Organizations are planning for secure access service edge (SASE) but have questions on how to get from their current state to converged, cloud-delivered networking and security. They’ll be looking for answers at RSA.

I’ve been blogging about what should be the “big 3” topics at this week’s (virtual) RSA conference. I started with a blog about XDR followed by another about Zero Trust. My final blog of this series looks at what CISOs want to hear about SASE at RSA. Why SASE? Because:

Security at the network edge isn’t getting any easier. Sixty-four percent of organizations claim that network security at the edge is much more or somewhat more difficult than it was just 2 years ago due to factors like an increasingly dangerous threat landscape, growing attack surface, and the need for more granular network security policies. Like other security areas, CISOs are moving toward replacing today’s army of security point tools with an integrated platform—in this case, SASE.

The SD-WAN foundation is already in place. According to ESG research, one-third of organizations already use SD-WAN extensively while another 47% are using it selectively. Since SD-WAN acts as a SASE foundation, it is logical that CISOs are ready to build up from an evolving SD-WAN base.

SASE supports the transition of security controls to the cloud. Driven by remote workers and an increasing use of IaaS, PaaS, and SaaS, many organizations are migrating security controls to the cloud or deploying hybrid on-premises/cloud-based security technology architectures. ESG research indicates that while one-quarter of organizations report that at least 40% of their network edge security controls are cloud-delivered today, nearly half (48%) of organizations will have at least 40% of their network edge security controls cloud-delivered in 2 years’ time.
SASE goes with this flow.

There’s little debate that the SASE train has not only left the proverbial station but it’s moving down the tracks and gaining speed. Therefore, security pros are ready to conduct a more in-depth SASE investigation. Based on lots of research and conversations, my unquestionably brilliant colleague, John Grady, and I believe CISOs want to hear SASE details at RSA like:

Network offerings and flexibility. SASE has the word “secure” in it, but it also represents a true combination of security and networking technologies. Yes, CISOs will focus on security functionality but they will also need to work with CIOs and network engineers on things like multi-transport support, middle mile optimization, global connectivity, failover, etc. Ultimately, SASE must provide high-performance/high-availability secure network connectivity for any user in any location, so CISOs will likely start SASE conversations by talking about secure user connectivity and user productivity rather than geeky network security topics like packet filtering, traffic inspection, and encryption/decryption. Network security vendors must come prepared with business and networking chops or CISOs will move right past them.

Portfolio breadth and future plans. While the definition of SASE is fluid, ESG research indicates that the most important SASE security functions include advanced threat protection, firewalling, encrypted traffic management, DNS-layer security, DLP, VPN, and secure web gateway/web proxy. While organizations will likely want all these services over time, they will start with different combinations for different use cases. CISOs will come to RSA with short-term SASE needs and long-term SASE strategies, so they will want to hear about current products, SASE product roadmaps, partnering programs, and integration options.
Like Rome, SASE won’t be built in a day, so CISOs won’t want SASE quick fixes but rather SASE partners capable of working with them over the next 2 to 3 years or more.

Management, management, management. CISOs will have a long list here, including central management of networking and security functions, support for role-based access control, detailed logging, personalization (i.e., personal dashboards, reports, etc.), tiered administration, etc. They will also want to include management across on-premises appliances AND cloud-based services from a common UI. To support granular business use cases, CISOs also want strong policy management capabilities with enforcement and monitoring across all networking and security functions. Yup, management will be a top consideration for enterprise-class SASE so CISOs will insist on flexibility and details—not product demos and marketing-speak.

Professional and managed service. Like XDR and zero trust, SASE is an architecture with lots of piece parts coming together at a business and technology layer. Given this, CISOs may want some help from experienced consultants who have built similar solutions for organizations in their industry. Thus, SASE discussions at RSA are likely to pivot toward professional services at some point. Likewise, SASE demands a lot of managed service choices. For example, I may want to maintain on-premises networking/security appliances at corporate HQ, slowly migrate from on-premises appliances to cloud services at large branches in the developed world, and transition to cloud-delivered everything for small branches across the globe. Oh, and I may need different security services at different locations based upon business operations and local regulations. Navigating this hybrid heavy branch/thin branch model can be tricky. CISOs will be asking these questions at RSA so vendors must be prepared to discuss how homegrown services and/or services partners can help.

The intersection of SASE and zero trust.
On the security side, SASE will likely start by securing packets—encryption/decryption, packet inspection, filtering, etc. In other words, the short-term focus is on securing network communications. It’s likely that act 2 in the SASE passion play will expand to include securing the endpoints—users, devices, applications, and data. Once this happens, SASE and zero trust intersect to deliver end-to-end security services. Savvy CISOs will come to RSA with a SASE/zero trust Venn diagram in their heads and will want answers on when and how these two programs, which cross security and networking domains, come together.

RSA won’t be perceived as a SASE supermarket, but many organizations see SASE as a business enabler and cost cutter, so they want to move forward quickly. CISOs will have a lot of pressing questions—business questions, networking questions, security questions, and implementation questions—and these are strategic business discussions, not tactical product sales. RSA 2021 could be a transformational event for security vendors that can respond to CISO requirements with the right details, strategies, and guidance.