Each CIO faces the identical query proper now: how do you safe an AI-powered, distributed workforce with out including extra complexity to an already overloaded staff? Cisco IT confronted that query—and constructed the reply. In 12 months, Cisco IT lowered assist desk circumstances by 18%, lower safety incident charges to close zero, and eradicated 20+ legacy VPN choices—all whereas securing AI adoption at scale. Right here’s how they did it, in accordance with the engineers.
In earlier blogs, we explored the strategic crucial behind Cisco’s shift to a Zero Belief structure and examined the organizational blueprint that guided our phased migration to a unified Safety Service Edge (SSE) platform. Whereas these views outlined the ‘why’ and the ‘how’ of our high-level transformation, we’re pulling again the curtain on the engineering actuality. Because the lead engineers behind this transition, we’ve spent the final yr shifting from a fragmented, hardware-heavy mannequin to a unified, cloud-native SSE material. Right here, we share the technical classes realized from the entrance strains, the challenges of dismantling legacy infrastructure, and the way we re-engineered our safety stack to help a contemporary, AI-ready workforce.
Managing tens of hundreds of gadgets throughout a world workforce with growing older, end-of-life infrastructure wasn’t simply an operational grind—it was a technical bottleneck that created important safety debt. We have been spending extra time ‘stitching’ disparate {hardware} elements collectively than we have been on strategic safety posture. We wanted to maneuver away from the ‘box-by-box’ administration mannequin towards a unified, software-defined material.
We knew we needed to shift towards an as-a-service mannequin. Manually stitching collectively varied community elements created safety gaps that hindered visibility and elevated our mean-time to decision (MTTR) for incident remediation.
The evolution to SSE
Our SSE transition built on our earlier Zero Belief Entry (ZTA) journey. Whereas ZTA secured our distributed workforce, our SSE migration scaled that basis right into a unified, frictionless expertise through the Safe Entry cloud-delivered platform.
Breaking free from the “operational grind”
Our earlier resolution relied on relied on twelve world places and disparate {hardware}. We discovered ourselves at a crossroads: both put money into a expensive tech refresh of our growing older, finish of life (EOL) infrastructure or pivot to a cloud-delivered mannequin. We selected the latter to future-proof our acquisition tenants and higher help our distributed workforce, whereas simplifying operations, enhancing the consumer expertise, and rising safety.
The variety of elements within the service chain was the actual problem. We had so many packing containers stitched collectively. Now, with a single platform, we now have best-of-breed Cisco merchandise working in a single unified material.
Determine 1: Architecting SSE as-a-service: Transitioning from self-managed, on-premise infrastructure to an built-in ‘As-a-Service’ mannequin.
How we took a unified strategy
We constructed upon our present funding in Cisco Id Providers Engine (ISE) to keep up seamless authentication for VPN, proving that our SSE transformation enhances—quite than discards—foundational safety.
We unified our ecosystem to evolve our platform strategy:
- Assurance (Cisco ThousandEyes): Bridged visibility gaps throughout owned and unowned networks to make sure seamless connectivity.
- Observability (Splunk): Centralized logs to show uncooked information into actionable insights, drastically decreasing Imply Time to Decision (MTTR).
- Networking (Catalyst SD-WAN): Built-in backhaul tunnels into the SSE material, purpose-built for enterprise-to-cloud connectivity.
- Collaboration (Webex): Ensured collaboration stays safe and high-performing, no matter consumer location.
The “crawl, stroll, run” methodology
We practiced a “crawl, stroll, run” methodology. We didn’t simply flip a swap; we phased the rollout, iterating by means of proof-of-concepts. After we hit a roadblock, we didn’t simply work round it; we partnered with our enterprise models to construct that function into the product—a win for our inner operations and a win for each buyer who will use that function sooner or later.
Instance options we deployed embody:
- VPN Modernization: We wanted to sundown growing older infrastructure and simplify the consumer expertise. By transitioning from 20+ legacy choices to 2, we enabled an “auto-select” functionality the place the shopper routinely latches onto the closest SSE point-of-presence. This eliminated the guesswork for our world workforce, considerably decreasing assist desk circumstances.
- Zero Belief Entry: We wanted a frictionless method to allow our client-based ZTA service. By shifting to certificate-based auto-enrollment, coverage is now consumed instantly from the shopper. Customers merely click on the ZTA-enabled utility, and they’re in. The consequence was a surge of requests from our workforce so as to add much more purposes to the platform.
- Generative AI Safety: We wanted to intelligently intercept policy-enabled Gen-AI purposes and steer them to the cloud for visibility and coverage enforcement. We deployed this through the Cisco Safe Shopper Umbrella roaming module. This was essential to rising our safety posture and enhancing visibility, making certain we’re successfully defending Cisco’s delicate information.
The ‘Buyer Zero’ benefit
We handled our inner deployment as a stay lab. By submitting over 100 technical function requests, our IT staff acted as a essential suggestions loop for the product engineering groups. We weren’t simply customers; we have been co-developers.
This collaborative engineering partnership allowed us to bake our operational necessities instantly into the platform’s roadmap, making certain the ultimate product was constructed for the complexities of a contemporary enterprise.
Intentional friction: The important thing to stronger safety
In our pursuit of a seamless expertise, we realized a counterintuitive engineering lesson: not all friction is dangerous. With regards to GenAI safety, ‘frictionless’ is usually a safety vulnerability. We architected a ‘velocity bump’—a deliberate man-in-the-middle inspection level—to permit for real-time Knowledge Loss Prevention (DLP) evaluation. It’s an intentional design trade-off: we sacrifice a millisecond of latency for a large acquire in information integrity.
After we rolled out our Generative AI (GenAI) safety, we didn’t purpose for a superbly “frictionless” expertise. As Huber explains, we deliberately launched a “velocity bump.”
It was a balancing act. We have been doing one thing higher for the corporate, even when it prompted minor rising pains.
By performing “man-in-the-middle” inspection, we selectively intercepted utility flows to supply information loss prevention (DLP).
We weren’t attempting to cease folks from utilizing GenAI, we have been simply ensuring we paused to evaluate the applying and guarantee we weren’t leaking delicate information. As a result of customers understood the ‘why,’ we’ve seen almost zero tickets—an incident price of simply 0.04%.
Measurable outcomes: Much less clicking, extra technique
Since then, we’ve seen an 18% quarterly lower in assist desk circumstances and lots of of inquiries resolved autonomously by means of AI-driven help fashions, permitting our engineers to deal with technique quite than ticket triage. Our IT operators now spend much less time “stitching collectively” packing containers and extra time on strategic planning.
Determine 2: Influence of AI-driven help on ZTA workflows post-SSE enablement, demonstrating an 80% autonomous decision price and a discount in guide ticket triage.
Determine 3: Comparability of help case volumes between legacy VPN providers and the SSE transition, illustrating a big discount in ticket load post-migration.
Determine 4: Historic case quantity developments post-SSE VPN deployment, exhibiting an preliminary spike in consumer schooling inquiries adopted by a sustained, constant decline.
We’re now not simply managing packing containers; we’re managing outcomes. By empowering our workforce to attach securely and seamlessly from any location, we guarantee our surroundings is prepared for no matter comes subsequent — whether or not it’s AI-driven workloads or the evolving wants of a distributed workforce.
Classes realized as buyer zero
In case you’re contemplating an identical transfer, make sure you:
- Prioritize scaled adoption and cross-functional collaboration.
- Construct a staff throughout IT, Safety, and Enterprise models — don’t work in silos.
- Safe govt sponsorship early.
- Lastly, don’t wait. In case you’re managing growing older {hardware}, use these classes to pivot to a proactive posture earlier than you start your journey.
Discover extra:
Are you able to modernize your safety and enhance observability? Contact your account consultant to debate how Cisco SSE options might help your group.
