Sunday, June 21, 2026

Cisco’s Journey to Unified Security Service Edge Deployment


Every CIO faces the same question right now: how do you secure an AI-powered, distributed workforce without adding more complexity to an already overloaded team? Cisco IT faced that question—and built the answer. In 12 months, Cisco IT reduced help desk cases by 18%, cut security incident rates to near zero, and eliminated 20+ legacy VPN options—all while securing AI adoption at scale. Here’s how they did it, according to the engineers.

In earlier blogs, we explored the strategic imperative behind Cisco’s shift to a Zero Trust architecture and examined the organizational blueprint that guided our phased migration to a unified Security Service Edge (SSE) platform. While those perspectives outlined the ‘why’ and the ‘how’ of our high-level transformation, here we pull back the curtain on the engineering reality. As the lead engineers behind this transition, we’ve spent the last year moving from a fragmented, hardware-heavy model to a unified, cloud-native SSE fabric. Here, we share the technical lessons learned on the front lines, the challenges of dismantling legacy infrastructure, and how we re-engineered our security stack to support a modern, AI-ready workforce.

Managing tens of thousands of devices across a global workforce on aging, end-of-life infrastructure wasn’t just an operational grind—it was a technical bottleneck that created significant security debt. We were spending more time ‘stitching’ disparate hardware components together than we were on strategic security posture. We needed to move away from the ‘box-by-box’ management model toward a unified, software-defined fabric.

We knew we had to shift toward an as-a-service model. Manually stitching together various network components created security gaps that hindered visibility and increased our mean time to resolution (MTTR) for incident remediation.

The evolution to SSE

Our SSE transition built on our earlier Zero Trust Access (ZTA) journey. While ZTA secured our distributed workforce, our SSE migration scaled that foundation into a unified, frictionless experience through the Secure Access cloud-delivered platform.

Breaking free from the “operational grind”

Our previous solution relied on twelve global locations and disparate hardware. We found ourselves at a crossroads: either invest in a costly tech refresh of our aging, end-of-life (EOL) infrastructure or pivot to a cloud-delivered model. We chose the latter to future-proof our acquisition tenants and better support our distributed workforce, while simplifying operations, improving the user experience, and increasing security.

The number of components in the service chain was the real challenge. We had so many boxes stitched together. Now, with a single platform, we have best-of-breed Cisco products running in one unified fabric.

Figure 1: Architecting SSE as-a-service: Transitioning from self-managed, on-premises infrastructure to an integrated ‘As-a-Service’ model.

How we took a unified approach

We built upon our existing investment in Cisco Identity Services Engine (ISE) to maintain seamless authentication for VPN, proving that our SSE transformation enhances—rather than discards—foundational security.

We unified our ecosystem to evolve our platform approach:

  • Assurance (Cisco ThousandEyes): Bridged visibility gaps across owned and unowned networks to ensure seamless connectivity.
  • Observability (Splunk): Centralized logs to turn raw data into actionable insights, drastically reducing Mean Time to Resolution (MTTR).
  • Networking (Catalyst SD-WAN): Integrated backhaul tunnels into the SSE fabric, purpose-built for enterprise-to-cloud connectivity.
  • Collaboration (Webex): Ensured collaboration stays secure and high-performing, regardless of user location.

The “crawl, walk, run” methodology

We practiced a “crawl, walk, run” methodology. We didn’t just flip a switch; we phased the rollout, iterating through proofs of concept. When we hit a roadblock, we didn’t just work around it; we partnered with our business units to build that feature into the product—a win for our internal operations and a win for every customer who will use that feature in the future.

Example features we deployed include:

  • VPN Modernization: We needed to sunset aging infrastructure and simplify the user experience. By transitioning from 20+ legacy options to two, we enabled an “auto-select” capability where the client automatically latches onto the closest SSE point of presence. This removed the guesswork for our global workforce, significantly reducing help desk cases.
  • Zero Trust Access: We needed a frictionless way to enable our client-based ZTA service. By moving to certificate-based auto-enrollment, policy is now consumed directly from the client. Users simply click the ZTA-enabled application, and they’re in. The result was a surge of requests from our workforce to add even more applications to the platform.
  • Generative AI Security: We needed to intelligently intercept policy-enabled GenAI applications and steer them to the cloud for visibility and policy enforcement. We deployed this through the Cisco Secure Client Umbrella roaming module. This was critical to increasing our security posture and improving visibility, ensuring we effectively protect Cisco’s sensitive data.
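
The “auto-select” behaviour described in the VPN Modernization bullet can be sketched as a small selection routine. The following is an added illustration, not Cisco Secure Client code: the PoP names, probe samples and the health-gated, median-RTT-with-hysteresis algorithm are assumptions, chosen to show why a client should gate on health and resist flapping rather than jump to whichever PoP answered fastest on the last probe.

```python
"""Illustrative PoP auto-selection for a roaming client (hypothetical code,
not Cisco Secure Client or Secure Access code)."""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional


@dataclass
class PopProbe:
    name: str                                   # PoP identifier (constructed sample names below)
    healthy: bool                               # outcome of a health check against the PoP
    rtt_ms: List[float] = field(default_factory=list)  # recent round-trip samples, in ms

    def score(self) -> float:
        # Median is robust to a single slow probe that a mean would over-weight.
        return median(self.rtt_ms)


def select_pop(probes: List[PopProbe], current: Optional[str] = None,
               switch_margin_ms: float = 15.0) -> Optional[str]:
    """Pick the healthy PoP with the lowest median RTT.

    Hysteresis: if the client is already on a healthy PoP, only move when the
    best candidate beats it by at least `switch_margin_ms`, so a few jittery
    samples don't bounce the tunnel between two nearby PoPs.
    Returns None when no PoP is healthy; the caller decides what to do then.
    """
    healthy = [p for p in probes if p.healthy and p.rtt_ms]
    if not healthy:
        return None
    best = min(healthy, key=lambda p: p.score())
    if current is not None:
        cur = next((p for p in healthy if p.name == current), None)
        if cur is not None and cur.score() - best.score() < switch_margin_ms:
            return current  # improvement too small to justify re-tunnelling
    return best.name


# Constructed sample probe data
SAMPLE = [
    PopProbe("pop-eu-west", True, [42, 45, 40, 44]),
    PopProbe("pop-eu-central", True, [38, 39, 120, 41]),  # one outlier sample
    PopProbe("pop-us-east", False, [95, 97, 96]),          # failed health check
]

if __name__ == "__main__":
    print(select_pop(SAMPLE))                          # pop-eu-central
    print(select_pop(SAMPLE, current="pop-eu-west"))   # pop-eu-west (within margin)
```

A fresh client with no current PoP lands on the lowest-median candidate; a client already on a PoP only a few milliseconds slower stays put, and an unhealthy PoP is never chosen regardless of its latency.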

The ‘Customer Zero’ advantage

We treated our internal deployment as a live lab. By submitting over 100 technical feature requests, our IT team acted as a critical feedback loop for the product engineering teams. We weren’t just users; we were co-developers.

This collaborative engineering partnership allowed us to bake our operational requirements directly into the platform’s roadmap, ensuring the final product was built for the complexities of a modern enterprise.

Intentional friction: The key to stronger security

In our pursuit of a seamless experience, we learned a counterintuitive engineering lesson: not all friction is bad. When it comes to GenAI security, ‘frictionless’ can itself be a security vulnerability. We architected a ‘speed bump’—a deliberate man-in-the-middle inspection point—to allow for real-time Data Loss Prevention (DLP) analysis. It’s an intentional design trade-off: we sacrifice a millisecond of latency for a large gain in data integrity.

When we rolled out our Generative AI (GenAI) security, we didn’t aim for a perfectly “frictionless” experience. As Huber explains, we intentionally introduced a “speed bump.”

It was a balancing act. We were doing something better for the company, even if it caused minor growing pains.

By performing “man-in-the-middle” inspection, we selectively intercepted application flows to provide data loss prevention (DLP).

We weren’t trying to stop people from using GenAI; we were just making sure we paused to evaluate the application and ensure we weren’t leaking sensitive data. Because users understood the ‘why,’ we’ve seen nearly zero tickets—an incident rate of just 0.04%.
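
The ‘speed bump’ described in this section, and in the Generative AI Security bullet earlier, amounts to an inline inspection point that classifies an intercepted prompt before it leaves the enterprise. The following is an added example and not Cisco Secure Access, Umbrella or DLP engine code; the hostnames, policy table, detectors and audit-log shape are all assumptions. It shows the decision flow (allow, redact, block), a Luhn check that keeps ordinary long numbers from being flagged as card data, and one log line per flow of the kind a SIEM such as Splunk would centralize.

```python
"""Illustrative inline inspection point for GenAI traffic: a simplified
stand-in for a DLP 'speed bump' (hypothetical code, not Cisco Secure Access,
Umbrella or DLP engine code)."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy: how a GenAI destination is treated when a prompt
# carries sensitive data. Hostnames are constructed examples.
POLICY: Dict[str, str] = {
    "chat.sanctioned-ai.example": "redact",  # approved app: strip the finding, forward the rest
    "api.unvetted-ai.example": "block",      # not approved to receive sensitive data
}
DEFAULT_ACTION = "block"  # any other GenAI destination seen carrying sensitive data

# Simple content detectors; a production DLP engine uses far richer classifiers.
DETECTORS = {
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),   # 13-19 digits, Luhn-checked below
    "internal_marking": re.compile(r"\b(?:INTERNAL ONLY|CONFIDENTIAL)\b"),
    "api_key": re.compile(r"\bsk_[A-Za-z0-9]{16,}\b"),         # constructed key prefix
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters order/ticket numbers that merely look like cards."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                                   # "allow" | "redact" | "block"
    findings: List[str] = field(default_factory=list)
    body: str = ""                                # what is forwarded upstream ("" when blocked)


def inspect(host: str, body: str) -> Verdict:
    """Inspect one intercepted prompt destined for `host` and decide its fate."""
    findings: List[str] = []
    redacted = body
    for name, pattern in DETECTORS.items():
        for match in pattern.finditer(body):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # fails Luhn: treat as an ordinary number, not a card
            findings.append(name)
            redacted = redacted.replace(match.group(), f"[{name.upper()} REDACTED]")
    if not findings:
        # Clean prompt: forward unchanged. Destination allow-listing is a
        # separate control and is not modelled here.
        return Verdict("allow", [], body)
    action = POLICY.get(host, DEFAULT_ACTION)
    if action == "redact":
        return Verdict("redact", findings, redacted)
    return Verdict("block", findings, "")


def audit_record(host: str, verdict: Verdict) -> str:
    """One JSON line per inspected flow, shaped for forwarding to a SIEM."""
    return json.dumps({
        "dest_host": host,
        "action": verdict.action,
        "findings": sorted(set(verdict.findings)),
        "bytes_forwarded": len(verdict.body.encode()),
    }, sort_keys=True)


# Constructed sample prompts (no real data)
SAMPLES = [
    ("chat.sanctioned-ai.example", "Draft an apology: card 4111 1111 1111 1111 was declined twice."),
    ("chat.sanctioned-ai.example", "Why was ticket 1234567890123 escalated?"),
    ("api.unvetted-ai.example", "Debug this call: token sk_abcdefghijklmnopqrstuv"),
    ("ai.unknown.example", "Translate this CONFIDENTIAL roadmap into Spanish."),
]

if __name__ == "__main__":
    for sample_host, prompt in SAMPLES:
        print(audit_record(sample_host, inspect(sample_host, prompt)))
```

The redact path is what keeps the speed bump from becoming a wall: the sanctioned app still gets a usable prompt, only the sensitive token is removed, while unsanctioned or unknown destinations are blocked outright when a finding is present. The ticket-number sample passes because the Luhn check fails, which is the kind of false-positive control that keeps ticket volume low once users see the inspection is precise.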

Measurable outcomes: Less clicking, more strategy

Since then, we’ve seen an 18% quarterly decrease in help desk cases and hundreds of inquiries resolved autonomously by AI-driven support models, allowing our engineers to focus on strategy rather than ticket triage. Our IT operators now spend less time “stitching together” boxes and more time on strategic planning.

Figure 2: Impact of AI-driven support on ZTA workflows post-SSE enablement, demonstrating an 80% autonomous resolution rate and a reduction in manual ticket triage.

Figure 3: Comparison of support case volumes between legacy VPN services and the SSE transition, illustrating a significant reduction in ticket load post-migration.

Figure 4: Historical case volume trends post-SSE VPN deployment, showing an initial spike in user education inquiries followed by a sustained, consistent decline.

We’re no longer just managing boxes; we’re managing outcomes. By empowering our workforce to connect securely and seamlessly from any location, we ensure the environment is ready for whatever comes next — whether it’s AI-driven workloads or the evolving needs of a distributed workforce.

Lessons learned as customer zero

If you’re considering a similar move, be sure to:

  • Prioritize scaled adoption and cross-functional collaboration.
  • Build a team across IT, Security, and Business units — don’t work in silos.
  • Secure executive sponsorship early.
  • Finally, don’t wait. If you’re managing aging hardware, use these lessons to pivot to a proactive posture before you begin your journey.


Explore more:

Ready to modernize your security and improve observability? Contact your account representative to discuss how Cisco SSE solutions can help your organization.
