5 Things CISOs Want to Hear About Secure Access Service Edge (SASE) at the RSA Conference

I’ve been blogging about what the “big 3” topics at this year’s (virtual) RSA conference should be. I started with a blog about XDR, followed by another about zero trust. My final blog of this series looks at what CISOs want to hear about SASE at RSA.

Why SASE? Because:

• Security at the network edge isn’t getting any easier. Sixty-four percent of organizations claim that network security at the edge is much more or somewhat more difficult than it was just 2 years ago due to factors like an increasingly dangerous threat landscape, growing attack surface, and the need for more granular network security policies. Like other security areas, CISOs are moving toward replacing today’s army of security point tools with an integrated platform–in this case, SASE.
• The SD-WAN foundation is already in place. According to ESG research, one-third of organizations already use SD-WAN extensively while another 47% are using it selectively. Since SD-WAN acts as a SASE foundation, it is logical that CISOs are ready to build up from an evolving SD-WAN base.
• SASE supports the transition of security controls to the cloud. Driven by remote workers and an increasing use of IaaS, PaaS, and SaaS, many organizations are migrating security controls to the cloud or deploying hybrid on-premises/cloud-based security technology architectures. ESG research indicates that while one-quarter of organizations report that at least 40% of their network edge security controls are cloud-delivered today, nearly half (48%) of organizations will have at least 40% of their network edge security controls cloud-delivered in 2 years’ time. SASE goes with this flow.

There’s little debate that the SASE train has not only left the proverbial station, but it’s moving down the tracks and gaining speed. Therefore, security pros are ready to conduct a more in-depth SASE investigation. Based on lots of research and conversations, my unquestionably brilliant colleague, John Grady, and I believe CISOs want to hear SASE details at RSA like:

1. Network offerings and flexibility. SASE has the word “secure” in it, but it also represents a true combination of security and networking technologies. Yes, CISOs will focus on security functionality but they will also need to work with CIOs and network engineers on things like multi-transport support, middle mile optimization, global connectivity, failover, etc. Ultimately, SASE must provide high-performance/high-availability secure network connectivity for any user in any location, so CISOs will likely start SASE conversations by talking about secure(?) user connectivity and user productivity rather than geeky network security topics like packet filtering, traffic inspection, and encryption/decryption. Network security vendors must come prepared with business and networking chops, or CISOs will move right past them.
2. Portfolio breadth and future plans. While the definition of SASE is fluid, ESG research indicates that the most important SASE security functions include advanced threat protection, firewalling, encrypted traffic management, DNS-layer security, DLP, VPN, and secure web gateway/web proxy. While organizations will likely want all these services over time, they will start with different combinations for different use cases. CISOs will come to RSA with short-term SASE needs and long-term SASE strategies, so they will want to hear about current products, SASE product roadmaps, partnering programs, and integration options. Like Rome, SASE won’t be built in a day, so CISOs won’t want SASE quick fixes but rather SASE partners capable of working with them over the next 2 to 3 years or more.
3. Management, management, management. CISOs will have a long list here, including central management of networking and security functions, support for role-based access control, detailed logging, personalization (i.e., personal dashboards, reports, etc.), tiered administration, etc. They will also want to include management across on-premises appliances and cloud-based services from a common UI. To support granular business use cases, CISOs also want strong policy management capabilities with enforcement and monitoring across all networking and security functions. Yup, management will be a top consideration for enterprise-class SASE, so CISOs will insist on flexibility and details–not product demos and marketing speak.
4. Professional and managed service. Like XDR and zero trust, SASE is an architecture with lots of piece parts coming together at business and technology layers. Given this, CISOs may want some help from experienced consultants who have built similar solutions for organizations in their industry. Thus, SASE discussions at RSA are likely to pivot toward professional services at some point. Likewise, SASE demands a lot of managed service choices. For example, I may want to maintain on-premises networking/security appliances at corporate HQ, slowly migrate from on-premises appliances to cloud services at large branches in the developed world, and transition to cloud-delivered everything for small branches across the globe. Oh, and I may need different security services at different locations based upon business operations and local regulations. Navigating this hybrid heavy branch/thin branch model can be tricky. CISOs will be asking these questions at RSA, so vendors must be prepared to discuss how homegrown services and/or services partners can help.
5. The intersection of SASE and zero trust. On the security side, SASE will likely start by securing packets–encryption/decryption, packet inspection, filtering, etc. In other words, the short-term focus is on securing network communications. It’s likely that act 2 in the SASE passion play will expand to include securing the endpoints–users, devices, applications, and data. Once this happens, SASE and zero trust intersect to deliver end-to-end security services. Savvy CISOs will come to RSA with a SASE/zero trust Venn diagram in their heads and will want answers on when and how these two programs, which cross security and networking domains, come together.

RSA won’t be perceived as a SASE supermarket, but many organizations see SASE as a business enabler and cost cutter, so they want to move forward quickly. CISOs will have a lot of pressing questions–business questions, networking questions, security questions, and implementation questions–and these are strategic business discussions, not tactical product sales. RSA 2021 could be a transformational event for security vendors that can respond to CISO requirements with the right details, strategies, and guidance.