Why Is Google Buying Cybersecurity Platform Wiz, And What Does AI Have To Do With It
While it’s hard to overstate the brilliant way Wiz was executed, it also had luck on its side. Wiz was founded in February of 2020 (only five years ago!), a timing that couldn’t have been more favorable: just as Covid hit, and enterprises – struggling to enable remote work and keep their businesses running – were abruptly pushed to spin up digital operations in the cloud. This created major concerns for Chief Information Security Officers, for whom the Wiz Cloud Security platform was a godsend.
But as much as Covid turned out to be a massive, unplanned driver of success for Wiz - an even greater, and serendipitous, catalyst may be the AI boom, which erupted almost 3 years after Covid; AI partially explains the hefty price tag – $32B – Google has agreed to pay for the five-year-old startup. This makes Wiz one of the top ten largest M&A deals in the history of tech, by far the largest acquisition ever made by Google, and by far the highest price ever paid for an Israeli company.
The Magic of Wiz
The thing about the cloud is that it is so easy to spin up another virtual machine. Or another process that dumps data into yet another folder. Or add some accounts to an access list configuration. Whatever is necessary to make remote work function smoothly - the self-service model in the cloud removes the traditional friction of filing a ticket and waiting for the IT staff to handle it. This is amazing for productivity, and a nightmare from a security standpoint. It’s almost impossible to keep an up-to-date inventory of all the assets – databases, background processes, applications, customer-facing services – that the organization owns in the cloud; let alone track who can access what, and attempt to enforce the principle of least privilege or other security policies.
The early version of the Wiz product solved it – just like magic – by automatically extracting information about everything you had running in the cloud – any cloud, that is – alongside the relevant access and security configurations. Everything was visualized in one graph, finally enabling organizations to monitor their cloud deployments, detect vulnerabilities and identify risks.
The unique thing about Wiz is the agentless approach. No need to install anything - simply hand over your Cloud API Key(s), so that Wiz can pull data[1] from your cloud provider interfaces (all hyperscalers are supported), and provide visibility into your security posture[2]. The “Switzerland” status – a neutral player integrating with all cloud providers – has allowed Wiz to build close ties, as well as deep integrations, with the different hyperscalers; this is probably why Google would keep Wiz independent post-merger.
The other thing that was magical about Wiz is that, unlike the traditional disruptor route of starting at the bottom of the market, Wiz went after the top-end from the very beginning. It probably helped that Assaf Rappaport, co-founder and CEO, was previously the head of Microsoft Cloud Security, where he had established relationships with the major companies who use Microsoft’s cloud, and had earned their trust[3]. As a result, five-year-old Wiz claims that – despite fierce competition in cloud security – its platform protects 50% of Fortune 100 companies.
A price paid for acquiring a company can largely be attributed across financial and strategic considerations. Wiz has extremely strong financials (according to different reports): a close second to OpenAI’s ChatGPT in terms of time to reach $100M in ARR, recently reaching ~$700M in ARR, while growing at ~70% YoY into an incredibly large TAM. Is it worth thirty-two billion dollars, though? My guess is that there is also a strong strategic component behind Google’s decision here.
There are many strategic reasons for Google to acquire Wiz – mainly around the opportunity to boost its lagging cybersecurity product portfolio – though I am not sure they warrant the aggressive strategic price premium paid in this case; my guess is that the key decision factor had less to do with enhancing Google Cloud’s cybersecurity sales (though it is a very nice benefit!), and more to do with pushing forward Google Cloud’s AI sales.
Google Cloud and AI Strategy
Microsoft Azure enjoys the second largest share of the cloud market, and a leading position amongst large enterprises. During the 2010s shift to the cloud, the world's largest enterprises would, more often than not, trust Microsoft – with its decades-long reputation as a trustworthy IT vendor – over Amazon, a retailer that was suddenly renting storage and processing capacity to startups. As noted above, the Microsoft executive in charge of protecting their Azure deployments was none other than Assaf Rappaport, who left Microsoft in 2020 to found Wiz.
Both Microsoft and Amazon run the typical incumbent playbook when it comes to AI: they are trying to make it into a sustaining innovation, something along the lines of “all AI models taste like chicken, and all of them can be found on AWS[4] as well as on Azure; choose whichever one you like, and just run it where your data already is.”
In contrast, Google – a distant third in terms of cloud market share – likely attempts to make AI into a disruptive force that could change the structure of the cloud market, and boost its position. By promoting the multicloud concept, they try to unbundle cloud services – such as data storage and analysis – from AI services. Google’s hope is that enterprises wouldn’t default to consume AI services from their primary cloud provider, but rather make a separate and well-informed choice of their AI vendor.
That explains why Google is the only player with an integrated approach for building AI: they are hoping to offer a differentiated and more compelling platform. Gemini, the family of Large Language Models trained by Google, using hardware designed by Google, is only available on Google Cloud. Such an approach may, eventually, result in better models, either in terms of performance, or costs (or both).
Google Cloud CEO Thomas Kurian discussed it with Ben Thompson in a Stratechery interview last year:
Thomas Kurian: We started this thing called multicloud, which is, “Don’t be locked into a single cloud provider, allow people to use a choice of cloud provider, allow them to choose the best cloud provider for the task”. So analytics is an area where we did particularly well, we did really well in certain areas, like certain kinds of legacy systems, migrating them, our systems ran them really well because we can handle scale-up in a different way than other people did, and so it allowed us to open a lot of doors.
When AI came along, the first cycle was everybody thinking, “I have to pick a model,” and the model changes every three weeks and so our point was, “You’re chasing the wrong thing when you think about picking a model, what you need to do is to think about a platform”, because you need to integrate it into your heterogeneity and think about the platform first and the model second, and make sure the platform supports a collection of models, because you may choose the latest one from anybody, and so that’s the nature of it.
Ben Thompson: Well, that’s the bit though as to why I’m getting to the question of a reboot, because I think this idea of you’re going to handle, you can have your multicloud, that makes sense given your competitive position in the market, being third place. Do you see AI, though, in all this talk about, “You need to choose a platform? Sure, our platform’s going to be open, you can use it anywhere” — but do you see this as a wedge to be like, “Okay, this is a reboot broadly for the industry as far as cloud goes, and sure, your data may be in AWS, or in Azure, or whatever it might be, but if you have a platform going forward, you should start with us”? Then maybe we’ll look up in ten, fifteen years, and all the center of gravity shifted to wherever the platforms are?
Thomas Kurian: For sure. I mean, it’s a change in the way that people make purchase decisions, right? Ten years ago, you were worried about commodity computing, and you were like, “Who’s going to give me the lowest cost for compute, and the lowest cost for storage, and the lowest cost for networking?”. Now the basis of competition has changed and we have a very strong position, given our capability both at the top, meaning offering a platform, offering models, et cetera, and building products that have long integrated models.
Thompson’s line of questioning implies that AI may be an opportunity for Google to increase their market share, by selling AI services to existing Azure and AWS customers; such opportunities – a paradigm shift of a disruptive nature with the potential of changing the market structure – usually occur once in a decade or two, and, therefore - must be pursued aggressively. And what’s more aggressive than spending $32B – the equivalent of Google Cloud’s total aggregated revenue of the last three quarters – on a single acquisition?
Google Cloud and Wiz
There is one critical hurdle, though, threatening to halt Google’s strategy in its tracks: security concerns. This could be a very good reason to bundle the cloud where your data is stored, together with the cloud that is hosting your AI services. If your data is stored with Azure, just go with Azure AI Foundry; even if Google’s Vertex AI turns out to be cheaper or more performant - would it really be worth the additional exposures and risks?
Every folder or database or piece of data is guarded by access configurations, which reference a pre-defined hierarchy of roles and accounts. If you’re running on Azure – everything is already baked into the Identity and Access Management configuration within Azure, and would be enforced when you use Azure’s AI products. As long as you’re in Azure, you don’t have to worry about it. If you try to run Google’s AI services over data that you have stored in Azure, however, now there’s much to worry about: are you allowing unauthorized access to some of your sensitive data? Might sensitive information somehow leak through the non-deterministic LLMs? Nobody even really knows how they work.
If you’re the CTO of a Fortune 100 company - why would you even bother with this headache? This ain’t Covid. There’s enough time to do things properly. No reason to tolerate elevated security risks.
Unless, perhaps, your cloud security vendor builds all the features required for that headache to go away. Like, really everything that’s needed to make you comfortable with consuming AI from a different cloud vendor. It just so happens, that for half of Fortune 100 companies, that vendor is Wiz. Oh and by the way, it is run by the same guy who – in his previous role as head of Microsoft Cloud Security – you may have trusted with moving your data to Azure in the first place.
Are you now comfortable enough to give Google AI a shot? Well maybe you would, assuming it’s so much better and cheaper compared to Azure AI.
I believe this to be the most important strategic angle, and the key reason Google kept aggressively pursuing this deal[5] (after Wiz rejected the previous offer): Wiz provides Google with access to 50% of Fortune 100 companies, and, most importantly, removes the key blocker standing between Google Cloud and its attempt to lead in the age of AI. It’s revealing that in Google’s announcement of the acquisition, the words multicloud and AI were mentioned almost as many times as the term cybersecurity.
Success is far from guaranteed, though: Google might still fail to differentiate its AI services, despite the integrated approach. Or there could be other reasons why it might fail to sell its AI platform to a meaningful share of Azure / AWS customers. Nevertheless, thanks to the Wiz deal, Google can at least try. Much like the enterprises scrambling to secure ballooning cloud workloads during the early phase of Covid, Google Cloud has been rushing to secure its AI strategy; it remains to be seen whether in this case, too, Wiz would turn out to be a godsend.
Full Disclosure: I used to work for Google, and spent a few years on the Google Security team; none of the above, however, is based on any non-publicly available information I learned while working for Google.
[1] Wiz started with duplicating a customer’s entire cloud setup, and running security assessments against the “digital twin”, without causing interruptions to the primary production copy.
[2] Over time, as Wiz emerged as a dominant cloud security vendor, it developed special partnerships with each of the major cloud providers. Just like anti-virus software used to run in kernel-space, allowing it to access far more information compared to a regular application running in user-space - Wiz is now able to extract more nuanced information – even without installing an agent – thus making its security graph better informed and more effective.
[3] It may also have helped that Wiz was backed by Cyberstarts, an Israeli VC focused on cybersecurity, which manages a network of CISOs.
[4] With the exception of OpenAI models, which cannot be found on AWS; the once-tight partnership between OpenAI and Microsoft does seem to be weakening though.
[5] In addition, the new US administration, which may be more permissive toward big tech acquisitions, may also explain the timing of the deal.