Biggest Deal in Cyber History: Google Eyes Cloud Security DominanceBiggest Deal in Cyber History: Google Eyes Cloud Security Dominance In a groundbreaking move, Google is reportedly in advanced talks to acquire cloud security phenom Wiz for a staggering $23 billion. This acquisition would shatter records as Google’s largest ever purchase and the largest for a pure-play cybersecurity company. Implications for the Cyber Landscape This deal would transform Google’s security portfolio, enabling it to rival Microsoft’s comprehensive platform offerings. With Wiz’s cloud workload security capabilities, Google can bundle cloud computing and security without relying on partnerships. Market Impact and Antitrust Concerns While Wiz commands a strong market position, Google’s acquisition is unlikely to raise antitrust concerns. IDC data indicates that neither Google nor Wiz ranks among the top cloud workload security leaders. Regulators would have to demonstrate a threat to national security to block the deal, which is improbable given both companies’ U.S. headquarters. Fate of CNAPP Companies The potential Google-Wiz deal casts doubt on the viability of independent cloud-native application security platform (CNAPP) companies. With Lacework also recently acquired by Fortinet, the remaining standalone players may struggle to reach the critical mass necessary for a public offering. The Future of Cloud Security This acquisition suggests that cloud security may increasingly become a feature within broader platforms rather than a standalone foundation. As vendors are expected to achieve multi-billion dollar valuations and significant recurring revenues before going public, it is likely that the remaining CNAPP companies will be acquired by financial or strategic buyers.
Biggest deal in cyber history would help Google rival Microsoft, limit partnerships
Michael Novinson (MichaelNovinson) •
July 15, 2024
Despite all the buzz around platformization, few vendors have market-leading capabilities in at least three different categories of security technologies.
Also see: Realities of Choosing a Response Provider
Microsoft has built well-regarded products in endpoint security, email security, security operations, and identity and access management, while Palo Alto Networks and Cisco have supplemented native network security strengths with acquisitions in other cyber domains. Palo Alto has made a series of smaller deals in cloud security and security operations, while Cisco has made huge purchases in authentication and security operations.
Now a fourth company is about to launch its own platform story: Google.
The search and public cloud giant developed SIEM capabilities in-house with Chronicle, supplemented them with a $500 million purchase of SOAR provider Siemplify in early 2022, and expanded into incident response and threat intelligence with the $5.4 billion acquisition of Mandiant in late 2022. Now, Google is reportedly considering its biggest, boldest move yet to break into a new cyber domain: cloud security (see: Scaling Threat Intelligence Advice: Mandiant’s Way with Google).
The Wall Street Journal reported Sunday that Google parent Alphabet is in advanced talks to acquire category leader Wiz for about $23 billion, with a deal potentially closing soon. The report was subsequently confirmed by Bloomberg, Reuters and The New York Times. Neither Google nor Wiz immediately responded to requests for comment on the reports from Information Security Media Group.
An asset to the record books
A transaction of this size would be a record on several counts. It would be, by far, the largest acquisition in Google’s 25-year history, surpassing the company’s $12.5 billion purchase of Motorola Mobility in 2012. It would also be the largest purchase ever of a pure-play cybersecurity company, surpassing Advent and Permira’s $14 billion purchase of consumer cyber company McAfee in March 2022.
Until Google’s takeover bid, Wiz seemed like a sure bet to become the next big public cybersecurity company, with $350 million in annual recurring revenue, 40% of the Fortune 100 and a “strong performer” cloud workload security rating from Forrester in the four years since its founding. The reported deal price makes it clear how eager Google is to either fend off other suitors or let Wiz strike out on its own.
To seal the deal, Google is offering a 91.7% premium over the $12 billion valuation Wiz received just two months ago in conjunction with its $1 billion Series E funding round. A $23 billion valuation would make Wiz the fifth most valuable pure-play cybersecurity company in the world, trailing only Palo Alto Networks, CrowdStrike, Fortinet and Zscaler and ahead of industry heavyweights Check Point Software and Okta (see: Why Wiz is Seeking Its 2nd Major Funding Round in 2 Years).
Wiz is on track for this astronomical valuation even though Check Point and Okta’s combined sales are nearly seven times greater than Wiz’s ARR, illustrating a high level of expected growth in the cloud security space, as well as Wiz’s leadership position in the space. Public cyber companies are often acquired at a 50% premium to their stock price, meaning Google is willing to pay $5 billion more to bring adversaries on board.
From the middle road to Microsoft Lite
Shares of Alphabet, Google’s parent company, rose $2.68 — or 1.44% — to $189.46 per share in midday trading Monday. The company has so far found a middle ground between Microsoft’s strategy of selling products in virtually every security category and Amazon’s strategy of building security into its tools internally but relying primarily on partnerships with vendors like CrowdStrike to provide additional protection for customers (see: Growing influence of hyperscalers in cybersecurity markets).
By limiting its cybertools footprint to security operations and adopting a more services-oriented strategy in areas like consulting and incident response, Google maximized opportunities to partner with vendors that sell products in other cyber categories. The Wiz purchase would upend that strategy and pit Google against Palo Alto, where CEO Nikesh Arora and Chief Business Officer Amit Singh are Google alums.
On the plus side, the Wiz purchase would allow Google to rival Microsoft and bundle cloud computing and cloud security capabilities without the need for third-party integrations. Wiz earned Forrester’s highest “current offering” ranking in cloud workload defense in January, with praise for Wiz’s agentless cloud workload protection, compliance template mapping, CIEM and container orchestrator protection.
But a weak cloud workload security strategy meant Wiz’s overall score fell to fourth place, behind CrowdStrike, Palo Alto Networks and Microsoft, with Forrester criticizing Wiz for lagging in adoption of agent-based cloud workload protection and reporting and auditing of admin user identity and access management. Wiz had 900 employees in February and planned to add another 400 staff by 2024.
Antitrust concerns likely overblown
Despite Google being in the crosshairs of regulators on both sides of the Atlantic, antitrust scrutiny is unlikely to derail a potential Wiz acquisition. According to IDC, neither Google nor Wiz are among the top seven cloud workload security leaders in 2022, with Trend Micro, Palo Alto, Microsoft, CrowdStrike, Check Point, Broadcom and Trellix holding the market.
Since Google’s purchase of Wiz wouldn’t limit consumer choice, regulators would instead have to determine that the deal poses a threat to national security. This happened in 2018, when President Donald Trump blocked Broadcom’s proposed $117 billion purchase of Qualcomm over concerns that it would give China an edge in mobile technology. Broadcom has since moved its headquarters from Singapore to the U.S.
Given that both Google and Wiz are headquartered in the United States – with R&D for the latter happening in U.S. ally Israel – it’s unlikely that national security concerns will come into play here. And the few cybersecurity deals that attracted antitrust scrutiny – most notably Thoma Bravo’s $2.3 billion plan to buy ForgeRock and combine it with identity protection rival Ping Identity – were ultimately not thwarted by regulators.
Are the days of an independent CNAPP numbered?
The expected sale of Wiz to Google casts doubt on the future of the cloud-native application security platform space. Like endpoint security or identity and access management, CNAPP is seen as large and important enough to sustain a single, successful public company, and Wiz was increasingly expected to be that company. But if Wiz becomes part of Google, the outlook for CNAPP will become murkier.
Network security giant Fortinet agreed to acquire struggling cloud security company Lacework in June, with the deal coming just two months after reports that Wiz was planning to buy Lacework for less than $200 million. If both Lacework and Wiz are acquired, the remaining standalone cloud security companies would be Sysdig, Orca Security and Aqua Security, which are worth just $2.5 billion, $1.8 billion and $1 billion respectively (see: Fortinet Acquires Unicorn Lacework to Enhance Cloud Security).
Given that cybersecurity vendors today are expected to have valuations of at least $5 billion and annual recurring revenues of $500 million before they go public, this would suggest that the most likely exit for the remaining cloud security players would be a sale to a financial or strategic buyer. Cloud security would therefore become a feature of a broader platform rather than the foundation for a proprietary platform.
Will CNAPP go the same way as sandboxing and CASB and become a possibility rather than the reason for a standalone company? The fate of the reported talks between Google and Wiz will likely determine the answer to that question.
