Nothing is Certain Except Death, Taxes… and SASE

Coined by Gartner in 2019, the SASE label applies to a model in which networking and cybersecurity are fully converged and delivered as a unified cloud service.

In January of this year, Dell’Oro issued a press release with the title “Single-Vendor SASE to Dominate Market Growth as Enterprises Favor One-Stop Solutions.” In it, Mauricio Sanchez, Sr. Director, Enterprise Security and Networking at Dell’Oro states “SASE is not a trend; it’s the future of enterprise connectivity and security.” [1]

It’s a bold claim, but one that’s hard to argue with. After all, why wouldn’t enterprises love the idea of converged cybersecurity and networking delivered as a cloud service? They’ve had more than two decades of experience with cloud-based “as-a-Service” solutions replacing one complex on-premise system after another. Why wouldn’t they want and expect the same for networking and security?

Not convinced? Check the numbers. Gartner estimates the SASE market grew 35% to reach $9 billion in 2023, and forecasts a compound annual growth rate of 29% for the period 2021-2026, with spending expected to hit $25 billion by 2027. [2] Similarly, Dell’Oro Group finds global SASE spending surged 31% to hit $8.4 billion in 2023, marking the third consecutive year of growth above 30%.[3]

These figures should be enough to convince you that you need to do some deep thinking about whether you should evolve your offer to SASE, or give serious thought to how your solution can best complement SASE platforms. Still not sure? Okay. Let’s review three other sets of numbers. First, let’s look at the SASE-related acquisitions and internal investments vendors have made on the road to bringing a single-vendor, fully unified SASE solution to market.

Since January 2023, the sums invested in SASE-related acquisitions have reached stratospheric levels. Notable among these acquisitions are the following (note: not all are officially completed yet):

• $69 Billion: Broadcom acquires VMware
• $14 Billion: HPE acquires Juniper Networks
• $600 Million: Palo Alto Networks acquires Talon Cyber Security
• $500 Million: HPE acquires Axis Security
• $490 Million: Check Point acquires Perimeter 81
• (Undisclosed): Cradlepoint (part of Ericsson) acquires Ericom

Other vendors successfully raised substantial new funds to accelerate their transition to unified SASE, including the following notable rounds:

• $401 Million: Netskope (Jan 2023), convertible notes
• $238 Million: Cato Networks (2023), additional investment ($773M to date)
• $150+ Million: Netskope (as of June 2023), investment in its private cloud infrastructure for SASE
• $120 Million: Versa (2022)

Next, as a result of these internal investments and acquisitions, since Q3 2023, the number of single-vendor, fully unified SASE solution providers jumped from 8 (according to Gartner) and 9 (according to Forrester under their SASE-equivalent Zero Trust Edge label) to 17 as of June 2024.

This represents a doubling of the number of single-vendor SASE providers, with vendors like iBoss, Barracuda, Sophos, Huawei and Citrix adding or evolving components in a way that is compatible with single-vendor SASE. (Disclaimer: the SASE market is so dynamic this list will no doubt have expanded by the time you read this article…)

The two halves of the SASE paradigm may be fully integrated to form a single SASE solution

The chart below illustrates the transition paths vendors have taken on their way to single-vendor SASE. This includes whether they originated from the networking or security side or both, and whether acquisitions were used to achieve a single vendor offer.

* Cato & Open Systems had what was essentially a single-vendor SASE offer before the term was coined. Fun activity: check out their 2015/2106 websites on the Internet Archives Wayback Machine. (If you don’t ever visit this site, you need to fix that. It’s a gold mine.) Exium was founded in 2019 with a SASE offer built on 5G standards. It was initially called Intelligent Cybersecurity Mesh and was sometimes referred to as “secure 5G NaaS”.

The first takeaway is that although the barriers to entry for single-vendor SASE are not negligible given the functional scope required and the need for a large global network of regional PoPs, I still think we can expect this number to double again by this time next year.

This is especially true given the diversity of vendors making interesting SASE moves, such as Content Delivery Network (CDN) providers – including the CDN arms of the cloud computing giants, and providers of Multi-Cloud Networking (MCN), Network-as-a-Service (NaaS), Zero Trust/ZT Network Access (ZTNA), and Private 5G/WWAN solutions.

It is also interesting to note that the list of single-vendors SASE vendors in the chart above is relatively balanced in terms of the SASE origin point, and by relative size in terms of headcount, with 5 under 1k employees (the smallest being under 50!), 4 at 1-5k, 3 at 5-10k, and 5 at 10k+.

Therefore, for vendors wishing to transition to single-vendor SASE, a second takeaway is that you shouldn’t let size and starting point deter you. And you should keep in mind that vision, an adventurous spirit, and determination can take you a long way. (For inspiration, check out the leaps made by the founders of the three SASE-before-SASE-existed vendors: Florian Gutzwiller (Open Systems), Farooq Khan (Exium) and Shlomo Kramer (Cato Networks).)

A third takeaway (as noted in my RSAC 2024 article in The Fast Mode) is that every vendor in networking or cybersecurity needs a SASE strategy, whether it be a plan for 1) transitioning to SASE or 2) ensuring your product offers a high value complement to SASE platforms. And by that, I mean valuable enough to hold its own as a standalone offer in an era of large, converged security and networking platforms – or to serve as an irresistible acquisition target for such platform vendors.

Finally, as also noted in the RSAC article, the fourth takeaway is that single-vendor SASE vendors need to reflect on how far they wish to go in expanding the capabilities of their platforms versus partnering. SASE vendors have recently been adding extended functions like Email Security, Enterprise Browsers, Digital Experience Management (DEM), and Extended Threat Detection and Response (XDR). For now (at least), other major systems like Identity & Access Management (IAM), Endpoint Protection, Cloud Workload Protection, Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) have remained largely separate. Beyond functional components, vendors would be wise to also consider whether a verticalization strategy would be useful as SASE competition heats up.