Welcome online, dear guests. We'll start in just a second. Please mute your mics, and at this stage, also shut your cameras if you are not talking yet. People are arriving, but let's start. Valued shareholders, investors, and customers, and media, welcome to our investor call on SSH Communications Security Corporation's interim report, January-June 2023. This meeting is recorded and will be available on our webpage alongside with the presentation and the report. You can find it already on our investor webpage. My name is Lauri Koponen, and I'm the Communications Lead at SSH Communications Security. Results will be presented by our CEO, Teemu, and CFO, Michael Kommonen. You can ask questions at the end of the event by asking to speak or writing question in the chat. I will read it out loud.
Once again, please keep your mics muted whenever you do not have the floor. Let's start with the financial results. Please, Michael, floor is yours.
Thank you, Lauri, and good morning, everyone. In the second quarter, our net sales grew by 9.2%, and EBITDA was 0.1 million EUR. The breakdown of the net sales growth, which reached 4.9 million EUR, was subscription, ARR growth of 37%, which reached EUR 10.8 million at the end of the second quarter. The total ARR, which includes both subscription and maintenance sales, grew 12% and reached 18.3 million EUR. The EBITDA of 0.1 million EUR was lower than in the comparison period in the second quarter of 2022, EBITDA was EUR 0.5 million . This is mainly caused by an increase in workforce and continued growth investments in both R&D and go-to-market capabilities.
During the quarter, we launched the Zero Trust Suite to improve customer security posture. We also launched an OpenSSH support service for multi-platform SSH environments. As just mentioned, we also continued and continue to invest in our organization, working with new partners to serve our customers better. Next slide, please. Subscription sales grew strongly in the second quarter, and in line with our strategy and correspondingly, our license and maintenance sales declined somewhat. Invoicing of multiyear contracts meant that our deferred revenues increased to EUR 12.6 million, up from EUR 7.4 last year. EBITDA, again, was EUR 0.1 million, and EBIT, a EUR -0.7 million. Cash flow from operations in the second quarter was EUR -1.4 million.
This is quite typical for SSH and for our business, seasonality, where more of the invoicing happens in the second half of the year and less so in the first. If we look at the comparison period of 1, EUR -1.1 million, it's broadly in line with that. Also, the cash position declined and reached EUR 2.6 million at the end of the second quarter. In line with the negative cash flow from operations, this is also something that we typically see in the summer, on the cash, the cash position declining somewhat in the first half of the year. With that, next slide, please.
I guess I'll take over from here. This is Teemu Tunkelo. Welcome from my side as well. I must say that I'm quite happy with the development of the company. Even under the current stormy waters, we are predictable, and we are making great progress with, I think, the two key topics. One is driving the average deal size up, and the other one is going from point products to...
... communication security solutions. Michael mentioned the Zero Trust Suite, and it is based on the fact that we are communication security company, so we enable communication between systems, be it between people, be it between factory to cloud, be it from data center- to- data center, cloud- to- cloud, cloud- to- data center in a hybrid environment, the communication is always secure. We are moving towards an environment where it is not useful to protect your internal network from outside risks. The security posture is same everywhere. Internet, intranet, extranet, it's at least the same in the all these areas, especially now that people work remotely, there are more and more third-party suppliers maintaining your systems, having super user access, and endpoint security is disappearing. Firewalls, DMZs are disappearing.
Endpoint security will move into Apple, Android, Microsoft, and it becomes more and more clear that most of the applications move to browsers that have to be protected, not the end device, but the browser. Its communication to the cloud and the session control, who did what when, is utterly important. We are addressing this with Zero Trust Suite, which is new for SSH, also because we don't develop anymore everything ourselves. We use strategic partners who help us, what we call upstream partners, who help us on things that are related to hardware security models, pattern recognition of fingerprint, recognizing the identity with anything else but passwords. On the SSH key side, the key topic is that SSH keys are something like your home key. If you have it, the one who has it can use it.
With our Zero Trust Suite, you can attach the key to the identity. You know who did what, when, and you can record the session, see what is happening. You get the safer security posture. As we've said before, there are two fundamental things that are difficult with SSH keys. The first one is that it is not connected to identity. The second one, it doesn't have a best before date. We have solved that problem with our solutions, especially UKM, which connected to PrivX, it provides a Zero Trust solution, and Tectia enables safe access. NQX enables connection between two geographical sites, and Deltagon between humans. All our products are future-proof because everything can be done with post-quantum safe solutions.
Without any change to the user experience, you can move to PQC now or later, partly or fully, whatever is your approach, how do you want to improve your security posture? The key topic is the traffic control, not the walls. If I take, for example, city of Munich, it still has city walls, but they are irrelevant. It has gates where you can go to the city, and the problem for the city management nowadays, is how to get the traffic flowing to the city. How much in data transfer, so between two systems or between human and system, like Tectia interactive use.
That's the concept of the Zero Trust Suite, that you can look at your problem, you have less partners, because one of the things we can see the market analysts saying that customers would like to have less partners to implement their zero security software architecture. Then they have less people to support, they have less system responsibility because the supplier takes more. The third underlying key topic is the cloudification. People want to go to cloud, at least at the moment. Which means that for the coming years, you will have an environment where you have both on-premise data centers and clouds, and they need to communicate with each other. That is important thing to remember from our remit. The systems and their shape and form are less relevant.
The question is, how do the systems communicate with each other, and how do you control the communications? Zero Trust Suite is based on the PrivX platform, and it is moving ahead from being good system to look at what happened in the past. With our web, our behavioral control system, with artificial intelligence, there are new ways for the customers to be sure that not only do we detect what happens, we can predict what's gonna happen. The Zero Trust Suite is based on PrivX technology, and it's providing point solutions which are now better integrated than before. It provides the benefit for the customer. They can choose which one of our five solutions do they want to implement, in which order, so their journey towards future-proof cybersecurity future, is based on the steps they want to make.
If I look at I'm really happy with the performance in the operational side. We have gotten our professional services returning back to the historical levels, which means we can be closer to customers. I'm now in New York, traveling around U.S. for three weeks, visiting our Fortune 500 customers and prospects, seeking to understand what is their ambition level on making sure they are really secure. From that point of view, it's interesting to see that the end user market segments are different. The finance, which is our basic core, bread and butter, is very advanced and is very cloud adverse. The government is more prone to move to cloud, but they are also quite advanced in protecting critical data, in at rest, in transit, and in use. OT is...
Factories, especially because of the geopolitical situation in Ukraine, people have start to understand it's important that water, wastewater, electricity, heating, and cooling works under any conditions. It doesn't have to be a missile, it can be a digital missile that causes you problems. That we have all seen in the press. Cyber warfare is becoming more and more important. There, the hackers have different kind of capabilities and resources behind them, which makes it a bigger threat than before. For these purposes, the cybersecurity suite is targeted to our main market, so banking, government, OT. The technology side, if we go to the next slide. Just take them all out. These are the cornerstones of our go-to-market strategy.
First and last, are technology, so Zero Trust and post-quantum safe software solutions in all our five products. The OT in the middle is the huge growing market opportunity, where we have gotten very good results and also responses from the customers. If I compare these three elements, OT is the one where I think we have been the first mover, and we continue to win ground with major customers, be them utilities, machine builders, harbours, ships, where the benefit comes from secure way of maintaining the availability of the factory production equipment or strategic facility equipment, regardless of the environment behind. This is an area where the customers are still struggling, in a sense that many of them don't have CISOs, many of them don't have cybersecurity organization, because they didn't need it before, because the factories were not connected.
Everybody wants to connect the factories to cloud. They want to move the big data to cloud to do artificial intelligence, big data analysis, to understand better what is going on in their production. The OT has proven itself that is really, really going well. Zero Trust is also going well, and that's really something where we also over two years ago, launched the PrivX Zero Trust Suite, and now we are moving to no zero trust edition. Now we are moving to Zero Trust Suite, which is not only PrivX, it's PrivX inside, like the old slogan of Intel. Customers want to go passwordless, keyless. The reality is that they have to be borderless, because firewalls will become irrelevant.
I was meeting one of our big government customers talking about Zero security now with the GL in the U.S., and they said that they understand what we are telling them, that traffic control is more important than blocking people with the gates and walls. In the end, this is a transition. They need to go there, they need to go stepwise. They will continue to buy firewalls for the time being. They understand that the communication security is important. Yeah, good. In that sense, Zero Trust is something that has taken us to the place. PrivX, which is our implementation of Zero Trust, has taken us to a place where customers are interested. We have the highest pipeline ever that I have seen over the last three years.
There is some slowness in decision-making, which I would say consists of two main reasons. One is the internal resources or the cost of outsourced resources or strategic partners to be able to implement changes in their security posture. That means that we are competing with other projects the customer has because they have limited resources and limited budget. The other thing is money. The current situation at the world market is still a little bit of a question mark, so customers are very carefully considering when they do things. It's not about if they do things. To that respect, one of the great things in our biggest ever pipeline is that the average deal size continues to increase significantly.
That's why I'm meeting the customers now here in U.S. for three weeks, to get better understanding what is their appetite, what is their ambition level in being future-proof. That's why the Quantum-Safe, our third cornerstone, is utterly important because it takes us to the tables. Everybody is interested in Quantum-Safe in our customer base, partially because they don't know what it means and how should I do it. It's a lot of education we do to our customers. Once we get in, we can talk about the other topics. It's like Zero Trust was two years ago. It's an interesting marketing gimmick that gives us airspace to talk to customers about what are the steps to go to the Quantum-Safe world.
That leads to the fact that we have started to make deals with Tectia Quantum-Safe , especially. There we can see that if customers have 10,000 super users, maybe 100 of them, they put because they have really critical data, they put on Quantum-Safe. They are not moving full speed to Quantum-Safe, but we can see the trend coming. With the standardization coming, with the establishment of de facto things, Quantum-Safe is big part of the cryptography future. The way we are approaching Quantum-Safe is that the end user or the user of our systems, the super user or the power user, he doesn't have to change anything. Same user interface, same functionality. If certain servers are so critical that you want to have them Quantum-Safe, you can have them Quantum-Safe.
The other ones you can still use traditionally, because implementing new things in the production environment requires a lot of testing, which is resources, and they are limited with resources. We want to help the customer from the maturity level of their cybersecurity posture in a way that you have to classify your data. You have to know where your data is, in which cloud, in which cloud you want to have it, what is the security level of that cloud? There we come back to the Tectia's benefit over the last 20 years, Tectia spoke all the Unix flavors. We speak all the clouds. There are very few customers who are only using one cloud.
If they do, they have found themselves in a position where then they are actually in a not even oligopoly, almost a monopoly, because if you're all your data is in the cloud, what happens to your pricing model, to your cost model, depending on what the supplier does with the pricing? It's like mobile phone subscriptions some 10 years ago. If you tried to compare what is the cost of different networks, what's the quality of the networks, it was difficult to be able to compare because the pricing parameters were different. Now, it's more and more flat internet, free calls, you know what you pay per month, and that's it.
I been talking just last week with the mainframe people of some of our customers, and they said that the challenge is that when you move to cloud, you can't predict the costs. Depending on what is the your use of the data or data in use, it might have huge impact on your IT bill. Some of the cloud vendors have the model that if you just upload data to the cloud, that is utterly cheap. If you delete even the file, it costs more, so you should just take the data and forget it. Doesn't sound very clever. If you start to do transactions, the CPU pricing is relatively demanding. That's why the application structure is changing. What will be in the cloud are data models that message between people and other systems, encrypted, safe.
The application logic moves to run on a browser. This is all good, and I think that's a great architecture that people are targeting for. The first steps on the road are, what do you do tomorrow to go towards that direction? That's where the old traditional protocols for safety, like SSH and RDP protocols, are still needed because the operational systems, especially in critical infrastructure, meaning banks, government, factories, will later move because of their risk profile. They want to keep a working system running. That's why PrivX provides the opportunity to be proven in use and future-proof, and this is very well accepted by our customers, especially now with the addition of the Zero Trust Suite, because then they have a supplier who takes more system responsibility than just a piece of binary code. Next slide, please. There we are.
Back to you, Lauri.
The outlook for the year, I am very optimistic. We don't change the guidance, and this is normal for me, if you remember previous years. First half of the year is difficult because people implement what they have already decided, and now we can see that the typical pattern, the last quarters, there is more business available. We are in a good position. We just have to go after the business. We want to be closer to customers. We still continue to invest in the go-to market, and especially partners. We continue to drive investment in our R&D, which is one of the reasons why our EBITDA remains low, because we see there is a market. We are a small vendor, we are a challenger, and we can see the opportunity. That's why we do it.
Last but not least, that we are improving our internal processes to ensure that we remain as high quality as we are today, and we provide the leading-edge functionality for our customers for a safer cybersecurity future.
Thank you, Teemu.
We could move now to the Q&A section here. The idea is that you can ask to speak via chat, or raise your hand in Teams, or write the question in the chat, and I will read it out loud. Let's give you 10 seconds for that. We have first-
Sorry, Lauri, I think we had one question sent in previously.
Yeah, we
address those also. We always have couple of questions also in advance. We'll come back to them soon. First, Fredrik, floor is yours.
Good morning. This is Fredrik Reuterhäll from Redeye, thank you for the presentations and the numbers. I have a few questions. You continue to invest in marketing, engineering, R&D, as we talked about, right now, sales are rather soft. How will you balance cost versus sales rest of the year?
Well, rest of the year, typically, our market dynamics is that rest of the year is better. We are now focusing on have been focusing on, also in the early years, to be a lot on the fair shows, because we need to get the money from customers, and we need more leads. We focus on lead generation by being actively closer to our customers, and we want to make sure that we close as much business as possible at Q3 with the payment terms. The money, of course, comes a little later, but I think we are in.
With my history, we are in the best position ever to be able to build on the base we have and the growth possibilities we have in sight, that the solution is that we will do more deals and bigger deals than we've done in the first half of the year. I think we have good proof that we are on the right way.
Okay. You mentioned in the report, after the NATO acceptance, that you had some increased interest in NQX and Zero Trust Suite. Will there be any additional cost for you to make these products NATO-ready?
It's an interesting question. Our position is a little bit that we need to do inter-vendor compatibility testing, which is the benefit of the customer. The NATO-relevant market is, of course, relatively limited in its different lines of army organization. Every country has a handful of major customers, and then you have the suppliers supplying to those customers, either products or systems or operational services. The market is relatively granular, and we see that the best way to move forward is to get the customers to commit that they will support the upfront investment, because the business case, just by building a product to worldwide, couple of hundred customers, is not easy. What is on our side is that Europe is a safe place. Finland, as a small country, is even safer place.
If you want to deal with somebody, why not Finland? We are kind of the Israel of European Union. Now we are getting Sweden also on board, so we are looking at cooperation with Sweden and generally in Nordic, that there would be things that we can really tightly work with our customers and see what are the needs they have. At the moment, the business related to NATO is a lot about professional services and providing architectural services. How should you do it? One of the key topics, adding NATO, we can see that in all the customers we talk to, they want to have their military operations to operate regardless of NATO, and they have to be NATO-compatible, so they need NATO gateways.
That means they have to support the NATO standards, and they want to have something that they still control themselves. That would also mean, or has already meant, that we are having discussions about technology transfer, that not only would we sell them binary code, we could maybe license the technology that they can maintain and operate it themselves. With that way, the country can operate it, even if the connection to NATO disappears, That then also the country itself is NATO-safe. Every country has the need to look at, "I am safe, and I'm interacting with NATO." That means every country has the need to develop a little bit bespoke solution for their country.
We are targeting to start, or we have started with the professional services, and we are looking at, especially in Europe, the smaller countries that have Russian border, and because that's the logic we have, that we have the experience of NATO. We are in EU, and we are in NATO. EU market is much more homogeneous, so the government, generally, the government side, there we see a market that is interesting. Our idea is to invest as little as possible on our balance sheet because we don't have the power of the countries. That's why we want to go with professional services. We help the customers to make the architecture, make the implementation plan, be it military or be it general government, and then it will lead to the solutions where our products will play a pivotal role.
In that way, we don't have to use our balance sheet to develop something that has a limited market.
Okay. Thank you very much for that. My last question, how fast did PrivX grew in the quarter? I think it was, like, 9% last quarter.
Michael, you have the numbers.
Yes. The year-to-date growth of PrivX is 20%.
Okay, great. That was all for me. Thank you very much.
Maybe if I can expand a little bit on Fredrik's question, that what we have done over the last years, that we have increased the deal size of PrivX from EUR 70,000 to the sweet spot, EUR 200,000-EUR 250,000, and we continue to grow. What we can see now, and we've seen on the first half of the year, is that once you get bigger deals, subscription deal, that is recurring cost for the customer, that could be half a million, could be EUR 1 million, goes at the customer side, higher level management decisions, which delays the decision-making. With our pipeline, we have proven our product. It's proven in use, the technical people love it, and now they fight for the budget.
That is one of the reasons, even though I think we did quite well the first half of the year, based on our strategy, we haven't done any recapitalization of the company. We are living out of the money coming from customers. We are using that as good as possible to grow organically, as much as possible. In subscription business, almost 10% growth year-over-year, subscription business organically and without capital investment. Good. We are profitable now nine quarters, and many of our competitors are still pouring in capital from the balance sheet or from the owners to keep their growth coming at any cost. We are not planning to grow at any cost.
Thank you, Fredrik, and thank you, Teemu and Michael. Do we have more questions? I have one in advance. You can write or raise your hand. In the meantime, let's take the question which came in advance. What would be, sorry. What would have been the net sales and EBITDA in January, December 2022, and January and June 2023, under the old accounting treatment, licenses and supporters, compared to the subscription-based sales model?
Michael, do you want to take this?
Yes, I can take this. Firstly, just to clarify, it's not an accounting issue per se, how we recognize the revenue. It's based on the agreements we do, whether they are subscription or license-based contracts. Then the question itself, there are several reasons why it's quite difficult to give an exact number on that, and it's quite hypothetical. If we first, looking at the trend in the software business of moving from a license, perpetual license sales towards a subscription model is something that is happening in the market generally, and something that we are participating in and also actively driving strategically. It would be kind of counterintuitive to try to move that backwards towards the licensed sales.
In practical terms, would we have tried to sell or would we have been successful in selling all the subscription sales we did during that period as licensed sales, is very hard to quantify how that would have gone. Would the customers have agreed to purchase licenses? What would the pricing have been? Would the purchases and the purchase decisions have happened faster or slower? What would the split have been between license and maintenance sales? There's a number of variables that are very hard to quantify or calculate. For that reason, it would be very speculative to give a number of what that would have been, if we would have sold only licenses during those periods.
I think what we can say is that, in general, sales revenues would have been higher, because of the nature of the of selling licenses, that you recognize more sales in a shorter period of time. It's very likely that sales would have been higher, and consequently, also, EBITDA would have been higher, if that would have been the case.
I think there are two elements from the customer side. Most of the customers are willing to buy subscription because it comes to the OpEx budget. Pay as you go, leasing cars instead of owning cars. If you take from our side, our engineers are paid by the month anyway, a business model where we get the money as revenue over the contract period is better. If I somehow, and it is, like Michael said, impossible to calculate, but just to give you some idea, the way we do our pricing, the customers have still a choice, and some customers still want to do CapEx investment and have a lower running cost per year after the capital investment. They can do that, and some, very few nowadays do it.
If you compare the pricing of a perpetual license, take a single theoretical deal or stereotypical deal, you can roughly say that a subscription price is based on the idea that you don't only get a working system, you get a system that is being upgraded, gets some more functionality included in the price. You pay in the subscription also R&D price. When the customers ask from us perpetual license versus subscription, the basic idea is that if you buy perpetual, you should be able to write it off over three years. Then you can say, "Do I want to pay it upfront, or do I want to pay it over three years?" That's the CapEx, OpEx question.
That's kind of the only thing I can say that that is our story to customers, that if you want to buy perpetual, think about it, that it's. You would have to write it off in three years, typically. That's the basis of the conversion between perpetual and subscription. Plus, in subscription, you have the extra benefit that you have a living system, and that is important in cybersecurity because the hackers become all the time more intelligent. They have new ideas, so you can't just believe that I buy a virus scanner and leave it there forever. It will not protect you.
You need to buy a subscription because the threat posture is living all the time, and it's better for you if you have a partner on the technology side that makes it as a solution ready for you, that your product stays fresh. It's like if you lease a car, service included, service included plus.
Thank you. Do we have any more questions? You can still raise your hand or write in the chat. Let's wait for five. Not a question, but in the chat. "I just have to say, I'm happy PrivX user. Please keep up the good work." This is also not paid advertisement. Thank you. More questions, comments, or something? Recording, report, and presentation will be available on our webpage. I think that at this stage, we don't have any more questions. Thank you, dear guests. Thank you, Teemu and Michael, for participating in our call. The next major and interesting event, actually, especially for you, will be the SSH Capital Markets Day on 29th of August. It will be a hybrid event, you can attend here in Helsinki, or you can attend remotely.
Please visit our investor page, there you can read more information about Capital Markets Day and register yourself. See you the latest then. Thank you. Great. I will close the call.