Making the case for SASE

Practical advice to gain buy-in from the C-suite

How do you convince executives to invest in a new complex security strategy?

It’s a question with no simple answer. Despite security becoming a C-level priority in most organizations, executives often hesitate to support security projects that require significant resources and organizational change.

This is the unenviable situation many security leaders find themselves in when planning SASE adoption.

Whether or not security leaders use the term SASE, or Secure Access Service Edge, many are already advocating within their organizations for the practices SASE calls for. Yet those practices — like adopting Zero Trust security, securing employee Internet browsing, and moving firewalls and WAN connectivity to the cloud — require collaboration and financial support from across the organization. New vendors must be found and evaluated, and existing ones repurposed or replaced. Employees organization-wide may need to learn new security processes.

These requirements can bring a fair amount of skepticism from non-security executives. Some may believe existing security measures already provide sufficient protection, and hesitate to support any resource-intensive changes. Others may underestimate SASE’s urgency and want to push the project further down the road.

Effective security leaders know they must overcome some level of resistance to drive SASE adoption and better protect their organization. When talking with other executives about SASE, security leaders will find success with the following practices:

• Explain SASE’s broader business benefits in addition to describing how it reduces risk.

• Prove SASE’s return on investment by presenting data on the financial benefits of Zero Trust security and network transformation.

• Offer concrete next steps, including an action plan of what changes you want to make first and how they’ll happen.

Here’s what these practices can look like in action.

Explaining SASE’s broader business benefits

Any discussion about SASE must of course include the security threats it can help prevent. Security leaders should help other executives understand risks that emerge when corporate network traffic transits the public Internet, and explain how SASE can help protect the organization from those risks.

But the conversation shouldn’t stop there. The reason? Even if executives believe in the problems SASE can address, they may not believe SASE itself is the answer. When presented with the many logistical hurdles of SASE adoption, executives may want to rely on simpler and immediate, but potentially less-effective solutions, like expanding VPN use and tacking on point security solutions in the cloud.

To make their arguments even stronger, security leaders must also explain how SASE adoption can drive broader business objectives. Consider arguments like the following:

• Remote worker efficiency: Many executives are curious how remote work impacts the organization’s overall efficiency. Security leaders should help them understand how traditional remote work security tools become unreliable during broad, continuous use, and how SASE can help. For example, describe how ditching VPNs reduces latency and connectivity outages. Or how unifying security services on a single cloud platform eliminates delays as traffic ‘trombones’ between different point security solutions.

• Smoother contractor onboarding: Third-party contractors and service providers are often hired for urgent, high-priority projects. Yet as security leaders know, onboarding those contractors can be cumbersome from an IT perspective. (The same can be true for newly acquired companies.) Help executives understand how SASE makes it easier to quickly onboard much-needed third-party support by letting contractors use their own devices, and by giving IT and security teams a single platform from which to manage and monitor network access.

• IT team efficiency: As many as 62% of IT teams say they are understaffed, which can prevent the organization from tackling a variety of strategic projects. Security leaders can help executives understand how SASE will free up IT capacity once it’s implemented. For example, with SASE, IT will no longer have to: provision VPN licenses, patch and troubleshoot network security hardware, or respond to support tickets when remote security tools break a website experience.

When having these conversations, security leaders should strive for simplicity and hold themselves to a “no vendor names, no acronyms” rule. It’s easy to miss how much jargon creeps into discussions about security strategy. Each unnecessary buzzword and vendor name is like a speed bump, distracting the audience from an argument’s true substance. (“SASE” may be the exception to this rule, but you should still define the term and use it sparingly.)

Proving the financial benefits of SASE adoption

Conversations about SASE with executives will inevitably address the financial costs of SASE adoption. These costs can appear onerous in the short term since SASE requires new vendor partnerships and may demand new IT skill sets.

To balance out executive anxiety about these costs, security leaders must be ready to prove that SASE can also save the organization money.

Some of these savings can come in the form of attack prevention and mitigation. For example, SASE practices can make attacks less costly for their target. According to IBM’s Cost of a Data Breach Report, organizations with mature Zero Trust adoption levels pay less to recover from data breaches. Mature Zero Trust organizations pay an average of $3.28M per breach compared to $5.04M for organizations without a Zero Trust strategy.

In addition, security leaders can bolster the broad business benefits outlined in the previous section by calculating the specific savings of simplifying complex IT processes. Consider ROI examples like:

• Reducing IT support tickets. SASE removes the need for one-off remote access tools like VPNs, which tend to be unreliable and latency-heavy. When users don’t have to deal with a VPN client on their device, organizations start to see a big drop in the amount of time they spend addressing access-related tickets, with some reporting up to an 80% reduction in time spent on user issues.

• Shortening employee onboarding time. An example of this is replacing legacy remote access approaches like VPN and IP-based controls. Organizations like eTeacher Group report that they spend less time onboarding new users, reducing the amount of time it takes to grant access to a new user by as much as 60%.

• Eliminating extra hardware costs. Security hardware — like network firewalls and DDoS mitigation boxes — always incurs costs beyond its sticker price. Installation, warranties, repairs, and patch management all impose additional expenditures and require IT resources to manage. Eliminating those costs by moving network security to the cloud can create additional savings.

Finally, SASE can create more favorable financial conditions in the long run by reducing burdensome capital expenditures on networking hardware. Since SASE services are delivered entirely from the cloud, they use a standard cloud subscription model. This model frees up cash flow that can be used to fund other high-priority investments.

Offering concrete next steps

Helping executives understand SASE’s business benefits and financial impact will go a long way towards convincing them to get on board. But they’ll also want to understand what SASE adoption looks like in practice.

Security leaders need to be prepared to answer this question in detail. This means preparing a hypothetical SASE adoption plan that includes specific steps and timelines, resource requirements, and estimated costs. Some of these specifics will vary wildly between organizations. But consider the following ‘first steps’ as a starting point:

1. Phase-out VPN for third-party access: Move consultants and contract employees over to a modern authentication service, and let them sign in to applications with existing accounts or one-time passwords. In addition to simplifying onboarding processes, this makes it so third-parties can’t abuse the carte blanche network access that VPNs provide.

2. Adopt a Zero Trust security posture for remote work: Use an authentication and access management service which follows the ‘never trust, always verify’ approach — by checking remote workers’ identities every time they access an application, and tracking all of their requests. This gives you better control over a high-risk employee group.

3. Retire the VPN for remote access: As in Step 1, move remote workers over to a modern authentication service such as SSO. This makes it harder for attackers to move laterally using compromised devices or VPN credentials.

4. Consolidate Zero Trust security tools as contracts renew: It’s rarely possible to replace existing secure web gateways, browser isolation tools, and cloud access security brokers all at once. As contracts expire, add those services to a single SASE platform and gain the efficiency of managing them from one place.

5. Adopt a Zero Trust security posture for office locations: Require employees to authenticate through the Zero Trust platform even when they are within a traditional network perimeter. This helps stop data loss, protects employees from threats on the public Internet, and prevents lateral movement by attackers.

Evangelizing security priorities for the long term

Security isn’t just a job for the security team alone. The more invested c-suite executives are in security projects, the safer the whole organization becomes.

SASE, and the sweeping societal changes which make it necessary, are an excellent opportunity for security leaders to foster this investment. Tying SASE to broader business benefits, proving its ROI, and laying out a concrete action plan aren’t easy — and won’t land after a few isolated conversations. But if security leaders are consistent and confident in acting out these best practices, they’ll foster a broad security awareness which will benefit them and their teams in the future as well.

In addition, learn how Cloudflare delivers SASE and Zero Trust by exploring our Cloudflare One platform. It places identity-based security controls, firewall, WAN-as-a-Service and other SASE features on a unified network that’s close to users everywhere on Earth, helping them quickly and securely connect to any enterprise resource. And all of these are built from scratch to work together out of the box, helping security teams simplify SASE adoption.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to understand:

• Why pitching SASE to the C-suite requires a unique approach

• Strategies for describing SASE’s benefits to non-technical audiences

• Ideal first steps in SASE adoption

Related resources

• Getting started with SASE: A guide to secure and streamline your network infrastructure

• Infographic: The ROI of Zero Trust

• Whitepaper: The death of hardware boxes

• Forrester Opportunity Snapshot: Zero Trust