets more -- some more functionality included in the price, so you pay in the subscription also R&D price.

And when the customers ask from us perpetual license versus subscription, the basic idea is that if you buy perpetual, you should be able to write it off over 3 years. And then you can say, do I want to pay it upfront or do I want to pay it over 3 years. So that's the CapEx OpEx question. So that's kind of -- the only thing I can say is that, that is our story to customers. But if you want to buy perpetual, think about it that it's you would have to write it off in 3 years, typically. So that's the basis of the conversion between perpetual and subscription. Plus, in subscription, you have the extra benefit that you have a living system and that is important in cybersecurity because the hackers become all the time more intelligent, they have new ideas. So you can't just believe that I buy a visual scanner and leave it there forever. It will not protect you.
You need to buy a subscription because the threat posture is living all the time, and it's better for you if you have a partner on the technology side that makes it as a solution ready for you that your product stays fresh. So it's like if you leave a car service included, service included plus.

Lauri Koponen
executive

Thank you. Do we have any more questions? You can still raise your hand or write in the chat. Let's wait for 5 -- yes, not a question, but in the chat. But I just have to say I'm a happy PrivX user. Please keep up the good work. This is also not a paid advertisement. Thank you.

More questions, comments, or something?

Recording, report, and presentation will be available on our web page. I think that at this stage, we don't have any more questions. Thank you, dear guests. Thank you, Teemu and Michael, for participating in our call. The next major and interesting event, actually, especially for you, will be the SSH Capital Markets Day on 29th of August. It will be a hybrid event. So you can attend here in Helsinki or you can attend remotely. Please visit our Investor page where you can read more information about Capital Markets Day and register yourself. So see you the latest then.

Thank you. Okay. Great. I will close the call.
