Cloud Security
,
Cloud-Native Application Protection Platform (CNAPP)
,
Security Operations
Largest Deal in Cyber History Would Help Google Rival Microsoft, Limit Partnerships
Despite all the platformization buzz, there are very few vendors with market-leading capabilities in at least three disparate security technology categories.
See Also: Realities of Choosing a Response Provider
Microsoft has built well-regarded products in endpoint security, email security, security operations and identity and access management, and Palo Alto Networks and Cisco have supplemented native network security strength with acquisitions in other cyber domains. Palo Alto made a series of smaller deals in cloud security and security operations, and Cisco made huge buys in authentication and security operations.
Now a fourth company – Google – is on the precipice of having its own platform story.
The search and public cloud giant developed SIEM capabilities in-house with Chronicle, supplemented them with a $500 million purchase of SOAR provider Siemplify in early 2022 and expanded into incident response and threat intelligence with the $5.4 billion acquisition of Mandiant in late 2022. Now, Google is reportedly eying its biggest and boldest move yet to break into a new cyber domain – cloud security (see: Scaling Threat Intel, Consulting: Mandiant’s Way With Google).
The Wall Street Journal reported Sunday that Google parent Alphabet is in advanced talks to acquire category leader Wiz for roughly $23 billion and said a deal could possibly come together soon. The report was corroborated by Bloomberg, Reuters and The New York Times. Neither Google nor Wiz immediately responded to Information Security Media Group requests for comment on the reports.
An Acquisition for the Record Books
A transaction of this magnitude would be record-setting in multiple respects. It would be by far the biggest acquisition in Google’s quarter-century history, dwarfing the company’s $12.5 billion purchase of Motorola Mobility in 2012. It would also be the largest-ever purchase of a pure-play cybersecurity firm, catapulting above Advent and Permira’s $14 billion buy of consumer cyber firm McAfee in March 2022.
Up until Google’s acquisition offer, Wiz seemed like a surefire bet to be cybersecurity’s next great public company, capturing $350 million of annual recurring revenue and 40% of the Fortune 100 and obtaining a “strong performer” cloud workload security ranking from Forrester in four years since founding. The reported deal price makes it clear how badly Google wants to fend off other suitors or Wiz continuing on its own.
To seal the deal, Google is offering a 91.7% premium over the $12 billion valuation Wiz received just two months ago in conjunction with its $1 billion Series E funding round. A $23 billion valuation would make Wiz the fifth-most-valuable pure-play cybersecurity firm in the world, behind only Palo Alto Networks, CrowdStrike, Fortinet and Zscaler and ahead of industry heavyweights Check Point Software and Okta (see: Why Wiz Is Pursuing Its 2nd Massive Funding Round in 2 Years).
Wiz is on track for this astronomical valuation even though Check Point and Okta’s total sales are nearly seven times larger than Wiz’s ARR, illustrating high levels of projected growth in the cloud security space as well as Wiz’s leadership position in the space. Public cyber firms are often acquired at a 50% premium to their stock price, meaning Google is willing to fork over $5 billion more to get naysayers on board.
From Middle Ground to Microsoft-Lite
Google parent Alphabet’s stock is up $2.68 – or 1.44% – to $189.46 per share in trading midday Monday. The company has up until now forged a middle ground between Microsoft’s strategy of selling products in virtually every security category and Amazon’s strategy of embedding security internally into its tools but relying primarily on partnerships with vendors such as CrowdStrike to offer customers added protection (see: Growing Influence of Hyperscalers in Cybersecurity Markets).
By limiting its cyber tool footprint to security operations and having a more services-focused strategy in areas such as consulting and incident response, Google maximized partnership opportunities with vendors selling products in other cyber categories. Buying Wiz would upend that strategy and bring Google into a rivalry with Palo Alto, whose CEO Nikesh Arora and Chief Business Officer Amit Singh are Google alums.
On the plus side, buying Wiz would enable Google to match Microsoft and bundle cloud computing and cloud security capabilities together without the need for any third-party integrations. Wiz in January got the highest “current offering” rank from Forrester in cloud workload defense, and Forrester praised the company’s agentless cloud workload protection, compliance template mapping, CIEM and container orchestrator protections.
But a weak cloud workload security strategy meant Wiz’s total score came in fourth behind CrowdStrike, Palo Alto Networks and Microsoft, and Forrester chided Wiz for lagging in agent-based cloud workload protection adoption as well as admin user identity and access management reporting and auditing. Wiz in February had 900 employees and at the time planned to add an additional 400 staff members in 2024.
Antitrust Concerns Likely Overblown
Despite Google being in the crosshairs of regulators on both sides of the Atlantic Ocean, antitrust probes are unlikely to sink a potential purchase of Wiz. Neither Google nor Wiz ranked among the seven market share leaders in cloud workload security in 2022, according to IDC, which said control of the market was in the hands of Trend Micro, Palo Alto, Microsoft, CrowdStrike, Check Point, Broadcom and Trellix.
Given that Google’s purchase of Wiz wouldn’t reduce consumer choice, regulators would instead have to determine that the deal poses a threat to national security. This happened in 2018 when President Donald Trump blocked Broadcom’s proposed $117 billion buy of Qualcomm over fears it would give China an edge in mobile technology. Broadcom since moved its headquarters from Singapore to the U.S.
Given that both Google and Wiz are headquartered in the United States – Wiz’s R&D takes place in U.S. ally Israel – national security isn’t likely to come into play here. And the few cybersecurity deals that attracted antitrust scrutiny – notably Thoma Bravo’s $2.3 billion plan to purchase ForgeRock and combine it with identity protection rival Ping Identity – ultimately weren’t scuttled by regulators.
Are the Days of Stand-Alone CNAPP Numbered?
Wiz’s expected sale to Google puts the future of the cloud-native application protection platform space in doubt. Like endpoint security or identity and access management, CNAPP has been seen as large and important enough to sustain one successful public company, and Wiz was increasingly expected to be that company. But if Wiz becomes part of Google, the go-forward prospects for CNAPP become murkier.
Network security titan Fortinet agreed in June to acquire struggling cloud security firm Lacework. The deal came just two months after reports that Wiz was planning to buy Lacework for less than $200 million. If both Lacework and Wiz are scooped up, the remaining stand-alone cloud protection firms would be Sysdig, Orca Security and Aqua Security, which are worth just $2.5 billion, $1.8 billion and $1 billion respectively (see: Fortinet Acquires Unicorn Lacework to Enhance Cloud Security).
Given that cybersecurity vendors are nowadays expected to have at least a $5 billion valuation and $500 million in annual recurring revenue before going public, this would suggest the most likely exit for the remaining cloud security players would be a sale to a financial or strategic buyer. Cloud security would therefore become a feature of a broader platform rather than the foundation for a platform of its own.
Will CNAPP go the way of sandboxing and CASB and become a capability rather than the rationale for a stand-alone company? The fate of the reported talks between Google and Wiz will likely determine the answer to that question.