Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I woke up on Sunday on what I thought was already a somewhat hectic day given the number of important sporting events going on, i.e. the Copa America final, the Euro final, and the Wimbledon final. Imagine my reaction scanning my LinkedIn and TechCrunch to learn about the rumors of Google acquiring Wiz. Initially, I was a bit shocked, but as I started to think more, it made sense. I can see what Google is trying to accomplish, but at the same time, I do think there’s a fair amount of risk.
Google and Wiz
These two companies are so well-known that there’s no real need to introduce them. Google is a well-known technology company. What’s important to note is their current security portfolio. They have Chronicle, Mandiant, and Siemplify. Wiz is a cloud security platform that detects risks across AWS, Microsoft Azure, and Google Cloud. I give a more detailed description of Wiz in my previous post.
Why would Wiz want this?
It’s worth starting to talk about why Wiz would want this. Wiz just announced a raise of $1B about 2 months ago. Wiz was likely in these discussions with Google during the fundraise, but they couldn’t come to a deal in time. Or, they were looking to have more leverage on Google. It’s a lot easier to negotiate when you don’t need an exit — Wiz is doing well and likely can continue to raise money.
Let’s start with an obvious reason for Wiz. An acquisition is an easier path to an exit than an IPO. This isn’t a reason specific to Wiz but how many startups think about exits. It provides liquidity to employees and investors immediately without having to deal with lock-ups and the process of going public. From a purely financial standpoint, there’s opportunity cost and risk to waiting, especially if they believe this is good, which it seems it is. If we believe that Wiz has a run rate of 300M, then a ~75x multiple in an extremely competitive market is an extremely good deal.
Related to this, cybersecurity is a competitive market. If Lacework’s struggles and recent acquisition were any indication, it’s hard to remain competitive in the cloud security market. I talked in previous posts about how Wiz has reached a saturation point with their initial agentless cloud security product where it’s hard to further justify upselling given the limited technological moat. That is, at a certain point, it doesn’t make sense for companies to pay for Wiz. It’s not technically hard to do this. At a very high level, Wiz does some scans of snapshots and calls some APIs.
That’s why they are expanding into a real-time, agent-based product. In my opinion, this is the real value of cloud security, and practically, this is what actually detects real-time threats. In order to fully grasp the environment, they also need to analyze cloud audit logs. This is where Lacework got into trouble since this was their first product, and it turned out to be a major cash burner. The economics never worked out. Either way, there are a lot of failure modes that might substantially slow down growth, and it will require more cash to reach profitability. I wrote about these risks in more detail in the past.
Either way, Wiz needed to expand its platform, and this was evident from the fact that it tried to acquire both SentinelOne and Lacework. This indicates a sense that its ability to keep growing organically is changing.
Google has a lot to offer here. They are a highly profitable company that has a sales team and can put more money both into R&D and GTM without having to raise money and take dilution. The next phase of Wiz’s technological evolution will likely require a substantially different type of talent than what it had to develop its initial product. Google already has this talent. Moreover, Wiz was already trying to better scale its economics. We saw this as they migrated users from Auth0 to Cognito and are finding ways to raise prices to improve gross margins. Google can further help them by reducing their cloud costs.
Overall, this seems like a good deal for Wiz on multiple levels.
Why does Google want to acquire Wiz?
Let’s look at Google’s current portfolio. They primarily have security operations products. They have Chronicle, which is a SIEM, and Siemplify, which is a SOAR product, to augment the SIEM. Finally, they have Mandiant, which is an incident response service. In security, they are providing the detection and response capability. However, they don’t own any of the data that is going into the SIEM, so their product is only as good as the data that’s provided. Similarly, Mandiant helps with the response aspect, but companies hire them only when things have already gone wrong.
Overall, Google has a part of a security platform that I believe is shrinking, i.e. operational security, as SIEMs and SOC tools fall out of popularity. Also, the rise in security engineering will further contribute to this decline.
In broader dynamics, Google is behind Microsoft and AWS in the cloud race by a good amount. Regarding security, AWS has some security features that help companies get started, but it doesn’t have the maturity of Microsoft, which has a whole security platform that’s impressive and can work well even with mature companies who just want to stick to one platform. In other words, AWS is a good starter. Microsoft is good enough if you want to have a primarily IT-focused security function.
The problem is that Google has none of that. It has these SOC tools where the ideal buyer is unclear. However, what’s interesting is that these products are becoming an important part of cloud security. I believe that these cloud security platforms need to expand into doing some form of anomaly detection and response. They can’t just generate the alerts, but they need to correlate with other data to reduce false positives and allow security teams to respond faster. It’s no surprise that Wiz tried to acquire SentinelOne, and endpoint companies like CrowdStrike and SentinelOne acquired log management solutions, i.e. Humio and Scalyr.
Google likely sees Palo Alto Networks and CrowdStrike as its competitors and who it wants to be. However, Google has the capital to do the acquisitions and/or build the capabilities that, in my opinion, both of those companies lack. (Palo Alto Networks lacks an endpoint product, and CrowdStrike lacks a cloud security product.)
Specifically, for Wiz, as described above, Google likely believes that it can fix many of the problems that Wiz faces. Since Google has so many resources and capabilities, they probably think they can take on the business and make it profitable in a few years. It’ll also allow them to be in more cloud-purchasing conversations or any sort of SaaS conversation in general. This is every corporate development team’s goal, but it’s overly ambitious and shows a misunderstanding of the security market. I’ll talk more about this later.
Finally, $23B is a lot of money, but for Google, it isn’t. They had a net income of $82B last year and have over $100B of cash on their balance sheets. Also, since they are such a good business, they can likely get favorable terms on any leverage. A hedge for them is that if this doesn’t work out, they can likely sell this business and not take a full write-off. Overall, it might feel like a worthwhile risk for them.
What is Google getting into?
It’s easy to write about how this deal can go wrong, how it’s overpriced, etc. Google is no stranger to this: they bought YouTube for 1.65B. They invested substantial resources to build Google Chrome. The list goes on. Google has earned the right to take major bets.
A lot of people have been writing on why this acquisition makes sense. Some investors, like Pramod Gosavi, have written that it’ll be a write-off in the near future. There’s a lot more nuance, in my opinion. Google doesn’t do a lot of acquisitions, and they can invest in a good integration process. Where most acquisitions fail is that the acquiring company doesn’t invest properly. There’s a lot of work for Google to do, but fortunately, compared to other companies, they have the resources to do this. I never discount the power of a company with a strong cash balance and cash flow.
So, what does Google need to get right? There are two major areas: GTM and technology.
First, Google needs to understand how to sell enterprise products, especially ones that sell to large enterprises. Let’s be honest. People perceive Google as a consumer company, and its products primarily focus on targeting consumers. They are very good at that. However, selling enterprise products isn’t its forte. They have struggled to grow Google Cloud and compete with Microsoft Office with Google Workspace. The question is whether Google can operate two types of companies.
We haven’t seen this happen in the past with other large technology companies. Amazon has a completely separate consumer business from its cloud business. Microsoft tried to get into the consumer business with Bing, its phone, etc., but it failed and decided to focus on enterprise. Facebook has tried to venture into the enterprise but hasn’t made much progress. Running an enterprise company is fundamentally different, and running a security company has its own nuances. It might need to explore a GM model that many larger companies have adopted. Either way, figuring out how to run Wiz inside of Google is a prerequisite to Google having a successful cybersecurity business.
Next, they have to figure out their overall cybersecurity strategy and offering, especially at its end state. Of course, this requires figuring out GTM first, but let’s just assume for now they have figured that out by hiring the right leaders. One thing that Google has done well is to have strong technology back their products. They did this with search, YouTube, and Google Cloud. However, as we know, better technology doesn’t equal high-performing products as technological advantages wane over time. I do think security is a space where we need better technology, especially given the increase in the number and severity of breaches, and I’ve explained this throughout my blog.
I think cloud security is an area where we especially need this. I can see Google building a competitive platform by improving Wiz’s technology, but it’s likely they will have to continue to acquire because I don’t see Google being able to build from scratch. The missing piece is likely an EDR company. They have some capabilities with ChromeOS, but those are somewhat basic and weak. Maybe an interesting target for them would be SentinelOne or Tanium, but that’s a discussion for another post.
There is potential here, but a lot has to go right. I do think Google has unique advantages with its resources, and I hope they can get this right because it would benefit the security community as a whole.