Every CIO faces the same question right now: how do you secure an AI-powered, distributed workforce without adding more complexity to an already overloaded team? Cisco IT faced that question and built the answer. In 12 months, Cisco IT reduced help desk cases by 18%, cut security incident rates to near zero, and eliminated 20+ legacy VPN options, all while securing AI adoption at scale. Here’s how they did it, according to the engineers.
In earlier blogs, we explored the strategic imperative behind Cisco’s shift to a Zero Trust architecture and examined the organizational blueprint that guided our phased migration to a unified Security Service Edge (SSE) platform. Those perspectives covered the “why” and the “how” of the high-level transformation; here we pull back the curtain on the engineering reality. As the lead engineers behind this transition, we’ve spent the last year moving from a fragmented, hardware-heavy model to a unified, cloud-native SSE fabric. We share the technical lessons learned on the front lines, the challenges of dismantling legacy infrastructure, and how we re-engineered our security stack to support a modern, AI-ready workforce.
Managing tens of thousands of devices across a global workforce on aging, end-of-life infrastructure wasn’t just an operational grind; it was a technical bottleneck that created significant security debt. We were spending more time “stitching” disparate hardware components together than on our strategic security posture. We needed to move away from the box-by-box management model toward a unified, software-defined fabric.
We knew we had to shift toward an as-a-service model. Manually stitching together numerous network components created security gaps that hindered visibility and increased our mean time to resolution (MTTR) for incident remediation.
The evolution to SSE
Our SSE transition built on our earlier Zero Trust Access (ZTA) journey. ZTA secured our distributed workforce; the SSE migration scaled that foundation into a unified, frictionless experience delivered through the cloud-based Cisco Secure Access platform.
Breaking free from the “operational grind”
Our previous solution relied on twelve global locations and disparate hardware. We found ourselves at a crossroads: either invest in a costly tech refresh of our aging, end-of-life (EOL) infrastructure or pivot to a cloud-delivered model. We chose the latter to future-proof our acquisition tenants and better support our distributed workforce, while simplifying operations, improving the user experience, and strengthening security.
The number of components in the service chain was the real challenge. We had too many boxes stitched together. Now, with a single platform, we have best-of-breed Cisco products running in one unified fabric.
Figure 1: Architecting SSE as a service: transitioning from self-managed, on-premises infrastructure to an integrated “as-a-service” model.
How we took a unified approach
We built upon our existing investment in Cisco Identity Services Engine (ISE) to maintain seamless authentication for VPN, proving that our SSE transformation complements, rather than discards, foundational security.
We unified our ecosystem to evolve our platform approach:
- Assurance (Cisco ThousandEyes): Bridged visibility gaps across owned and unowned networks to ensure seamless connectivity.
- Observability (Splunk): Centralized logs to turn raw data into actionable insights, drastically reducing mean time to resolution (MTTR).
- Networking (Catalyst SD-WAN): Integrated backhaul tunnels into the SSE fabric, purpose-built for enterprise-to-cloud connectivity.
- Collaboration (Webex): Ensured collaboration stays secure and high-performing, regardless of user location.
The “crawl, walk, run” methodology
We practiced a “crawl, walk, run” methodology. We didn’t just flip a switch; we phased the rollout, iterating through proofs of concept. When we hit a roadblock, we didn’t just work around it; we partnered with our business units to build that feature into the product, a win for our internal operations and a win for every customer who will use that feature in the future.
Example solutions we deployed include:
- VPN modernization: We needed to sunset aging infrastructure and simplify the user experience. By consolidating 20+ legacy options down to two, we enabled an “auto-select” capability in which the client automatically latches onto the closest SSE point of presence (PoP). This removed the guesswork for our global workforce and significantly reduced help desk cases.
- Zero Trust Access: We needed a frictionless way to enable our client-based ZTA service. By moving to certificate-based auto-enrollment, policy is now consumed directly from the client. Users simply click the ZTA-enabled application, and they’re in. The result was a surge of requests from our workforce to add even more applications to the platform.
- Generative AI security: We needed to intelligently intercept policy-enabled GenAI applications and steer them to the cloud for visibility and policy enforcement. We deployed this through the Cisco Secure Client Umbrella roaming module. This was critical to strengthening our security posture and improving visibility, ensuring we’re effectively protecting Cisco’s sensitive data.
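As an added illustration, not code from Cisco IT or from Secure Access, the following Go program shows the mechanism behind the certificate-based ZTA enrollment described above: a managed device presents a client certificate issued by an enterprise device CA, and the enforcement point verifies the chain and validity period before consulting the application’s entitlement list. The CA name, device ID, user addresses, application names and the policy map are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the enterprise device CA that auto-enrollment issues from (illustrative only).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed device CA. A real deployment keeps this key in an HSM or managed PKI.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert mints the client-auth certificate a managed device enrolls with. The device
// ID goes in the Subject CN and the owning user in an email SAN; policy keys off those fields.
func (c *CA) IssueDeviceCert(deviceID, user string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: deviceID}, EmailAddresses: []string{user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, c.Cert, &key.PublicKey, c.Key)
}

// Policy maps a published application to the users entitled to it (constructed sample data).
type Policy map[string][]string

// Authorize is the check an enforcement point runs when a user clicks a ZTA-enabled application: the
// certificate must chain to the device CA and be valid for client auth at time now, and the user it
// names must be entitled to app. It returns nil to allow and an error stating the reason to deny.
func Authorize(cert *x509.Certificate, roots *x509.CertPool, pol Policy, app string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("device certificate rejected: %w", err)
	}
	if len(cert.EmailAddresses) != 1 {
		return fmt.Errorf("device certificate must carry exactly one user identity")
	}
	user := cert.EmailAddresses[0]
	for _, u := range pol[app] { // unpublished app: nil slice, so the request is denied below
		if u == user {
			return nil
		}
	}
	return fmt.Errorf("user %s on device %s is not entitled to %q", user, cert.Subject.CommonName, app)
}

func main() {
	ca, _ := NewCA("Example Corp Device CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	pol := Policy{"payroll": {"alice@example.com"}, "wiki": {"alice@example.com", "bob@example.com"}}
	now := time.Now()
	dev, _ := ca.IssueDeviceCert("LAPTOP-0042", "bob@example.com", now.Add(24*time.Hour))
	fmt.Println("bob -> wiki:", Authorize(dev, roots, pol, "wiki", now))
	rogue, _ := NewCA("Rogue CA") // a certificate from any other CA fails before entitlement is consulted
	forged, _ := rogue.IssueDeviceCert("LAPTOP-0042", "alice@example.com", now.Add(24*time.Hour))
	fmt.Println("forged alice -> payroll:", Authorize(forged, roots, pol, "payroll", now))
}
```

The point of the ordering in Authorize is that identity is established by the chain before any policy lookup happens: a certificate from a CA outside the trust pool, or one past its NotAfter, never reaches the entitlement list, so the user-facing “click and you’re in” experience costs nothing in rigor.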
The “Customer Zero” advantage
We treated our internal deployment as a live lab. By submitting over 100 technical feature requests, our IT team acted as a critical feedback loop for the product engineering teams. We weren’t just users; we were co-developers.
This collaborative engineering partnership allowed us to bake our operational requirements directly into the platform’s roadmap, ensuring the final product was built for the complexities of a modern enterprise.
Intentional friction: The key to stronger security
In our pursuit of a seamless experience, we learned a counterintuitive engineering lesson: not all friction is bad. When it comes to GenAI security, “frictionless” can itself be a vulnerability. We architected a “speed bump,” a deliberate man-in-the-middle inspection point, to allow real-time data loss prevention (DLP) analysis. It’s an intentional design trade-off: we give up milliseconds of latency for a large gain in protection of sensitive data.
When we rolled out our Generative AI (GenAI) security, we didn’t aim for a perfectly “frictionless” experience. As Huber explains, we deliberately introduced a “speed bump.”
It was a balancing act. We were doing something better for the company, even if it caused minor growing pains.
By performing “man-in-the-middle” inspection, we selectively intercepted application flows to provide data loss prevention (DLP). Interception of this kind depends on managed endpoints that trust the inspection CA, and applications that pin their certificates must be handled as explicit exceptions rather than left to break silently.
We weren’t trying to stop people from using GenAI; we were making sure we paused to evaluate the application and confirm we weren’t leaking sensitive data. Because users understood the “why,” we’ve seen nearly zero tickets, an incident rate of just 0.04%.
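The speed bump in code, as an added example rather than Cisco’s implementation: a Go sketch of the selective interception described in the GenAI bullet above and in this section, in which flows to destinations outside the GenAI policy pass through uninspected while flows to policy-enabled GenAI hosts are held for DLP checks and then allowed or blocked. Hostnames, detector patterns and sample prompts are constructed; the Luhn filter is the kind of false-positive control that keeps an inspection point from becoming a ticket generator.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Request is the part of a decrypted HTTP request the inspection point looks at.
// In an SSE proxy it comes from the TLS-intercepted flow; here it is constructed.
type Request struct {
	Host string
	Body string
}

// Verdict is the inspection outcome: "bypass" (not a GenAI app, so no speed bump),
// "allow" (inspected, clean) or "block" (inspected, sensitive data found).
type Verdict struct {
	Action  string
	Reasons []string
}

// genAIApps lists the destinations subject to the speed bump. Hostnames are made up.
var genAIApps = map[string]bool{
	"chat.genai-vendor.example":    true,
	"api.assistant-vendor.example": true,
}

// DLP detectors. The card pattern is deliberately broad; luhnValid removes the
// false positives (order numbers, ticket IDs) a bare digit pattern would produce.
var (
	cardRe       = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
	privateKeyRe = regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)
	labelRe      = regexp.MustCompile(`(?i)\b(?:confidential|internal only|restricted)\b`)
)

// luhnValid reports whether a digit string (spaces and dashes allowed) passes the Luhn check.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Inspect runs the DLP detectors over a request body and returns one reason per finding.
func Inspect(body string) []string {
	var reasons []string
	for _, m := range cardRe.FindAllString(body, -1) {
		if luhnValid(m) {
			reasons = append(reasons, "payment card number")
		}
	}
	if privateKeyRe.MatchString(body) {
		reasons = append(reasons, "private key material")
	}
	if m := labelRe.FindString(body); m != "" {
		reasons = append(reasons, "classification label: "+m)
	}
	return reasons
}

// Route is the speed bump itself: flows to non-GenAI destinations are not inspected,
// flows to policy-enabled GenAI apps are held for DLP and then allowed or blocked.
func Route(req Request) Verdict {
	if !genAIApps[strings.ToLower(req.Host)] {
		return Verdict{Action: "bypass"}
	}
	if reasons := Inspect(req.Body); len(reasons) > 0 {
		return Verdict{Action: "block", Reasons: reasons}
	}
	return Verdict{Action: "allow"}
}

func main() {
	// Constructed sample prompts; 4111 1111 1111 1111 is the classic Luhn-valid test number.
	for _, r := range []Request{
		{"intranet.example", "card 4111 1111 1111 1111"},                        // bypass: not a GenAI app
		{"chat.genai-vendor.example", "Summarize our Q3 roadmap"},               // allow
		{"chat.genai-vendor.example", "order 1234 5678 9012 3456 is late"},      // allow: fails Luhn
		{"chat.genai-vendor.example", "refund card 4111 1111 1111 1111 please"}, // block
		{"api.assistant-vendor.example", "Rewrite this INTERNAL ONLY memo"},     // block
	} {
		v := Route(r)
		fmt.Printf("%-30s %-6s %v\n", r.Host, v.Action, v.Reasons)
	}
}
```

The bypass branch is what makes the friction selective: only traffic the policy names pays the inspection cost, which is how the latency trade-off stays small. In a real deployment the detector set would be tuned to the organization’s own classification labels and secret formats, and the block verdict would carry the user-facing explanation that, as the section notes, is what keeps ticket volume down.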
Measurable outcomes: Less clicking, more strategy
Since then, we’ve seen an 18% quarterly decrease in help desk cases, and hundreds of inquiries are now resolved autonomously through AI-driven support models, allowing our engineers to focus on strategy rather than ticket triage. Our IT operators spend less time “stitching together” boxes and more time on strategic planning.
Figure 2: Impact of AI-driven support on ZTA workflows post-SSE enablement, showing an 80% autonomous resolution rate and a reduction in manual ticket triage.
Figure 3: Comparison of support case volumes between legacy VPN services and the SSE transition, illustrating a significant reduction in ticket load post-migration.
Figure 4: Historical case volume trends post-SSE VPN deployment, showing an initial spike in user education inquiries followed by a sustained, consistent decline.
We’re not just managing boxes; we’re managing outcomes. By empowering our workforce to connect securely and seamlessly from any location, we ensure the environment is ready for whatever comes next, whether that is AI-driven workloads or the evolving needs of a distributed workforce.
Lessons learned as Customer Zero
If you’re considering a similar move, be sure to:
- Prioritize scaled adoption and cross-functional collaboration.
- Build a team across IT, Security, and business units; don’t work in silos.
- Secure executive sponsorship early.
- Finally, don’t wait. If you’re managing aging hardware, use these lessons to pivot to a proactive posture before you begin your journey.
Explore more:
Ready to modernize your security and enhance observability? Contact your account representative to discuss how Cisco SSE solutions can help your organization.
