Every CIO faces the same question right now: how do you secure an AI-powered, distributed workforce without adding more complexity to an already overloaded team? Cisco IT faced that question—and built the answer. In 12 months, Cisco IT reduced help desk cases by 18%, cut security incident rates to near zero, and eliminated 20+ legacy VPN options—all while securing AI adoption at scale. Here’s how they did it, according to the engineers.
In earlier blogs, we explored the strategic imperative behind Cisco’s shift to a Zero Trust architecture and examined the organizational blueprint that guided our phased migration to a unified Security Service Edge (SSE) platform. While those perspectives outlined the ‘why’ and the ‘how’ of our high-level transformation, here we pull back the curtain on the engineering reality. As the lead engineers behind this transition, we’ve spent the last 12 months moving from a fragmented, hardware-heavy model to a unified, cloud-native SSE fabric. Here, we share the technical lessons learned from the front lines, the challenges of dismantling legacy infrastructure, and how we re-engineered our security stack to support a modern, AI-ready workforce.
Managing tens of thousands of devices across a global workforce with aging, end-of-life infrastructure wasn’t just an operational grind—it was a technical bottleneck that created significant security debt. We were spending more time ‘stitching’ disparate hardware components together than we were on strategic security posture. We needed to move away from the ‘box-by-box’ management model toward a unified, software-defined fabric.
We knew we had to shift toward an as-a-service model. Manually stitching together numerous network components created security gaps that hindered visibility and increased our mean time to resolution (MTTR) for incident remediation.
The evolution to SSE
Our SSE transition built on our earlier Zero Trust Access (ZTA) journey. While ZTA secured our distributed workforce, our SSE migration scaled that foundation into a unified, frictionless experience via the Secure Access cloud-delivered platform.
Breaking free from the “operational grind”
Our previous solution relied on twelve global regions and disparate hardware. We found ourselves at a crossroads: either invest in a costly tech refresh of our aging, end-of-life (EOL) infrastructure or pivot to a cloud-delivered model. We chose the latter to future-proof our acquisition tenants and better support our distributed workforce, while simplifying operations, improving the user experience, and increasing security.
The number of components in the service chain was the real problem. We had so many boxes stitched together. Now, with a single platform, we have best-of-breed Cisco products running in a single unified fabric.


Figure 1: Architecting SSE as-a-service: Transitioning from self-managed, on-premise infrastructure to an integrated ‘As-a-Service’ model.
How we took a unified approach
We built upon our existing investment in Cisco Identity Services Engine (ISE) to maintain seamless authentication for VPN, proving that our SSE transformation complements—rather than discards—foundational security.
We unified our ecosystem to evolve our platform approach:
- Assurance (Cisco ThousandEyes): Bridged visibility gaps across owned and unowned networks to ensure seamless connectivity.
- Observability (Splunk): Centralized logs to turn raw data into actionable insights, drastically reducing Mean Time to Resolution (MTTR).
- Networking (Catalyst SD-WAN): Integrated backhaul tunnels into the SSE fabric, purpose-built for enterprise-to-cloud connectivity.
- Collaboration (Webex): Ensured collaboration stays secure and high-performing, regardless of user location.
The “crawl, walk, run” methodology
We practiced a “crawl, walk, run” methodology. We didn’t just flip a switch; we phased the rollout, iterating through proofs of concept. When we hit a roadblock, we didn’t just work around it; we partnered with our business units to build that feature into the product—a win for our internal operations and a win for every customer who will use that feature in the future.
Example solutions we deployed include:
- VPN Modernization: We needed to sunset aging infrastructure and simplify the user experience. By transitioning from 20+ legacy options to two, we enabled an “auto-select” capability where the client automatically latches onto the nearest SSE point of presence. This removed the guesswork for our global workforce, significantly reducing help desk cases.
- Zero Trust Access: We needed a frictionless way to enable our client-based ZTA service. By moving to certificate-based auto-enrollment, policy is now consumed directly from the client. Users simply click the ZTA-enabled application, and they’re in. The result was a surge of requests from our workforce to add even more applications to the platform.
- Generative AI Security: We needed to intelligently intercept policy-enabled Gen-AI applications and steer them to the cloud for visibility and policy enforcement. We deployed this via the Cisco Secure Client Umbrella roaming module. This was critical to increasing our security posture and improving visibility, ensuring we’re effectively protecting Cisco’s sensitive data.
The ‘Customer Zero’ advantage
We treated our internal deployment as a live lab. By submitting over 100 technical feature requests, our IT team acted as a critical feedback loop for the product engineering teams. We weren’t just users; we were co-developers.
This collaborative engineering partnership allowed us to bake our operational requirements directly into the platform’s roadmap, ensuring the final product was built for the complexities of a modern enterprise.
Intentional friction: The key to stronger security
In our pursuit of a seamless experience, we learned a counterintuitive engineering lesson: not all friction is bad. When it comes to GenAI security, ‘frictionless’ can be a security vulnerability. We architected a ‘speed bump’—a deliberate man-in-the-middle inspection point—to allow for real-time Data Loss Prevention (DLP) analysis. It’s an intentional design trade-off: we sacrifice a millisecond of latency for a massive gain in data integrity.
When we rolled out our Generative AI (GenAI) security, we didn’t aim for a perfectly “frictionless” experience. As Huber explains, we intentionally introduced a “speed bump.”
It was a balancing act. We were doing something better for the company, even if it caused minor growing pains.
By performing “man-in-the-middle” inspection, we selectively intercepted application flows to provide data loss prevention (DLP).
We weren’t trying to stop people from using GenAI; we were just making sure we paused to evaluate the application and ensure we weren’t leaking sensitive data. Because users understood the ‘why,’ we’ve seen nearly zero tickets—an incident rate of just 0.04%.
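The selective interception described above (only policy-enabled GenAI flows take the inspection “speed bump”, and DLP runs on what passes through it) can be sketched as a small policy engine. The following is an added illustration written for this article, not Cisco’s or the Secure Access product’s code; the host list, the detector patterns, the classification label and the sample requests are constructed assumptions.

```python
"""Selective GenAI inspection point with DLP checks (illustrative).

Constructed example: the host list, detectors and sample requests are
assumptions for this article, not Cisco Secure Access configuration.
"""
import re
from dataclasses import dataclass, field

# Constructed list of policy-enabled GenAI application hosts. Only flows
# to these hosts take the "speed bump"; all other traffic passes untouched.
GENAI_APPS = {"chat.example-genai.test", "api.example-genai.test"}

# DLP detectors. Card-number candidates are confirmed with a Luhn check
# so that arbitrary 16-digit strings (ticket ids, serials) do not trigger.
DETECTORS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Constructed internal marker; a real deployment would key on the
    # organisation's own data classification labels.
    "classification_label": re.compile(r"\bINTERNAL[- ]CONFIDENTIAL\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so audit logs never carry the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


@dataclass
class Decision:
    action: str                      # "allow", "allow_inspected" or "block"
    inspected: bool
    findings: list = field(default_factory=list)   # (detector, masked value)


def inspect_request(host: str, body: str) -> Decision:
    """Steer only GenAI flows through inspection; block on a DLP finding."""
    if host not in GENAI_APPS:
        return Decision(action="allow", inspected=False)
    findings = []
    for name, pattern in DETECTORS.items():
        for match in pattern.finditer(body):
            value = match.group(0)
            if name == "payment_card":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue             # looks like a card, fails Luhn: ignore
            findings.append((name, mask(value)))
    action = "block" if findings else "allow_inspected"
    return Decision(action=action, inspected=True, findings=findings)


def audit_line(host: str, decision: Decision) -> str:
    """One SIEM-friendly log line; findings are masked, never raw."""
    summary = ";".join(f"{n}:{v}" for n, v in decision.findings) or "-"
    return (f"genai_dlp host={host} inspected={decision.inspected} "
            f"action={decision.action} findings={summary}")


if __name__ == "__main__":
    # Constructed sample prompts sent to a GenAI app and to an unrelated host.
    samples = [
        ("docs.example.test", "card 4111 1111 1111 1111"),
        ("chat.example-genai.test", "Summarize: card 4111 1111 1111 1111 for the refund"),
        ("api.example-genai.test", "Draft a polite out-of-office reply"),
        ("api.example-genai.test", "ticket id 1234567812345678"),
    ]
    for host, body in samples:
        print(audit_line(host, inspect_request(host, body)))
```

The non-GenAI request passes without inspection, the clean GenAI prompt is inspected and allowed, the Luhn-failing 16-digit ticket id is not treated as a card, and the prompt carrying a real card number is blocked with only its last four digits written to the log.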
Measurable outcomes: Less clicking, more strategy
Since then, we’ve seen an 18% quarterly decrease in help desk cases and hundreds of inquiries resolved autonomously through AI-driven support models, allowing our engineers to focus on strategy rather than ticket triage. Our IT operators now spend less time “stitching together” boxes and more time on strategic planning.


Figure 2: Impact of AI-driven support on ZTA workflows post-SSE enablement, demonstrating an 80% autonomous resolution rate and a reduction in manual ticket triage.


Figure 3: Comparison of support case volumes between legacy VPN services and the SSE transition, illustrating a significant reduction in ticket load post-migration.


Figure 4: Historical case volume trends post-SSE VPN deployment, showing an initial spike in user education inquiries followed by a sustained, consistent decline.
We’re no longer just managing boxes; we’re managing outcomes. By empowering our workforce to connect securely and seamlessly from any location, we ensure the environment is ready for whatever comes next — whether it’s AI-driven workloads or the evolving needs of a distributed workforce.
Lessons learned as customer zero
If you’re considering a similar move, be sure to:
- Prioritize scaled adoption and cross-functional collaboration.
- Build a team across IT, Security, and Business units — don’t work in silos.
- Secure executive sponsorship early.
- Finally, don’t wait. If you’re managing aging hardware, use these lessons to pivot to a proactive posture before you begin your journey.
Explore more:
Are you ready to modernize your security and enhance observability? Contact your account representative to discuss how Cisco SSE solutions can help your organization.