Chris Hughes: [00:00:00] Concerns around vendor lock in with Google and concerns from customers. But there's also something to be said here of what's gonna happen with the other major CSPs, collaborations with Wiz in terms of, how much they're willing to can, share with them about roadmaps, features, functionality, integrations things like that, knowing that they're gonna be working directly, adjacently to their competitor in Google.

Ashish Rajan: So we normally don't do this, but we had 32 billion reasons to do this particular episode. So if you haven't heard, Google Cloud has made it public that they're acquiring a company called Wiz as their biggest cloud security or cybersecurity investment ever, which is really interesting as people who've been talking about cloud security for the past six years.

It also shows the commitment that Google Cloud has but instead of me just talking about what this means and what the trend for cloud security is, I want you guys to hear from other panel members as well. I had a really good panel with Chris Hughes. Mike Privette, Francis Odum, James Berthoty, we all spoke about what this means for people who are potentially gonna be impacted.

People like you, who are listening to this or watching this episode of Security Podcast in terms of what does that mean for CISO, [00:01:00] cybersecurity leaders, practitioners who are already working on a multi-cloud world and trying to figure out, what does that mean? Should I stick with cloud native or should I go with buying a third party product out there?

What does this mean for my security operations team? Is that where cloud security is, by the way? Quick secret Cloud security has gotten beyond CSPM and CNAPP these days, but more on that on another episode. I hope you enjoy this episode. If you have been listening to many of our cloud security podcast episodes over the years, for both offense, defense side, I would really appreciate if we take a moment to hit the subscribe button, whether it's on video platforms like YouTube, on LinkedIn.

Hit subscribe, or it's an audio platform like Spotify or iTunes. Wherever you're listening or watching this, I would really appreciate it if you can hit the subscribe follow button to show us your support. It only takes a few seconds, but means a lot to us. I hope you enjoy this episode and I'll talk to you soon.

Peace. Hello and welcome to another episode of Cloud Security Podcast. I've got a few people here. I've got Mike. Francis Chris James, welcome everyone.

Thank you for coming in and I am super excited for this conversation. And we also [00:02:00] get to know a bit about our guest over here as well. And to keep it a bit spicy.

What I've done is I would ask each one of you to give, a little intro about yourself and also if you are the one winning $30 billion, what would be the first meal you'll have?

Mike Privette: Hey everybody. I'm Mike Privette, founder of Return on Security, where I focus on the cybersecurity economics of our industry.

And if I were the one who just made the kind of life changing money like that, I'd probably keep it low key there. There'd be signs that I would that I would have some extra money. But I'd probably just go to Shake Shack and get like a double just 'cause that sounds really good, like right now.

But that's where I'd probably go.

Ashish Rajan: That's a good one. I Shake Shack is never a bad idea, man. Francis, you're up next man

Francis Odum: Thank you having us. My name is Francis. I'm the founder of the Software Analyst Cyber Research, where we do a lot of advisory and research work across Data, Cloud, AppSec as well as the SOC.

If I were the one you know what, I would just book a flight to, honestly, to Italy right away and [00:03:00] then go have a spaghetti carbonara pasta dish. It's been the food top of mind for me right now. And then yeah, that would be exactly what I would just stick a one wave vacation maybe. And then go enjoy that meal.

Ashish Rajan: Alright. That's a good one. I kinda like that. James, you're up next, man.

James Berthoty: Hello, I'm James. I make engineering content for engineers on cloud and application security and market stuff. I would try to keep it funny and ironic and probably do like ramen noodles or something just so I could.

Ashish Rajan: Fair. I'm Chris you're up.

Chris Hughes: Yeah. Chris Hughes here, CEO at Acqui and also run the Resilient Cyber Podcast and Substack where I write and talk about a little bit of everything around cybersecurity. For me, I do a mix of what folks said there.

Definitely keep it low key in terms of a private meal, but I think I would throw like my five kids and wife on a private jet and roll off to somewhere really nice and take like a private dinner together, do a cool experience.

Ashish Rajan: Oh, I love that. I think of course when you have that, that kinda life changing money, why limit yourself to the local McDonald's I guess why not just go all out. Thank you for the icebreaker. I just thought [00:04:00] for my answer, I was gonna fly to Japan and have some ramen, but that sounds like, I think that was gonna be my thing.

Again, I'm not thinking of an a Michelin star meal, a simple ramen would do for me, but today we're talking about obviously the conversation of the topic for the past 24 hours, 48 hours Wizardry of Google is what we are aiming at. So my question to start off with is the maybe Mike, I'll start with the, with you on this one 'cause I wanna understand what is the current state of cloud security startup as you have seen, cause you obviously cover a lot of that on return security, the investment landscape. And how does this influence the, I guess the venture capital trends that you've been seeing in early stage companies, probably in the same space as cloud security as well.

Mike Privette: Yeah, no it's a good question and I think a lot of the people in the venture capital space for the past several days have been really celebrating.

This is obviously a huge kind of success story. It is an anomaly. I will say that like it's, this is the biggest acquisition in the cyber securities industry to date, as long as it all goes through and checks all [00:05:00] the SEC checks. So that alone is staggering. And so I think a lot of people are happy about that.

And and in the same term, cloud security is, has been a really evolving space, honestly, for the past 10 years. And I think there was a lot of people who were saying, oh man, okay, now, cloud security's on the down and out because the biggest player effectively just got, taken out, which I don't agree with.

But then there, a lot of people are also celebrating hey, now we can finally compete because Wiz is outta the picture, so to speak. I also don't agree with that, I think a lot of people are saying, okay, now that model of cloud security was obviously very successful.

There was one dominant player in that world that evolved from cloud security, posture management and into the CNAPP space and into the cloud runtime detection response and all that, all those new acronyms that we love and hold so dearly. But then, people are saying, okay, now it's wave three.

That's now, it's, now it's the next time to go. So I think many are very excited to see like what comes next with security. So a lot of startups or a lot of [00:06:00] mid-stage companies are very excited about it and people are, have been trying to recreate the success of Wiz now for years.

So I, yeah, I think we'll see more gunning on that angle.

Ashish Rajan: Yeah, I was gonna say, James, do you have some opinion on the over here as well? I guess from a person who works a lot with other cloud security companies and the area as well, are there specific areas you feel there'll be accelerations?

As Wiz goes through this transition period?

James Berthoty: Oh yeah. The scary thing about Wiz was not the immediate product, but the potential of the code and defend products on the ASPM code side and then the runtime defend side there. Those products are good enough that it was a very scary proposition for people really doing a lot of great innovation still on the code and runtime sides, both of which were not where Wiz started, so it was their weakest point, but they were developing super quickly at it. And I think really that's like the sigh of relief that that I feel if I'm trying to help look at these vendors perspective, while I agree that Wiz will still continue to innovate and innovate quickly.

It's [00:07:00] gonna be hard to really continue on both of those fronts at the same velocity as they focus on mergers, looking at big data pictures, integrating with multi clouds more and more. Just the reality is it, I, it opens up innovation for vendors who are trying to do both the runtime stuff and the code stuff.

And so I think that's why I posted the meme I did today of everybody dancing and having a good time because that was the threat, was that Wiz like boxed them out the whole step of the way on it.

Ashish Rajan: Yeah.

James Berthoty: Chris, did you have some thoughts on this as well then?

Chris Hughes: Yeah, I like where James was going with it.

In terms of Wiz having the comprehensive solution in terms of code all the way through runtime, and we see, different players focused on different aspects of that, SDLC, but Wiz had that pool coverage and they were really building out more with code and defend and things like that, that James touched on.

I think the question for a lot of organizations now is gonna be, do they go back to the kind of age old, point solution versus platform debate and focus on one who has maybe ASPM or maybe runtime security covered, or do they stick with someone who has a comprehensive coverage across the board and then maybe take their risk of, being acquired [00:08:00] by Google, right?

And what the impact of Wiz as a product and service. The service you'll get from the supplier, the vendor in this case, will be. So it's gonna be interesting to see how that plays out. I think it's gonna be unique for each organization, depending on their budget, their resources, their expertise, things like that too.

Ashish Rajan: Sure. Francis? Do you have some thoughts as well here, man.

Francis Odum: Yeah just wanted to build upon what everyone has already mentioned, but yes, I think the vendor lock in is a big question. I also think the question is going to be right between those customers who are hybrid or multi-cloud at the moment, I think many of those customers are currently thinking about what does this actually mean for us with Wiz, what are the implications of this?

And then I also think if you're already a GCP shop already, I think you're probably happy or celebrating that you maybe already have this. But I think we need to figure out that dynamic. And I think there's a lot of questions now around we seeso in terms of thinking about what are the consequences of this?

Ashish Rajan: And then I also think there's a question for AWS and Microsoft, what is that relationship going to actually look like going forward? I think it's gonna really be an interesting question. And one last, now I'll just [00:09:00] add together with AppSec and runtime that Chris and James have talked about, I think data security, the DSPM and then increasingly AI-SPM, these were other adjacent areas that, like Wiz was already making quite some moves into like not significant density, the market, but they were making some headways in DSPM and AI-SPM and I do think those guys are also somewhat celebrating too, because they're also like, yep now because there's only so much focus Wiz will do with GCP and I think they're gonna have to pick their battles and they're gonna have to drop some of these huge platform potential. So it's gonna be interesting to see how things evolve.

Maybe 'cause the focus today from at least all of us has been what this means for the customers, the CISO practitioners and others who are looking at this industry 'cause there's a lot of concern that comes in just by, to your point about everyone's mentioned vendor lockin. Everyone's already mentioned the part where there's already a struggle between multi-cloud, for a lot of companies that was the competitive edge that as people talk about in this market, and I don't know [00:10:00] if any enterprise that is not multi-cloud today it'll be surprising if any is. So it almost becomes a, a question where now, traditionally as cloud has been, we've been covering it for six years, and we found that Amazon has always led the raise with AWS.

Ashish Rajan: They were the first to the market followed by Azure with Microsoft's strong footprint in the enterprise land. Now, is this the advantage that Google needed to stick, at least come out, other rank three? 'cause I think from my understanding, and you guys would've looked at the report as well, this is the first time they had five x return on their Google Cloud investment.

This is offer such a long time. It actually looks like it could be profitable in spite of all the investments they've done so far. I'm curious if we feel strongly about what Amazon and Azure, they might have to respond to this anyway. James, do you have some thoughts on this? You seem to be nodding.

James Berthoty: Yeah, I mean it's it's a very interesting play in the sense that I'm open to the idea that first of all, let start by saying, Google has been talking about creating a cloud security tool for a very long time, and this is [00:11:00] definitely, Microsoft positions a Defender the same way where they're always upset when I don't talk about them as being like this multi-cloud amazing thing.

And so definitely this is Google's answer for a multi-cloud security solution and where it matters from like a bottom line driving GCP adoption thing. There are services within GCP that are very good that people should look at adopting, especially around like GKE and auto deploying containerized applications.

Like it is a good cloud for that, where they're gonna have to be really careful is how do you push people towards trusting Wiz as a multi-cloud security solution? Who I like, I believe that both the Wiz team and the Google team genuinely want that to be the case. But then it's all gonna come down to the right way to push people into Google Cloud accounts without making them feel like step one is to create a Google Cloud accounts, access Your Wiz dashboard. So that balance is gonna be the key to this success.

Ashish Rajan: Chris, you have some thoughts as well?

Chris Hughes: No, I really like what he, what James just said. There is something I was gonna mention is like, how do we, Wiz has always had this reputation of having multi-cloud [00:12:00] security coverage across the three largest is providers.

How do you keep that perception, that reputation now with your, being so directly tied to Google without people feeling like you're you're losing some of that autonomy across the ISAs providers and that you won't have to be locked into Google Cloud in particular, to have that multi-cloud security coverage.

Maybe you can use some of the native services from Google where appropriate, but you wanna lean into AWS or Microsoft Azure, et cetera. Still as you have been historically, depending your organization. Being able to balance that and keep that reputation of being somewhat agnostic despite literally being owned by Google now is gonna be a really difficult thread, kind needle to thread.

Ashish Rajan: Yeah. Mike, did you have something as well to add?

Mike Privette: Yeah, I think, part of this goes to the larger story that all of the, honestly, all the service providers have been trying to tell. If you look at like Microsoft and the, run they've had on enterprise security the past couple years, I think like in 2023 they netted like 20 billion in security revenue alone, not even including much of their extra cloud spend. And so they've, all of these major players have tried to center around or create centers of [00:13:00] excellence around security. And you can see over the past several acquisitions from Google with Chronicle many years ago to try to, generate a SIEM, with Mandiant, which is apparently worked out pretty well for them in terms of their response capabilities and forensics.

And so this is just another vote in that kind of same direction. In the same way that cloud service providers have all have their different strengths and weaknesses to kinda lock in different types of workloads and customers. They're now trying to differentiate on the security aspect as well, which Microsoft has had the run of for a while.

And the same people crying, oh, concentration risk are all Microsoft shop people anyway. So it's a it's a bit of a funny point, but so I think this will incentivize some. But then, but since companies are so multi-service and multi-cloud lockin really doesn't make sense.

Like you just kinda use the right tool for the right cloud for the right job. Yeah. Same way the AI world does as well. You go where like the model is or like the easier thing is or the better thing is, and you just adapt. And I think we'll see more of, more customers acting that way.

Ashish Rajan: Francis, do you have some thoughts moment?

Francis Odum: Yeah. Just to beat [00:14:00] up on that, I think. One thing to also remember too is like Wiz was originally built around AWS for the most part. Obviously they've always been independent, but they very much a huge part of the go-to market and success was really built around AWS. And then obviously they had quite a number of partnerships with GCP along the way.

Microsoft was always, you could always like the friction point because Microsoft always had Defender for cloud and Defender for Cloud was quite a decent product on the market. I think on AWS front, we never really knew about their cloud security, but they have a lot of features, like a wide breadth in terms of like just feature capabilities.

But in terms of core cloud security, they never really had it. And Wiz was like a really close partner with AWS. And I do think going forward, it's gonna be really interesting to see how this evolved. And one thing that was very interested in the investor relations call, if you all watch that video yesterday was at towards the end of it.

They mentioned Wiz will be fully integrated within Google Cloud and [00:15:00] that kind of surprised me. 'cause normally with acquisitions at some point you have acquisitions whereby they keep the independent company as like fairly and they retain and keep that brand. And sometimes you just have it where it's just talk out right into GCP.

And my expectation was if Google was smart here. They should have still kept that independent brand of Wiz to at least keep that independence. However, on the call they mentioned, it looks like Wiz will be like fully folded into the core GCP, which you would guess is natural, but brings about all this conflict of interest.

Yeah. Data segregation, you have trust issues and so I think that's, it's gonna be really tricky to see how this evolves. And especially with Microsoft, I think Microsoft is the biggest company because Defender for Cloud is quite a decent product many people use out there, and I think there's gonna be a lot of questions on how that would work.

Chris Hughes: Just to add to Francis' comments real quick goes again to having that autonomy and maintain that independence for Wiz to some extent. And I think this is where may open opportunities for other cloud security players. And then among the three that we've been [00:16:00] talking about, AWS, Microsoft and Google, of course Microsoft as Mike pointed out is the giant in the room in terms of security revenue, and that's because we're focusing a lot on cloud security, which of course is, the topic of discussion here. But there's also broader enterprise security and Microsoft, when it comes to endpoints and things of that nature just has, capabilities and market penetration and coverage that the other two, just historically haven't had.

So I think that still puts 'em in a unique. Unique category to some sense, in terms of their coverage of broader security outside of just cloud.

Ashish Rajan: Yep. And I guess you to what you guys are calling out as well, they're definitely an existing set of tools that are already available from other providers.

But I think the example has come to mind with Microsoft as well, they had Azure Sentinel that they were trying to say as quote unquote multi-cloud, but it wasn't really then Google Cloud came up with. I think something called Security Operation Center, which is what's scanning combined with Wiz to Francis, what you were saying, I think the the CEO of Google Cloud, Thomas Kurian on that investor call, called out that security operation would be that product where eventually Wiz would become integrated with and to me it sounds like, oh, [00:17:00] okay, they already had four quote unquote multi-cloud products that they were trying to go for in all of this.

I was also thinking about, I think, funny enough, Deborah just asked the same question, what does this mean for existing customers? And Christopher was talking about the fact that if someone has asking to change their cloud platform just because they're on Wiz, maybe for trouble, and I share the sentiment in the context that you can't force people to make decisions, but then Google Cloud as a player is trying to, they could literally just be multi-cloud.

As with Mandiant, they have been. Mandiant has been continued to be independent. Maybe the initial phase is that, obviously only time will tell where, what comes in that particular perspective. But where I have always thought about this is a lot of James talks about runtime security. I talk about runtime security.

Francis talks about runtime security. We already know that cloud security is on that verge of the next evolution where we are talking beyond CSPM and CNAPPs. Now. It's no longer just a virtual machine. We have Kubernetes in the mix as well. We have AI workloads, runtime security, NHI, AI security. I can keep throwing acronyms to what Mike was saying earlier but the whole [00:18:00] thing started with the fact that we don't actually have real time capability for understanding security from a security operation perspective.

My thinking with the impact on customers on this would be like, what does this mean for the wider space of real time information on, is it the fact that now runtime security is gonna get a lot more attention because people are gonna be pushed in that direction. Hey, CSPM, CNAPP is no longer enough because it's all native to AWS Azure, Google Cloud cause they've all incorporated that into cloud natively. So the product you're looking for now to get that extra edge for AI-SPM or whatever else you wanna call it, but I'm sure everyone has thoughts on this.

Francis Odum: One thing to just clarify and James obviously talks a lot about runtime, so he has a lot of opinion. One thing to, maybe if we step back a little bit, Google Cloud security or their cloud security offerings, they have four core products. So they have threat intel, Google threat Intel, they have Mandiant that they acquired a few years, which is more around consulting, like more training or more consulting services.

It's attached. And then they have a core SOC, so like an actual SIEM/SOAR [00:19:00] we see amplify and then they always had the security command center. And actually security command center was always what it was like the cloud security product, but never really gained like significant amount of traction.

And obviously that's where Wiz will like help filling that gap. But to question about runtime. When you actually look at those three other products that I actually mentioned, treading tell Mandiant as well as like just the core SOC product. Those were fairly runtime heavy, or you could always say very closely aligned to the SOC.

Right? The SOC highly relies on threat intel to support a lot of the alerts that they're getting with the SIEM, and then if you have like significant more cases you have Mandiant who comes in to help you with IR and whatnot. And I do think they already had this runtime DNA, if you wanna call it, within Google.

And I do think it's gonna be interesting because again, I never, I don't really think Wiz had a, like Wiz was amazing and Gem had a lot of capabilities, but I think now [00:20:00] it really makes Wiz more of a runtime centric, they're gonna be a lot more embedded into the SIEM and within the SOC. It's gonna be a lot more interesting.

I do see more of this runtime conversation happening as a result of where Google Cloud security offerings were already. But maybe James has something to build upon that.

Ashish Rajan: Yeah, I think maybe I just I should probably clarify, I think what I was trying to get to was as well that when I said it means more like cloud security is going beyond CSPM and CNAPP.

Is because most of the enterprises that I'm talking to, they all have started shifting cloud security alerts to the SOC teams now, like security operations have become responsible for looking at security alerts from CSP cloud providers of Wiz and any other cloud security product out there.

I think what this seems to be so far, if you and me, this is like a 10,000 feet view across the board, Google is trying to focus on runtime security. All the vendors and other vendors in the space have been trying to start focusing on runtime security. Security operations in general is becoming the focus point for cloud security now, whether it's your cloud [00:21:00] native on your cloud provider or otherwise, I think I definitely feel there's a trend coming or if it's already there, the most enterprise already doing it. But James, feel free to add more. Man, I think you're definitely a lot. Have an opinion on this as well.

James Berthoty: Yeah, I think a lot of the runtime innovation stuff is still so early

I've been saying it's the year of cloud runtime since 2018, and I'm just happy that it's finally, actually this year. But I fundamentally, I think this is a different play where it's about I don't know how else would how else Google could have entered this market where like, they I'm your standard DevOps person.

And if my CISO said let's take a look at Azure for defending our Kubernetes clusters, I'd be like, okay, no that's not gonna happen. People in the DevOps, dev cloudsec ecosystem like Wiz enough that I'm not just laughing at the idea of a GCP security solution for my AWS clusters now, and that's the advantage to them.

I don't think that when it comes to the more innovative side of things like putting container and application stories together, the stuff that I'm talking about, like some of those advanced workload runtime security stories. I'd have to search [00:22:00] more for the story there. There is a benefit, like what Francis was saying about if you run a more traditional SOC that's based more on like the SIEM.

There is actually I think a little bit of tension between Wiz defend capabilities as like the single pane of glass if you want, for a SOC sort of view. That was very early in getting developed. I think this is much more about the average enterprise cloud security person who is trying to wrangle this massive, complicated multi-cloud infrastructure, do vulnerability analysis, be compliant, deploy secure infrastructure.

This is about winning that customer and opening them into Google's ecosystem as well as getting access to the data of what they're running on those different clouds so that Google can make strategic decisions about what they should develop and where they should strengthen their platform. When it comes to the security specific innovations, that's why I focused on that code and defend side.

I really don't think that factored very much into the calculus here.

Ashish Rajan: Yeah. I think I also, I agree with it. I also want to add that it's it's an interesting [00:23:00] dichotomy for. I guess people who will be tossing between Google Cloud and Wiz Choices at the moment or whatever the other cloud provider may they be looking at. 'cause Azure, as I was saying earlier, Azure Sentinel tried doing this earlier, didn't work because people, even though to what Mike said earlier, most of the enterprises are very Windows heavy shop. Microsoft has dominated that security space for a long time. And even then they were not able to make Azure Sentinel, that one product, it's a uphill battle, especially if you're number three trying to become number two or number one as a Google Cloud. So I think it'll be the, their work would be cut out. Another question which I had, and I think Marina jumped on it as well, is that do we even believe that the SOC currently is equipped or to even understand what a CNAPP alert is. Who wants to do that first? Chris, I think you, yeah,

Chris Hughes: I, yeah, I was just gonna comment on this because I saw this question coming in. I really liked it, and I know James and I have talked about this a good bit. It's like we're focusing a lot on the tech, right?

The tools, the products which is important, but there's a workforce, element to this, a human element to this. And a lot of these [00:24:00] teams in the SOC environments aren't historically haven't been exposed really at depth in terms of skills, knowledge, expertise of cloud environments, whether it's, AWS, Azure, GCP, you name it or more of the kind of DevOps cloud native paradigm that we're used to now with cybersecurity.

So I think that's a factor there. And, that is a, of course a problem, but it also offers an opportunity when we see like the rise of, agentic AI powered SOC type environments that Francis has written so much about is maybe that can accelerate that gap and that knowledge transfer or, if you wanna call it that to that part of the workforce.

'cause they can lean into these technologies to help them make sense of things that they just simply, don't have the experience or exposure to these cloud native environments and technologies like that. So I'm curious Francis and James likely have some commentary on that too.

Francis Odum: I think that dilemma is still there and I quite frankly don't even have an answer in terms of how they're actually gonna go solve for it but there is a skill gap. We know. Obviously I think there's a lot of consult like the Mandiant world and there's a lot of like IR stuff in [00:25:00] and around Google or existing that they have right now that might help before what that talent actually looks like.

But it's going to be one of the big questions they have to ask themselves going forward with this acquisition. And quite frankly, I don't think I have an answer really. I think it's something that everyone's gonna have to figure out eventually. James.

James Berthoty: Yeah, that's definitely no, to answer the question, like as far as does the SOC have the it's not a knowledge issue when we talk about CNAPP, if we think of the posture alerts, like it's not a knowledge thing.

It's just that like a SOC analyst doesn't have access to Terraform to change the deployment and you probably don't want them to. But when it comes to that, and I think that's fundamentally like the Wiz acquisition is fundamentally about like that posture, data visibility problem. And I think that's why this is like less about the SOC because I feel like Mandiant's already doing pretty well from like a SOC standpoint, and it's more about there's this giant market of cloud security that developed and it developed separate from the SOC. And I think this is more about how do we capture that [00:26:00] audience and get them into a cloud provider platform. And I really think a big acquisition like this is like the only way to really do it, or else it comes across as am I really gonna go buy Google's cloud thing for my AWS cluster? Probably not. But with this, it like, it makes me think twice, like maybe I do want to keep using Wiz even though it's owned by Google. If it, it all comes down to that UX and like how they do the transformative process.

Ashish Rajan: Yeah. I think maybe I do wanna call out like the traditionally SOC people have been really amazing at on-premise. They've spent years in it, so they understand. Every thread that comes outta the door, they've basically been experts in all the low level stuff that people security threats have brought in because they have the tools for endpoint.

Nowadays, obviously with the cloud alerts, you can't expect a SOC person to always go back to a cloud security engineer. Or DevOps, DevSecOps person to figure out, Hey, is this a false positive or is this something I should be investigating and calling up an instant response thing? And the funniest thing is, I think we did a recent episode on incident response as well as on Azure, and we're talking about how there are [00:27:00] gaps there as well in terms of how native can you really go versus the actual reality of being native.

That also brings up a gap where if there is innovation, which is probably stalled and if capabilities like the multi-cloud is kept at bay from people, would it really be valuable for people to continue using it or switching because SOC would not still find value from it? I know there are a few questions coming in, but I also on that multi-cloud thing, I'm also curious for people who are considering this world at this point in time who may be customers of Wiz, what does that mean for building a strategy whether this in, however, whichever direction goes, if it becomes agnostic or if it integrates into it, is there something that comes to mind that people should be doing at the moment where in their cloud security program or project to be prepared for this if they were changing anything? If you, to James, what you were saying, if you're Google Cloud, you just don't have to do anything apart from just sit and wait and see what happens.

But if you are some of the other ones like the Azures or the AWS world. I don't know, Mike, did he have some thoughts on this as well, man, as [00:28:00] a former CISO so as well?

Mike Privette: Yeah, I think it really comes down to the risk tolerance of the organization that it is too. Because you have to remember like cloud decisions are well outside of cyber decisions typically.

Yep. A lot of organizations do multi-cloud because they're wary, failover concentration risk, availability zone, getting, knocked out middle of the day. And like a lot of these things, there, there will be the certain risk to averse customer who says, Ooh, I, I don't want to put all my eggs in that one basket just to do cloud security. And then there'll be others who say. It's not really that big a deal. I'll go with them anyway because I believe they're the best on the market right now. And so there, there will be that push and pull. I think there, there is a point of kind of diminishing returns, I think when it comes to resilience on some of these decisions.

Because is it better to use the better tool or is it better to use a different tool that's has a, 0.0, zero, zero, 1% chance of failing over. Just so you can say to the regulators or to your auditors that you've thought about the resiliency aspects of it. There's always a tieback in the business component in addition to the financial aspects of it as well [00:29:00] cause people are, I. Or cost sensitive pretty much all the time when it comes to this stuff. And so then it depends on which bucket of money does this particular spend come out of? Is it a cloud bucket? Is it a cyber bucket? Those are very different buckets, so as much as you want them to play together and they don't talk to your SOC bucket or your AI bucket.

Yeah. So that's a lot of stuff to consider that people are now trying to like risk process through, I think.

Chris Hughes: To add a little bit to what Mike said, I think that's a double-edged sword with the conversation we hear about, concentration risks and vendor locking and things like that.

Because I, as a practitioner, that's worked with a lot of organizations using multiple cloud providers. On the flip side of that concentration risk is complexity. And if you don't have a workforce that's equipped to manage those multiple different cloud providers environments, multiple disparate configurations, getting the systems to talk through one another, like you likely introduce more risk. Trying to do that in a lot of scenarios, depending on your organization's, capacity and capabilities, then you do have, just leaning on one provider and letting them do what they do well. So it's a double edged sword depending on the organization for sure in terms of their maturity.

James Berthoty: I think this all, a lot of [00:30:00] the, what does this mean for a CISO? Should I plan to switch or whatever? It really comes down to how Google handles the actual transition here. And first of all, like there is a flip where if regulators disapprove the deal Wiz makes $3 billion in a new funding round and that is a a scary, all of a sudden the party from all the other vendors turns in the like real scary mode. Aside from that, the it's all gonna come down to how the transition happens. If I was Google, I would let Wiz's brand sort of shine, stay, keep it very separate. Yeah. And just be super light touch about the transition. But if they try to come out and say hey, Wiz's backend is now a hundred percent Google Cloud. Congrats. Like all that. A CISO's mind is just gonna go great. Now my data's in another cloud provider. I gotta freak out about that. And there is a way in which this is successful, but it's gonna come down to the details of how the transition happens.

Ashish Rajan: Keeping it agnostic would be the key.

Francis Odum: Really wanna double click on what James just mentioned there. I think that's so important in terms of retaining Wiz's independent brand whilst seeking in on the company and to, so just wanna double click that. And then just the [00:31:00] other thing I'll just build upon is I think whatever the acquisition will schedule to close at the early in, into 26.

And I do think the terms and the agreements will be very important for CISOs or practitioners to actually look. So actually see in terms of transparency. And also I think Google has to really be very transparent in terms of their terms and agreements in terms of how this will actually unfold. What this means in terms of the data segregation, in terms of when they're scanning assets or looking for misconfigurations on other workload.

What does that look like? So I think transparency on Google's front, I think on practitioner's front, they have to also look very closely at the agreement. So it'd be very interesting. One very quick thing, I just wanted to maybe briefly add to the broader conversation that maybe we haven't brought up is AI, like just in terms of AI models, I'm also trying to justify why Google will pay $32 billion.

We have to think about that. Like this was like a 30 x or about 40 x plus multiple, and I do think AI like Google as a whole, [00:32:00] they're investing significantly in Gemini, right? You, we all know about what they're doing on the AI front, and I do increasingly, I think the bet is also with AI models being deployed on the cloud, they see a significant opportunity for both assets and as well as discovery scanning as a big market that they're actually looking at.

So I think this will interconnect with some parts of what they're thinking about their AI ambitions, the open source ambitions and how they are securing cloud workloads as that market grows. And we stick in a role here, I don't know what that looks like precisely, but I suspect it's probably one of the reasons why you pay this much, especially when we're 15 years into cloud security,

Ashish Rajan: yeah. I think they're saying that the AI market is expected to be about 750 billion, so it's almost almost a hundred times more than the cloud computing market is gonna be. So the multiples already, I'm sure if the deal goes through, it's gonna pay off right by there. But I think you mentioned an interesting point, 'cause when I was reading through this yesterday and we were talking about the whole what does this mean from a Google perspective for whether they have an advantage thanks to [00:33:00] this in the cloud security space, 'cause they were number three. Potentially this means they can come to number one. The AI space was an interesting one because in the AI conversation, even now, at least being the, I guess the race for who would be the default cloud provider for AI, AWS and Microsoft for the two names that keep coming up still with Microsoft, leading that clearly with OpenAI and Google Cloud. Unfortunately, yes, there's Gemini, but they have been more known in that B2C space. Rather than the B2B enterprise space that Google wanted to go into. At least I feel there is that take on this as well for me personally, because enterprise means regulatory compliance is important.

There are these standard pillars, assurances there's a lot that goes into doing security and doing, working in enterprise. Actually I'll be curious to know from Chris as well, 'cause you wanna work with the public sector quite a bit. I guess what do something like this obviously with the regulatory pressure that comes with this and the influence of compliance strategies, what does this mean for regulatory standards where you have to be agnostic in a public [00:34:00] sector or I'm sure there's some regulation for it.

I'll let you explain. What does the impact of this in public sector is?

Chris Hughes: Yeah, this is an interesting one in the public sector in particular because Wiz, I've actually been collaborating with their public sector team a good bit and a lot of great folks over there. They made a lot of solid investments in terms of public relations and solution engineering, you name it, sales, et cetera.

Folks who know this ecosystem and have making a big push into the federal ecosystem with US Federal civilian agencies, department of Defense and things like that. And Google, ironically, has been doing the same shaking off some, bad reputations they had around turning down some work a couple years ago in the DOD space, that they had to recover from.

So they've been making some big hires there too. So both have collectively been pushing into that space. That's one the BD side of things, but in terms of the compliance and regulatory piece, I'll argue that, Google, it's just about as good as anyone in terms of, meeting the multiple disparate, compliance frameworks and helping you navigate that requirements, as a consumer on their platform.

And then, if you have Wiz in the mix of that, you can get that security coverage across multiple cloud environments, not just Google. So it's a really strong play in that regard from my [00:35:00] perspective.

Ashish Rajan: I agree. I think one, one thing I'll definitely call out, and I think Chris can confirm this because. DOD as well as the entire public sectors landscape is primarily, again, AWS and Microsoft. 'cause they've had deep relationships there for years. They've hired people to bring that relationship on board as well.

It'll be really interesting which I I thought about earlier, but I'm gonna bring it up now. 'cause I think once you become part of a another cloud service provider, the advantage you used to have as a external person that you get access to roadmaps for where it's going now. You'll be a step behind on all of that as well.

Now either you're innovating yourself and figuring out a new service comes out from AWS or Azure, how quickly can I get behind it? This was the whole reason why people were against creating their own security solutions in the first place. 'cause oh, how do I keep up with it? But we were fortunate that the cloud security product companies were working closely with these cloud service providers.

But once you tie up closely with one, does that mean the two, the remaining you don't talk to you. It's I think that is still yet to be seen. And maybe that could have impact on the public sector as well.

Chris Hughes: Last [00:36:00] comment from me on that is you raised a good point as we talked a lot about concerns around vendor locking with Google and concerns from customers, but there's also something to be said here of what's gonna happen with the other major CSPs, collaborations with Wiz in terms of, how much they're willing to can, share with them about roadmaps, features, functionality, integrations things like that knowing that they're gonna be working directly, adjacently to their competitor and Google.

So it's gonna be interesting to see how that one plays out, in terms of their partnership with Wiz directly. Yeah. So I'm curious to watch that.

Ashish Rajan: Yeah, same. I think if, and even if they keep it agnostic, I wonder if Amazon and Azure would maintain the reputation of treating it as a separate as a competitor rather than a partner. It'll be really interesting. But I think on that note, I've got another question in terms of success metrics. 'cause I think the conversation started with talking about how cloud security has evolved beyond CSPM and CNAPPs as well now. And we have all these new acronyms that Mike was trying to rattle out, but we ran out of time to rattle out all of them.

Actually, outta curiosity, what does success mean these days in that, in the cybersecurity world for [00:37:00] programs. I'm curious because I think now with this Wiz and Google Cloud I guess whatever ends up happening after the regulatory thing comes through, if they go through or they don't go through.

And do you guys believe that apart from evolution of cloud security to being a beyond CSPM, CNAPP conversation, does this definition of success has changed as well in terms of what used to be a success metric before that I've knocked off all the CSPM alerts. That was the number one priority.

And now what is that now in this world of, we are moving towards runtime security, SOC operations being the people who see cloud security alerts, what does that mean for program success now? What are people using as a measurement or success for the security programs in these modern cloud native environments?

James Berthoty: It's a complex question because I think there's really two buckets and one bucket is people like PagerDuty who are like cloud native SaaS, where I was at like very strong guardrails program. Great. Like when we plugged in a CSPM for example, it wasn't the typical oh, what are we gonna do?

The sky is falling. It was like, oh yeah, we know about what's going on. [00:38:00] And so I think for people, there's a certain part of the market that's that mature. But I think most people are pretty overwhelmed with their current CNAPP misconfiguration stuff and are just looking for ways to, prioritization is the word of the day for security teams.

And I think ultimately that'll transform the remediation because it has to, because in my mind, the reason there's so many alerts is 'cause fixing a single one is just so hard. And so I think there's a few things on the roadmap. There's one on Tamn oon commented earlier, and that's an MDR approach for CNAPP is an interesting idea around it.

It's gonna be about how do we help people actually take action. They've got their CSPM, they've got their CNAPP. They see that there's a ton of issues and how are they gonna actually get those things fixed? And so there's a ton of buzz on the prevention side. I fundamentally, I think that's the strength of ASPM because to me, if you're not using infrastructure as code, like step one of your CSPM journey should be implement infrastructure as code.

And that moves us into the code side. And then on the runtime side, I think just having this my metric for success that I, I dunno if I've [00:39:00] ever achieved is have the SOC troubleshoot a single like container alert without having to involve the DevOps team. Oh. That's like the metric of success ultimately is like, how can we make it so you don't have to go to oh, there's an alert on this pod, I have to call in the chief architect to figure out what it's, what it even means.

Yeah. And so I think those are the two different sides of the equation.

Chris Hughes: Yeah, I love what James said there is I think we're seeing a shift in the industry, and obviously I'm biased. I talk about vulnerability management and AppSec stuff a lot is we're shifting from just finding problems to actually fixing problems and knowing which problems to fix and which ones matter.

And then the AppSec space of course has things like, known exploitation, exploitability, reachability, business contexts and asset data sensitivity, things like that. And then the CSPM side is, looking at the architecture, having attack, paths, visualizations, things like that, that will help you prioritize, where you take action. So I think that's where we're seeing startups and innovators, rally around those kind of things is not just show you more problems, but help you actually fix things.

Ashish Rajan: Yeah, I definitely believe that we are on this path to recognizing where the [00:40:00] gaps are as well, to and what Paul, James and yourself, Chris, what you mentioned about the prioritization.

Although it feels like a bit of a repeat of history, we did try doing auto mitigation in the past. That definitely did not end up well. Hopefully AI probably does it better and filtering out the information that would be there as well.

Francis Odum: I think just to really just emphasize what both of them mentioned is think of Wiz acquired Dazz. So if you actually think about the fact that ever since that rumor acquisition happened in the summer, what happened in the fall was they acquired Dazz.

And again, a big part of Dazz obviously was around this level of prioritization and helping with remediation, which also tells you, you actually need to look at like with this acquisitions to have a really good glimpse of like their prioritizations, right? Like Raftt more on the code side Gem more on, on the CDR runtime side and most recently getting Dazz for, I don't remember this precise amount and I think it tells you as well this is going to increasingly be a part of where we're at now in this cloud security journey. So [00:41:00] just to really build upon that and yeah, so that's what I'll see.

Mike Privette: Yeah, I agree with everybody else's points as well, but it's also recovery, resilience, like that kind of ability to shortcut not just a list of like red blinking lights that say these things are misconfigured. Yeah. It's gonna be important. It's gotta be contextual.

And that's really what the security community wants AI to solve is the context problem and shortcutting that, that path to, taking action quicker. Yeah. So you have the right methods and the right tools to make the decisions like when you need it.

Ashish Rajan: Yep.

And I think there's already a pattern in the AI space, at least what we're talking on, the AI Cybersecurity Podcast. We're also realizing that the innovation is happening around the red team, the the security operations side. There's already work in play for how deep can we find a vulnerability across the entire landscape in spite of, I think one thing has always been the case where send me all the logs was a meme that's been floating around for a long time in security and fortunately now thanks to AI, hopefully we can make some better sense of it before it even reaches a SIEM [00:42:00] provider to reduce the overall cost as well.

Another thing I want to talk about from a success metric a lot of the CISOs that I've been working with across enterprise cost to what we spoke about earlier, has been a big thing this time. And if this could be an advantage for Google Cloud in this context, but if being cloud native means that while you still maintain multi-cloud could mean reduction in cost, that could be a big factor for a lot of companies to use that as success metrics that, hey we've overall reduced the cost that security has causing us by still keeping multi-cloud. That could be one route. If they don't, that's assuming AWS and Azure don't do any more innovation and continue to, which is not possible, but if it was the case, then maybe that could be become a thing.

The other thing that I think of from success metrics is at least onset of security operation getting the importance also means that finally people can talk about what incident response in cloud would look like. I don't think that we've had a conversation about incident response in cloud for a long time too.

Mike, you're point about resilience. If something does happen nine out of ten times, we don't even know if we can actually react to it properly. Can the [00:43:00] security operation person get to the cloud account? They want to be. So I think for me platformization is an interesting question coming up to bring all that together.

The other one has been just measuring right metrics. AI would hopefully make some of that, but I think those are some of the ones key. James, do you have some thoughts as well before I come to the next question, man?

James Berthoty: I think it's important to recognize that a lot of this focus on cloud incident response and my estimation is a reaction to Wiz so thoroughly dominating, like the traditional CSPM asset Vul management, that whole piece of cloud.

Yeah. And I think what'll be interesting is if that continue, like that's considered a solved problem, like dot, dot.by Wiz. And the challenge I think is gonna be like, how much of that if that changes at all, I'm not sure. As a result of this too.

Ashish Rajan: Actually, that brings up another point as well, because your point about the research, like a lot of people were making decisions on which provider to go for based on the research that was coming out from them as well.

They had a lot of researchers who were coming out with Azure vulnerabilities. AWS vulnerabilities and Google Cloud [00:44:00] vulnerabilities.

James Berthoty: Sorry I was gonna say, when you mentioned like if AWS stops talking to them, like I know enough of their researchers are like discovering API endpoints before it feels like AWS is aware that they've launched a service and so like I wasn't super worried about their ability to keep up on that side.

Ashish Rajan: Yeah. And I think apparently they have a program as well now, but I think it goes without saying that. I wonder what this means from a research perspective as well for the cloud space as well. If we actually end up having. But I think it definitely means, what does it mean from a I guess research perspective would be way interesting to unravel. 'cause a lot of decisions were being made on the fact that, oh, the latest research is from Wiz or latest research from X company, Palo Alto, whatever. I wonder how much of that would reduce now and if they would go harder against AWS or Azure? 'cause Google does have Project Zero that they talk about, so I don't know. It'll be really interesting. 'cause I think initially there has been some conversations about, a lot of vendors have to thread lightly with the cloud provider because you don't want to break the relationship. But now that you [00:45:00] are yourself a provider, does that mean you go really hard on the other person? That is yet to be determined.

Chris Hughes: Yeah. Sorry I don't wanna pick on any particular provider. And again, it goes to their outside presence in terms of, penetration and revenue. But Microsoft, as we talked about, has tens of billions of security revenue, but they're also like the perpetual leader on CISA's known exploited vulnerability list.

And they've had. Many visible security incidents, even last year being called a national security threat by members of Congress, but they closed the year with tens of billions of dollars in security revenue, including master federal contracts. So it's quite a conundrum in that regard.

I don't know if it makes an impact or not, to be honest.

Ashish Rajan: Yeah. Yeah. Will yet is yet to be seen. Before we go, what's the final thoughts on this? I know we have a timeline set from Google Cloud on when they'll finish this. Investor and all of that. Maybe we'll have round two at that point in time.

Final thoughts on this particular subject is, I don't even know how many people would talk about this in that much detail as we have over here.

Mike Privette: It's a good story for the security industry. And I also think it's also a nod basically to the public markets or what's not there [00:46:00] anymore because if you remember last time and the story around Google walking away and for whatever reasons from the last time that Google made an offer, it was, we're gonna stick it out on our own. And then now it's a very different term. It's a different year. The market's a very different and, this is just another sign a kind of a vote against going public.

And so I do wonder if we'll see more companies follow that same route this year.

Ashish Rajan: Awesome. Thank you. Francis, any final thoughts?

Francis Odum: Yeah I think one thing we didn't really speak too much about is CrowdStrike. So CrowdStrike actually has a very dominant cloud security product. In fact, just last quarter they reported.

Ashish Rajan: Come on, man. About what? Six? Everyone's equal.

Francis Odum: I think, yeah, just wanted to just raise that again. Just awareness for everyone just think about the cloud security business was growing 600 million ARR, which apparently isn't too far off from Wiz's ARR and then growing about 45% and I. We also, just something to think about is like obviously [00:47:00] CrowdStrike being really close to the Windows environment in terms of like their scanning capabilities and then obviously Wiz not being maybe as strong in terms of Windows versus say Linux type operating system. So I don't know what that looks like, but I think that's just going to be an interesting to see the rise of potentially CrowdStrike or even PaloAlto's role as well. So I do think it's gonna be very interesting to see what happens with those big competitors, even relative to some of the up and coming that we talked about.

I think end up potential thing to just think about too is bundling. We know Microsoft is very skewed at the level of bundling or the E5 licenses. Could we see? We also know Palo Alto has done platformization. CrowdStrike has recently done that actually after their incident. And I do think, will Google do something quite similar in terms of how they bundle their products now with the other existence?

Sim would be interesting to see, and I think the last thing just. More questions for the industry to think about is AI models, right? As we deploy more manage AI models [00:48:00] into cloud environments, what does that whole posture look like? What does that whole scanning capability looks like?

And I think something around cloud and AI will come out of this. I think that's also part of Google's beth around this. I think. We don't know what that looks like, but I think these are just questions we all the industry needs to think about broadly.

Ashish Rajan: Oh, what if Google Cloud gives it for free to everyone and just for using cloud, Google Cloud accounts?

Just give it for free. That, and

Francis Odum: You know why I won't be surprised with that is if you guys know for the last maybe three or four years, Google has been the third, like they've been behind Microsoft as well as AWS in terms of growth, market share and they just haven't been able to grow as fast with those guys.

And I do suspect something like that could happen to juice up the growth for Google Cloud. It's gonna be interesting to see how that plays out.

Chris Hughes: Yeah, just from my perspective, again, looking to see how Wiz, maintains some sense of autonomy and agnostic stance towards the large three CSPs now that they're part of one of the three. And then to Mike's comment, this is something that a friend of [00:49:00] ours, Cole has wrote quite a bit of strategy of security, right? Where he talks about cybersecurity increasingly going private. We did hear earlier that they turned out the deal they were gonna go for the IPO.

Yeah, wait, maybe not. Maybe the market said something differently. And now that now we're seeing cyber, increasingly again, go private again, in this case, we, one of the largest or largest cyber acquisition ever. So something for investors, founders, stuff like that to keep in mind.

And really awesome conversation.

Ashish Rajan: Awesome. James, final thoughts, man.

James Berthoty: I won't take Francis' bait to talk about CrowdStrike. I just gotta keep telling this, but the thing I wanna address is I think I see a certain vein of haters saying the 32 billion was like, how is, this is comical.

How'd this happen? And I think that underestimates like Wiz really could, and I'm struggling to use past tense or not. 'cause I, it's still a possibility, but I think this makes it less. But they could have dominated AppSec, CTEM, CloudSec and the SOC and that's the speculative money question that made the acquisition what it was. 'cause they had a clear path to doing that. And I'm sure, they would want me to say, that's still gonna happen. We, [00:50:00] Google's gonna empower, to, whatever. But it I think that's the, I think the valuation was about correct and I think that puts me in a I don't know. Minority majority, maybe silent majority on it.

I don't know.

Ashish Rajan: No, I mean it de definitely impactful though. I think to, to your meme on your just recently report does a good job of explaining what actually the relief that a lot of people may have had because of that announcement. And again, to your point, if it goes through, but if it doesn't go through, might actually be back.

James Berthoty: We're all back to the hatches. Yeah, it's a scary time. Again,

It's gonna backfire at that point. If it doesn't go through, then people may start oh wait, you guys were saying it's gonna be an amazing experience, blah, blah, blah. But I will leave the social handles for all of your online work that you guys do for everyone on the podcast episode as well.

Ashish Rajan: But thank you so much for tuning in, and thank you everyone who tuned in and shared their opinion as well. And I think love the commentary that went on, and thank you for everyone who's going to tune in later on as well. Thanks. Thank you everyone, and we will chat to you on the next live stream at this point.

Thank you so much. Thank you for doing this. Thank you so much for listening [00:51:00] and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv, we are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity, endpoint all the way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow. Thank you so much for supporting, listening and watching. I'll see you next time.

‍