Google’s 32 billion dollar Wiz acquisition has created a media frenzy the likes of which is rarely seen, and that’s because every stakeholder in the cybersecurity industry has money to make:
Investors want you to believe their cool cybersecurity investment is worth 1/30th what Google just paid for Wiz
Other vendors want you to believe this is the death of Wiz and it’s time to start the migration process
Wiz wants you to believe Google is going to make them innovate faster, not slower
Google wants you to believe the industry is clamoring for an all-in-one multi-cloud security platform
Influencers, CISOs, etc. want to get some of that social relevancy reaction juice. (Unfortunately, my most-reacted-to post is now a Miley Cyrus meme)
In this blog, I want to cut through all of that and give a more nuanced perspective - one that clearly communicates who wins, who loses, and what it’s too early to tell.
Who wins?
To me, the winners of the Wiz acquisition are pretty clear:
Other security startups, but especially in the Wiz-adjacent Cloud Runtime and AppSec spaces.
Investors, who can now sell a heck of a dream when it comes to cyber investment payouts.
The Wiz team, who I believe had a clear path to achieving 32 billion dollars in value after a few years going public, but now they get it right now instead of in some years.
While other vendors are pitching their solutions as if there’s a frenzy of churn waiting at the door, the real benefit to them is that Wiz is going to finally get distracted…right? Hopefully?
What’s always been scary about Wiz is how well positioned they are to assemble the cloud Triforce - Code, Cloud Posture, and Cloud Runtime (and vulnerability management/CTEM but then I can’t say Triforce). The acquisition will theoretically make them innovate more slowly on code, vulnerabilities, and runtime, and that’s where most of the innovation is happening from other vendors.
In the long run, I think this means especially ASPM and CADR do well, while Tomer from Dazz (their CTO) is busy bathing in the data about to get flooded into Wiz with GCP. CSPM and the evolution of vulnerability ingestion it introduces will continue to be highly competitive from Wiz, as it fits the multi-cloud narrative (and Google’s interests) extremely well. Conversely, I think code and runtime have to suffer, because Google doesn’t currently have much invested in code or runtime workload protection and it’s unclear how it would serve the immediate “multi-cloud security made easy” vision.
Who loses?
It’s really hard to spin this as all that immediately impactful for Wiz’s customers, but it’s also not the kind of thing you get excited about. To be clear, it’s not bad for Wiz customers in the way competitors want it to be. There’s no immediate mass exodus happening - Wiz isn’t going to meaningfully change for years at this point - it’s still a great product, with a great direction, and it seems most of the teams have strong retention incentives. The loss instead is theoretical, long-term, but ultimately likely - that innovation will slow down.
If the best pitch is “Wiz will have more money and AI now, so they can go faster,” we’re in a weird place. It’s possible Wiz yet again beats expectations here and manages to stay innovative while going enterprise, but I’m not drowning in the Wiz Kool-Aid enough to feel confident it will happen - it would certainly be the exception rather than the rule. It’s possible there’s AI something or other that helps here, but I also don’t have enough AI VC cash to speculate that.
It’s also easy to see that this hurts AWS and Azure; the question is just how much it hurts them. Even if Google’s plan is a catastrophic failure in the long run, in the short term it’s a big amount of interest in GCP, and shines the spotlight on AWS’ good-but-disjointed offerings. If the idea of a Google or Microsoft multi-cloud security product seems far off, Amazon’s seems not even started. Amazon’s individual security services, like GuardDuty and Security Hub, have in my estimation always been fine, but they’ve never had a UX pleasing to AWS customers, never mind multi-cloud security users. As an aside, I think GuardDuty is the best out of the box security offering from any cloud provider, and I think AWS cares about that startup adoption curve more than Ms. Enterprise CISO’s multi-cloud single pane of glass vision. Microsoft’s multi-cloud security vision is also taking a hit by having some serious competition.
As an example of the power of the acquisition, multi-cloud, cloud provider security offerings were almost never discussed because they were always so irrelevant, but this acquisition alone brings the conversation front and center.
Too early to tell?
The most exciting part of all this is trying to figure out if Google will win from it. As a certified cool DevOps guy, the idea of a “cool cloud native Multi-cloud Security Presented by Microsoft™” was always giving “hello fellow kids.” Everything in the DevOps/CloudOps/SRE/Platform brain is opposed to getting sucked into the Microsoft ecosystem. Heck, I even got guilted into trying it now that I’m an analyst and just got a bunch of Azure login errors because of some account issue and thought “this seems about right” and gave up. Dear Microsoft friends, I will get back to it, I promise.
However, the idea of “Wiz Presents Multi-Cloud Security (oh and Google owns it but don’t worry about that)” isn’t immediately off-putting the way Microsoft Defender is. I’m open to the idea of Wiz being good, and Google just being the bankroll behind it - like GitHub and Microsoft. Unlike Azure, there are also GCP services I’m open to using - GKE is pretty chill, Firebase is neat, and BigQuery is fun - Wiz is a decent gateway drug to those services.
There’s a massive opportunity here for Wiz to own all of GCP’s security services, and turn Security Command Center from a confusing amalgamation of tools into the leading cloud security solution. If Google’s security services consolidate into Wiz, instead of Wiz’s consolidating into GCP, it will be a force to be reckoned with.
My biggest unknown is if the industry really wants a Multi-Cloud security experience presented by your cloud vendor. On the one hand, cost consolidation and licenses always carry a lot of weight in the security world; once you start down the E-9000 licensing path you never come back. On the other hand, cloud native solutions have often barely understood and supported their own clouds, never mind other vendors.
To put it simply: If cloud vendor multi-cloud security is a thing people want, buying Wiz is the best way Google could make that market happen. But if it’s not something people want, this is going to do almost nothing to help Google besides speculating on big data from other clouds and AI.
It’s worth connecting this to the CNAPP re-bundling from last week - it’s clear that the cloud security industry is ready for what’s next now that we’re done yelling at developers to stop all the critical alerts from flooding in.
As for me and my house, ASPM (with code to cloud) + CADR (runtime for cloud apps) is the way to go, and I don’t know why people are so obsessed with this CNAPP stuff anyways. But more on that later.
Amazing summary. Totally agree on ASPM + CADR (ideally both at runtime).
To address your last paragraph, I personally believe that the people who are obsessed with CNAPP often don't fully understand insecure code (or any code) and that with port 443 wide open inviting attackers in the front door, there's insecure code waiting to be exploited on the other end ... it's the path of least resistance and the most challenging to fix (partly because it involves developers getting involved). Why else would the Verizon DBIR indicate in 2023 that 80% of security incidents involve insecure software?
You have a blog post written on CADR, is CADR like XDR again? Because XDR was this snake oil where you took a log event from a firewall, from a cloud and tried to link them together, which makes 0 sense. Is CADR the same, where you take a log event from CDR, ADR and combine them? This would never work. A cloud event is different from an application event