    Cisco’s Journey to Unified Security Service Edge Deployment

    By Admin, June 21, 2026


    Every CIO faces the same question right now: how do you secure an AI-powered, distributed workforce without adding more complexity to an already overloaded team? Cisco IT faced that question—and built the answer. In 12 months, Cisco IT reduced help desk cases by 18%, cut security incident rates to near zero, and eliminated 20+ legacy VPN options—all while securing AI adoption at scale. Here’s how they did it, according to the engineers.

    In previous blogs, we explored the strategic imperative behind Cisco’s shift to a Zero Trust architecture and examined the organizational blueprint that guided our phased migration to a unified Security Service Edge (SSE) platform. While those perspectives outlined the ‘why’ and the ‘how’ of our high-level transformation, we’re pulling back the curtain on the engineering reality. As the lead engineers behind this transition, we’ve spent the last year moving from a fragmented, hardware-heavy model to a unified, cloud-native SSE fabric. Here, we share the technical lessons learned from the front lines, the challenges of dismantling legacy infrastructure, and how we re-engineered our security stack to support a modern, AI-ready workforce. 

    Managing tens of thousands of devices across a global workforce with aging, end-of-life infrastructure wasn’t just an operational grind—it was a technical bottleneck that created significant security debt. We were spending more time ‘stitching’ disparate hardware components together than we were on strategic security posture. We needed to move away from the ‘box-by-box’ management model toward a unified, software-defined fabric. 

    We knew we had to shift toward an as-a-service model. Manually stitching together various network components created security gaps that hindered visibility and increased our mean time to resolution (MTTR) for incident remediation.

    The evolution to SSE

    Our SSE transition built on our earlier Zero Trust Access (ZTA) journey. While ZTA secured our distributed workforce, our SSE migration scaled that foundation into a unified, frictionless experience via the Secure Access cloud-delivered platform. 

    Breaking free from the “operational grind”

    Our previous solution relied on twelve global locations and disparate hardware. We found ourselves at a crossroads: either invest in a costly tech refresh of our aging, end-of-life (EOL) infrastructure or pivot to a cloud-delivered model. We chose the latter to future-proof our acquisition tenants and better support our distributed workforce, while simplifying operations, enhancing the user experience, and increasing security.

    The number of components in the service chain was the real challenge. We had so many boxes stitched together. Now, with a single platform, we have best-of-breed Cisco products working in one unified fabric.

    Figure 1: Architecting SSE as-a-service: Transitioning from self-managed, on-premise infrastructure to an integrated ‘As-a-Service’ model.

    How we took a unified approach

    We built upon our existing investment in Cisco Identity Services Engine (ISE) to maintain seamless authentication for VPN, proving that our SSE transformation enhances—rather than discards—foundational security.

    We unified our ecosystem to evolve our platform approach:

    • Assurance (Cisco ThousandEyes): Bridged visibility gaps across owned and unowned networks to ensure seamless connectivity.
    • Observability (Splunk): Centralized logs to turn raw data into actionable insights, drastically reducing Mean Time to Resolution (MTTR).
    • Networking (Catalyst SD-WAN): Integrated backhaul tunnels into the SSE fabric, purpose-built for enterprise-to-cloud connectivity.
    • Collaboration (Webex): Ensured collaboration remains secure and high-performing, regardless of user location.

    The “crawl, walk, run” methodology

    We practiced a “crawl, walk, run” methodology. We didn’t just flip a switch; we phased the rollout, iterating through proof-of-concepts. When we hit a roadblock, we didn’t just work around it; we partnered with our business units to build that feature into the product—a win for our internal operations and a win for every customer who will use that feature in the future.

    Example features we deployed include:

    • VPN Modernization: We needed to sunset aging infrastructure and simplify the user experience. By transitioning from 20+ legacy options to two, we enabled an “auto-select” capability where the client automatically latches onto the nearest SSE point-of-presence. This removed the guesswork for our global workforce, significantly reducing help desk cases.
    • Zero Trust Access: We needed a frictionless way to enable our client-based ZTA service. By moving to certificate-based auto-enrollment, policy is now consumed directly from the client. Users simply click the ZTA-enabled application, and they are in. The result was a surge of requests from our workforce to add even more applications to the platform.
    • Generative AI Protection: We needed to intelligently intercept policy-enabled Gen-AI applications and steer them to the cloud for visibility and policy enforcement. We deployed this via the Cisco Secure Client Umbrella roaming module. This was critical to increasing our security posture and enhancing visibility, ensuring we are effectively protecting Cisco’s sensitive data.

    The ‘Customer Zero’ advantage

    We treated our internal deployment as a live lab. By submitting over 100 technical feature requests, our IT team acted as a critical feedback loop for the product engineering teams. We weren’t just users; we were co-developers.

    This collaborative engineering partnership allowed us to bake our operational requirements directly into the platform’s roadmap, ensuring the final product was built for the complexities of a modern enterprise.

    Intentional friction: The key to stronger security

    In our pursuit of a seamless experience, we learned a counterintuitive engineering lesson: not all friction is bad. When it comes to GenAI protection, ‘frictionless’ can be a security vulnerability. We architected a ‘speed bump’—a deliberate man-in-the-middle inspection point—to allow for real-time Data Loss Prevention (DLP) analysis. It’s an intentional design trade-off: we sacrifice a millisecond of latency for a massive gain in data integrity.

    When we rolled out our Generative AI (GenAI) protection, we didn’t aim for a perfectly “frictionless” experience. As Huber explains, we intentionally introduced a “speed bump.”

    It was a balancing act. We were doing something better for the company, even if it caused minor growing pains.

    By performing “man-in-the-middle” inspection, we selectively intercepted application flows to provide data loss prevention (DLP).

    We weren’t trying to stop people from using GenAI; we were just making sure we paused to assess the application and ensure we weren’t leaking sensitive data. Because users understood the ‘why,’ we’ve seen nearly zero tickets—an incident rate of just 0.04%.

    Measurable outcomes: Less clicking, more strategy

    Since then, we’ve seen an 18% quarterly decrease in help desk cases and hundreds of inquiries resolved autonomously through AI-driven support models, allowing our engineers to focus on strategy rather than ticket triage. Our IT operators now spend less time “stitching together” boxes and more time on strategic planning.

    Figure 2: Impact of AI-driven support on ZTA workflows post-SSE enablement, demonstrating an 80% autonomous resolution rate and a reduction in manual ticket triage.

    Figure 3: Comparison of support case volumes between legacy VPN services and the SSE transition, illustrating a significant reduction in ticket load post-migration.

    Figure 4: Historical case volume trends post-SSE VPN deployment, showing an initial spike in user education inquiries followed by a sustained, consistent decline.

    We are no longer just managing boxes; we are managing outcomes. By empowering our workforce to connect securely and seamlessly from any location, we ensure our environment is ready for whatever comes next — whether it’s AI-driven workloads or the evolving needs of a distributed workforce.

    Lessons learned as customer zero

    If you’re considering a similar move, be sure to:

    • Prioritize scaled adoption and cross-functional collaboration.
    • Build a team across IT, Security, and Business units — don’t work in silos.
    • Secure executive sponsorship early.
    • Finally, don’t wait. If you’re managing aging hardware, use these lessons to pivot to a proactive posture before you begin your journey.

     


    Are you ready to modernize your security and increase observability? Contact your account representative to discuss how Cisco SSE solutions can help your organization. 


