Welcome, welcome, dear guests. We'll be starting just right now. People arrive, I let them in. We'll start. Valued shareholders, investors, customers, and media, welcome to our investor call on SSH Communications Security Corporation's financial statement release of the year 2022. The meeting will be, of course, recorded, and the recording, alongside with the presentation, will be available on our webpage after this call. My name is Lauri Koponen. I am the Communications Manager at the SSH Communications Security. Results will be presented by our CEO, Teemu Tunkelo, this time. You can ask questions at the end of the event by asking to speak, raising the hand or writing in the chat that, "I want to speak," or you can write the question there. I will read it out loud.
Please keep your microphones muted whenever you don't have the floor. We can proceed. Please, Teemu, you can start.
Thank you, Lauri. As you probably all know, we have a little bit of transition period here with Niklas leaving the CFO position and we have Taneli Virtanen on the call who has been covering the transition in the last months and will be helping Michael to onboard into the CFO role. Taneli has been to me like for Peter Pan, Helena, Tinker Bell, you know, sitting on my shoulder and trying to keep me cool and concentrate on the right things. Let's go through the business highlights very briefly, the financial results, and then a little bit what we are doing in the business. If we look at the full year, I am really proud of the team. All hands on deck.
We grew well, I remember some years ago, I said that the team is on board, the boat is clean, the sails are on, and the wind is in the... It takes some inertia to get the boat going, and that is providing results to us now. For the full year with our five product lines in different life cycle phases, we were able to achieve 21% growth. We continued to grow our ARR. The growth side of our portfolio, I'm really proud of what we were able to achieve with our customers. We also got some new significant logos. We got longer deals than before with UKM, with NQX, and PrivX. We are getting the customer confidence coming up that they are willing to make longer term commitments with us and not rely on annual subscriptions only.
Because of these longer term contracts, we have customers paid in advance. All in all, the invoices we were able to send grew significantly more than our revenue based on the subscription model that actually when we got the deals in the last quarter, it didn't really contribute to revenues, but it contributed to invoicing. We are looking at ways that we could describe better the orders received in our business compared to revenue because if you sell boxes, you ship boxes, you can say easily orders received and shipped, but in subscription business it is more difficult. This invoicing which leads to deferred revenue, the money we got from the customers, real money grew a lot and it will be converting revenue to the revenues in the future which of course builds a solid base for future growth.
Profitability also improved, and following the logic over the last seven quarters, I think we are ahead of the game of our competition in the sense that we are already going for the Rule of 40 that we want to be over 40 if you combine our growth and our EBIT %. In the last quarter we were there. For the full year we are still lagging behind, but I think we are on the right track. We continue to invest in our future. We have proven and used products. We are developing future-proof products like NQX and PrivX, and we continue to invest significantly to R&D. We have clarified our marketing position to zero trust operational technologies and post-quantum safe solutions.
We have put a lot of effort in last year on revamping our partner network and integrating the partner network management for all product life. In that sense, completing the merger of Deltagon to be one product line of the whole SSH. Next slide, please. If we look at the numbers with the pictures, which is more interesting for me, that you can see that we have been able to grow in the last seven quarters top line. We were very close to the quarter last year, even though we didn't have any major license orders like last year on the last quarter, we still made extremely good last quarter. That also builds for the future growth.
It also, if I look at the regional level, Europe was the hero, and Europe has become our biggest region, and it is on a solid base moving forward. Asia, which is dependent on partners only, we did major revamp with the partners and the local management, which kind of made it a little bit change pain that we had to go through. U.S. is still the huge opportunity. We have been able to defend our base, and we are working very hard to get U.S. to challenge Europe, who is the biggest region in 2023. Compared to the current market phase where the Rule of 40 is becoming more visible, we have gone that way already for seven quarters. We are focused on keeping EBITDA at a good level and growing at the same time.
Doing that with the, with the portfolio management, we are really making PrivX, which is growing to the adult age in our portfolio, the core platform of our solutions. We are launching SSH Zero Trust Suite, which is access management for key users for accessing people, accessing applications talking to other applications in three areas. We started with traditional IT. We have gone successfully now to managed service providers also in the U.S. with the, with the latest deals we did last year. Operational technology, we have really, especially in Europe, got ground with major logos in using our technology to connect the factories, harbors, airports to the cloud and back. If we look at the whole journey from a technology point of view, we started with digital keys some 20 years ago with SSH keys, which basically had two fundamental problems.
They don't have a best before date. They are not connected to identity. They are like like the physical key to your home. The one who has the key can use it. Digital keys, which is the future, you can't use it if you are if your identity hasn't been verified. That's what UKM does, which was our first generation on the certificate environment. The market went for DSL, SSL certificates and password rotation, which we think is old-fashioned. We jumped the gun with PrivX already some years ago to go to passwordless, to keyless world. That, especially in the OT environment where SSH keys are used a lot for application to application communications and remote maintenance, it is key that you don't have passwords and you don't have permanent keys.
That's where we are today, and we are also ready for the future. Zero trust is the core of our offering today, and a lot of the time we now spend with our customers is actually teaching them that the next generation, the next wave will be post-quantum. It gives limited revenue today. NQX is in early stages. NQX is where PrivX was three years ago. We see that the post-quantum is coming to PrivX, it's coming to Tectia. Big customers of ours are having major projects and saying, "How do we go to post-quantum world?" Which is for them a big project taking years. We can provide them the two last waves for the future. Easy to use, cloud-native solutions that gets rid of password rotation, gets rid of static keys that are not connected to identity.
That is the message that we feel that we are getting very good traction in the market, and customers understand that the traditional certificates that last for a year or two. Pain of changing passwords is not the way moving forward. You have to go zero trust. You have to go post-quantum. We have ready-made products that you can use in your environment, and we can help you to get to that journey. The key message we tell to our customers is passwordless, keyless, and defensive cybersecurity. We talk about defensive cybersecurity because we are not about hackers. We are about protecting your critical data. Very often, cybersecurity as such is attached to the bad boys. Actually, the biggest risk in most cybersecurity environments are the people working inside the companies or the third parties accessing the systems in the company.
We provide not only the user access, which is maybe 20% of the system access. 80% of our customers' data traffic is applications to applications in different ways or systems between systems. With Deltagon, we went to the space of sharing information between people with the Deltagon suite. With NQX, we are providing the backbone traffic between your subsidiary and the cloud, your factory and the cloud in a way that is really over-secure, that you don't need to use leased lines to connect your critical infrastructure. You have a high performance over internet link, which is fully tunneled in a tunnel that can run any data, any protocol you need up from the physical network layer.
That's where we are absolutely unique with NQX, because the way we've developed NQX provides a significant performance improvement compared to the competition because we have built our own implementation of TCP/IP stack in user space. By architectural design, NQX is the most performing point-to-point connection to connect data centers or offices to cloud. We are also expanding our approach not to develop everything ourselves. We are building integrations to key topics, and key topic is the ease of use, get rid of the password. Biometric recognition, getting rid of pins, getting rid of SMS messages. Multi-factor authentication in a different way is a key part of the story. A lot of the digital gatekeeping also has to do with being able to control access real time from your mobile phone, that you don't have to be at the computer.
All in all our products are zero-trust capable, and they will be quantum safe capable. That's why we believe that we are in a very good position with the total portfolio to go for future-proof solutions that is based on technology that is done by a team who have been doing proven and new solutions, especially to the finance sector and government sectors, which is great because if we can help our customers to protect money-related data, I think we can help factories to protect their production critical data as well. Our portfolio focus continues to be zero trust. That's where the traction is. That's where PrivX is making its growth. Operational technology, I think we were already a year or two ago ahead of the game. We started to talk about operational technology when the market didn't.
Now we can see all the competition is following us. We can see that we have gotten traction with machine builders, with maintenance providers, with production facilities, and it has been hugely helped by the last year with the situation in Ukraine that people have understood that actually critical infrastructure, heating, cooling, electricity, water, have to work under every condition. Cyber risk is huge because you can stop a plant without going there. We need to build the digital fence. We need to have the digital gatekeeper, and we have the technology already for banks and governments. Now we want to bring it to OT.
Both of these have the risk of the quantum computing, which not necessarily is sure when quantum computers come, but our customers tell us we might not know when they come, but we have to be prepared for it, at least for our most critical data. Our customers are looking at their critical users and their most critical data, and they talk with us, and we are helping them with our professional services to build a sustainable and defensible future also in the cyberspace. Moving forward this year, we have transitioned to a subscription model, and we are doing that in all product lines. It is, we still like to have license deals if the customer wants to buy it, but we prefer strongly the subscription model because that provides us better performance overall.
Because if we take a license deal, you get the money in the first year. If you get the subscription deal, you get more money over the years. This is not a quarter business we are doing. We are doing a long-term future because our customers use our products for 10, 20 years like they do traditional industrial production equipment. We are just an industrial production in the digital phase. I already mentioned the numbers on the last year performance, which I think the team did with the help of our customers, great work. We want to maintain with our out-outlook for this year. Our main focus is to grow, and we want to grow keeping EBITA and cash flow from operating activities to be positive on the year as well.
With these words, I would like to hand over back to Lauri, and please send your questions or ask online, and we will be happy to provide answers to you.
Yes. Thank you, Teemu, for your good presentation. Definitely let's have a questions and answers section. Please write your questions in the chat, or you can raise a hand and ask your question. We have actually first, Fredrik, the floors is yours.
Good morning, Teemu and Lauri. Thanks for taking my questions here. I wanna ask you talked a bit about Asia, that it was weak, and usually Q4 is pretty strong in licensing sales, but in the quarter it was pretty weak. What is your take here going forward, you think?
Well, partially the quarter was weak because we did the revamp on our partner network, so we had to reshuffle them. We also are moving also in Asia to subscription model with the Tectia post-quantum, Tectia being the biggest product in Asia. That means that when you get subscription deals, they don't come to revenue. These two elements, moving Tectia to subscription business and revamping the channel partners, reducing the number of them, and moving customers to the remaining partners, did impact our numbers. I'm very confident that the work we've done with Asia over last year will bear fruit this year.
Okay. Thank you. Looking at Europe, it's your largest region, and it grew pretty nicely in the quarter. I know we talked about before that the U.S. is pretty hard on the competition. Will you continue to focus more on Europe going forward, or can we see something else there?
I think there are. We focus both on Europe and US. I think US has a lot more potential. The competition is harder, but the great thing is that the market is also reforming from a point of view that people are focusing more on also the financial performance, not only on growth. The late mergers from the competition also helps us because they are focusing on internal topics. I do believe that we will continue to position in Europe to be the European player and that really seems to be working well. In US, we want the position to be the best technology player that is on a solid ground.
So from our marketing expenditure, we will focus to put efforts in the US market because the market is bigger and it is more cloud ready for our solutions, which are future proof. Europe has become a contender for US for us because traditionally US was the bigger market. Rami has announced the competition that, "Hey, show me US. Can you be bigger than we are in Europe?" I'm happy to see that race being on.
Okay. That's good. Then, PrivX grew 96%, continued to grow very strongly. What is the trend for the full year? You're gonna continue to be around here, or it's gonna come down?
I would say we are in a very good position to continue the trend. Of course, when the absolute numbers go bigger, maintaining the growth numbers at 100% will be tougher. On the other hand, we have been able to increase the average deal size of PrivX, so I can see it possible. Of course, that creates the challenge of that the PrivX business is granular, that if we get the deal that is 30% of the current PrivX deal, it's great. If that slips a quarter, it's not great. So it's not really a statistical mass, but I think it is the right direction that we go for bigger deals because PrivX works best in organizations that have tens of thousands of servers. That means that you have to go to company names that you know anyhow in the market.
Good answer. The last question for me, and I'm gonna let others in. You just talked about the outlook for 2023, and you're gonna be positive on the EBITDA margin. Do you think the margin is gonna stay around 14, 10, 14%, or will you manage to push it higher?
It is my intent to keep the margins high or higher. I am a strong believer of the Rule of 40. Last quarter, we already were able to be inside the quarter of 40, which is if you combine the growth % of the revenue plus your EBIT margin, if you are over 40 as a SaaS company, you are okay.
Mm.
We did it in last quarter, but last quarter is our best quarter. Now we want to do it on the full year. I can't promise it, but I'm putting all the effort with the team that we make sure that we will go for that target.
Sounds great. That's all for me. Thank you.
Thank you, Fredrik. We have in the chat question, I will read it out loud. The invoicing has grown significantly from EUR 15.1 million to EUR 24.2 million. Can you elaborate on the main drivers of the improvement? Do you have longer invoicing intervals than 12 months?
That's a smaller part, but it's a significant part as well. There are two elements. One is that we got a lot of subscription deals in December, which means we could invoice the whole 2023. The money will come, but it doesn't come to revenue. We were able to send a lot of invoices in December that don't convert to revenue. Some customers have been worried about the inflation, so they want to fix their price for the next two years, three years, and they want to pay upfront to secure that they don't get the hit from the inflation, which what we generally are doing is we target for 5% increase on the prices. The customers are willing to make longer term contracts. Typically, they do...
The ones who want to do multi-year contracts and pay them upfront want to go for three-year contracts. There are some that go for five-year, and there are, especially in Japan, they are interested in seven-year fixed price contract, I pay you upfront, which is great for us, for our cash management. It also shows the customers' commitment that they are gonna use the product for a longer period. I personally like automatically renewing annual contracts better, but I'm also happy to see that the customers are willing to make long-term commitments and pay upfront because that shows that they trust in our portfolio.
Thank you. I remind you, if you have questions, you can raise a hand or write in the chat. In the between, I have couple of questions which came in advance. First question is, has the closer cooperation between Finland and NATO, or let's say NATO joining process, and the pattern of industrial cooperation in fighter procurement had a concrete impact on SSH business opportunities?
Opportunities for sure, and a lot of discussions with customers, professional services, engagements. The customers are looking at what does the new world look like. It hasn't really converted to business. On the, on the jet fighter side, the difference is different because nowadays there is no hard commitment on counter trade, vastakauppa. There is a possibility for technology cooperation, getting access to algorithms, getting access to technologies which doesn't have monetary value but would have a time value in R&D, and especially in post-quantum area, we are looking at accelerating our development by getting access to post-quantum technologies that are being developed in the U.S., and that comes through the industrial cooperation. I think NATO will impact us a lot.
I think also European Union and their secrecy policy, so generally government awareness of cybersecurity based on the geopolitical situation in Europe. EU is interested, NATO is interesting. From a technology point of view, the fighter jet opens us opportunities that we otherwise might not have been able to go for.
Thank you. Next question, which came in advance was, in 2020, a contract for the supply of cryptographic products and services worth around EUR 20 million was announced. Far, the order has came for EUR 2 million. What does the implementation of remaining EUR 18 million currently looks like?
It looks positive. Of course, two years is a long time in this technology, a lot of the customer requirements have been changing in two years. We have ended up doing for these customers and other customers more professional services on the architectural design of the network topology and architecture, getting prepared for quantum sake. At the moment, parallel to the frame contract, we are getting from our customers more work, and that work will lead to the implementation of the rest of the frame contract. There, of course, I would say let's see. Hopefully, when we get the NATO through that we are really in NATO, I feel that the frame contract implementation will go faster. European Union gets also clarified with their NIS2 activities, what does it mean. I'm confident that we are on the right road.
I think the customer is happy what we have delivered. We are more limited on the customer's capability of executing the rollout than our capability to deliver. We are trying to help the customer to get their plans clear and move on with the project.
Thank you. I have still four question in advance, but let's take one from the chat between how is Deltagon progressing outside the Nordics?
Deltagon has maybe been a little bit of a disappointment for me outside Nordics. One of the things that we found out that with our traditional SSH customers, the decision makers who buy Tectia and UKM and PrivX, there are different decision makers who buy people to people communication. Building market access to them has been slower than I would have anticipated. I think for Europe, we are on the right way. I do believe that Asia is also, especially with the big customers, there might be coming up something very interesting. Once we get out of Scandinavia, the average deal size will be significantly bigger, which will easily help us.
We are pretty well covering Scandinavia in the sense that the additional deals and our lead and expand strategy means that the Deltagon average deal sizes are small. When you go for these bigger markets, the deals are 10, 100 times bigger, but also then the lead times to close the deals are longer. That's where we are today.
Thank you. One question again in advance. Well, maybe related to this. How well and with which products in particular has SSH gained a foothold in the Nordic countries?
In Nordic, Deltagon is important. I would say also PrivX OT Edition has been doing extremely well. PrivX MSP Edition has been doing extremely well, and traditional PrivX has been doing well. Nordics has very limited customers that are big enough for major implementation of Tectia or major implementation of UKM. NQX, we have been focusing on the Finnish customers, so it's not yet even in Scandinavia. We see a lot of potential for also expanding the non-governmental use of NQX, both in Scandinavia and in other, especially European countries.
Thank you. Question from the chat. Cybersecurity company Nixu reserved a purchase order lately, and Nixu's board is supporting that. What's your thinking on M&A and possibilities in that area in the coming months for SSH point of view?
I think we are not in a M&A market on neither side of the table. We see the Nixu purchase order absolutely interesting because it has raised a lot of connections from customers saying, "Who is my trusted friend?" What is TNV going to do with it? It's going to be a consulting house for ISO/IEC 27001. It's not going to provide maybe the services like security operation center. We can do a lot of automation, helping customers to do their continuous surveillance of their networks better. Nixu offers us opportunities of the change in Nixu's landscape, and questions about Nixu's future has been a positive impact for us. To the original question, at the moment, in the coming months, we are not on either side of the table on the M&A activities.
Thank you. We have three question in advance. Once again, you have time still write your questions in the chat or raise a hand. What are the factors that make the NQX Encryptor particularly competitive and innovative?
I would like to quote Cisco on this, because Cisco has defined the future of firewall in a way that it does more than firewall that opens and closes ports. It also looks at the behavior, it looks at the access control, it looks at the identity and activities that is going between networks. NQX is already there, especially with the NQX zero translation, where it's integrated with PrivX. It does exactly what Cisco says, what is the future of firewalls. We don't see NQX as a firewall, we see it as a next generation firewall. It does more at a lower price. The other thing which is really unique with NQX, it's a pure software product. We sell it also with the hardware when customer wants, but it is fully implemented in software.
For the ones who have Unix competence, we implemented it, and that was the big investment we did for one of our first customers, that we implemented NQX in user space application, doing the communications without system calls that take a lot of time. By design, we are more performing than any other firewall in the market. Especially if you would need to put more demanding algorithms like post-quantum. The fact that we are 100% software-based and that we run in a user space, we are more performing. We are not dependent on proprietary hardware. You can run it on any PC with just... The better your network card, the better it from your network card connection to the CPU with more performance you get, so the hardware has an impact. It's...
I have not found any other company in the world who would have done the next generation firewall. This comes actually pretty much to, back to the NATO question, that when you want to implement EU SECRET or NATO SECRET level connections between countries or organizations, performance becomes a major issue. We have run some benchmarks that we are 10 to 20 times more performing than the people who are running it on proprietary hardware. We have more performance, we are software-based, those are the key topics. With the integration of PrivX and NQX, we are already there with the product that Cisco says they will be make later.
Those are the three key elements where I believe that NQX in the non-governmental space, and also in the governmental space, is technologically superior, which is typical Scandinavian engineering companies. We make the best products, we just don't know how to sell them.
Okay. Thank you. We have new question in the chat. Thank you for your activity. You have set target to reach Rule of 40 for the whole year in 2023. Rule of four is defined as growth plus profitability. Rule of four thus could be achieved by 40% growth and 0% profitability. SSH is still in the early stage of global scale. Why not to focus more on the growth component now?
Well, first of all, I set the Rule of 40 as kind of my personal ambition. It's not really a company goal, but it's my ambition to go that way. I truly believe that we have to maintain profitability. We need to be positive EBITDA. I agree, growth is the primary target, but not at any cost. That's also based on our strength in our firepower in the balance sheet. We cannot ignore the fact that cash from operations has to remain positive. We can only grow as much as we get money from our customers. That's the reason why I raised the Rule of 40 as my personal ambition. We want to keep EBITDA positive, but the primary reason is to grow, but not at any price.
Thank you. We are reaching the end of advanced questions. How has the market taken up SSH quantum-ready products, and in which area do you consider SSH to be ahead of its main competitors?
I think the main thing where we are ahead is that we have the NQX team, over 10 people who have been working on this technology for years. We got the funding from the Horizon program from EU to develop it. We have 1 of the 1st products in the market. We have for mainframe computers already, we believe the 1st product in the whole world that can do quantum computing for IBM mainframes. And this is all based on the fact that we have the people who know what does it mean to make products that are post-quantum safe. We have constantly getting questions. Our key people are traveling the world talking about it.
The point is we just were in one big government affair in Singapore, where they really wanted us to come, and they said, "We get a lot of university people to come and talk about quantum-safe, but we want to get somebody who makes products that are quantum-safe." That's where we are. We have products. We are delivering them to customers, and we have a development team that has been driven, drive together for years. We have a team, we have a product, and most of the competition is still talking. Most of the money made with quantum computing, also with us, is actually professional services, that we help our customers to make a roadmap to post-quantum.
I think we are considered a thought leader especially because we have quantum-safe products in the market, and those are few and far apart.
Definitely. Thank you. One question from the chat. How do you see personal development in 2023? Are the major needs in R&D or marketing?
I would say that we have all hands on deck. We have done a lot of development last year. This year, I don't see major need for total team size improvement. I think we have if I would invest something extra now, it's more on the go-to-market, out-of-pocket marketing spend than getting more people. Don't expect a lot of headcount increase. I expect that we are driving for growth with the current team with all hands on deck.
Thank you. Last question, which came in advance, and you have still time to raise a question, dear guests. Last question. When do you expect SSH to be included in the PAM Gartner Magic Quadrant? What is the key?
one key is the size of the PrivX business, that they take only typically companies that have on the magic relevant space revenues at the level of EUR 10 million plus, where PrivX is not yet today. However, we have been able lately to be in two analyses from Gartner Group. We have gotten a lot of peer reviews, about 20, giving very good remarks. I feel confident that we are on the, on the radar for the Gartner Group that makes Magic Quadrant.
We have a constant dialogue, with and me, with the Gartner guys. They know we are here, they know what we are doing, and they want to see more hard evidence that we are really continuing the PrivX growth to be in a critical mass, that we can be compared to companies that are focusing only on PAM, and they are 10 times bigger than we as a whole company. We need to grow PrivX as we have done, keep the percent growth as it has been, even though it means more absolute dollars. I think we can get to the Magic Quadrant in the near future. It's not my choice. I really can't say a timeline.
Yes. Looking at the chat and the email, I don't have any more questions to raise. If you will have some more questions, you can always write us, write me, and I will find the answers for you. Thank you, dear guests, for participating in our call, for your activity. We had, again, a lot of different good questions. Materials for this call is actually already on our site, but the recording will come also soon, later this day. My name is Lauri Koponen, and I work as a company's communication manager. We have a lot of different content, webinars, and events again coming. We are going next week already to London Gartner event, and so on. Please follow our channels, LinkedIn especially, and Twitter, and our webpage, and join the discussion about the future of defensive cybersecurity.
Thank you, Teemu, and thank you, guests, and have a good rest of the day.
Thank you.