By Rob Graham, Head of Networks at Securecom

Author Introduction

In conversations with New Zealand IT leaders, one struggle comes up repeatedly: separating genuine innovation from marketing noise. Terms like SASE are everywhere, but telling a unified platform apart from a “stitched together” portfolio is difficult. Here is how to cut through the hype and define evaluation criteria that deliver real outcomes.

Outline

  • Defining modern network security beyond acronyms.
  • Identifying common evaluation traps and myths.
  • Core decision criteria for NZ organisations.
  • Choosing between managed service or DIY.
  • Structuring a meaningful pilot or POC.
  • Aligning internal teams for decision making.

Key Takeaways

  • Avoid “stitched together” multi-vendor solutions.
  • Prioritise single-pass architecture for performance.
  • Ensure local New Zealand data plane capacity.
  • Evaluate the operating model, not just tech.
  • Test user experience, not just security features.
  • Bridge the gap between NetOps and SecOps.

Introduction

By the time you reach the shortlisting phase of a network transformation project, the market can feel overwhelming. Global vendors, local telcos, cloud providers, and niche security specialists all describe their offerings using identical language. Terms like SASE (Secure Access Service Edge), SSE (Security Service Edge), SD-WAN, and Zero Trust are sprinkled through nearly every pitch.

For New Zealand IT leaders, this presents a specific problem: how do you differentiate between a genuine, converged platform and a “stitched together” portfolio of acquired products? The stakes are high. Choosing the wrong architectural pattern can result in poor user experience, added latency on every session, and security gaps that are difficult to close.

Furthermore, many mid-sized organisations in New Zealand are resource-constrained. They often cannot afford the large internal SecOps and NetOps teams required to integrate and run complex multi-vendor solutions. This article cuts through the marketing noise to help you define evaluation criteria that focus on outcomes – identity-driven access, cloud-native security, and performance for hybrid work – helping you find a partnership model that fits your reality.

What “Modern Network and Security” Really Means

Before evaluating vendors, it is critical to strip away the acronyms and agree on what a modern architecture must achieve.

In the past, “modernising” meant buying a faster MPLS circuit or a bigger firewall. Today, it means inverting the architecture. The goal is no longer to connect sites to data centres; it is to connect users to applications.

A truly modern solution should deliver three non-negotiable capabilities:

  1. Convergence: Networking (SD-WAN) and security (SSE) should not just be bundled; they should be unified. This means one policy engine and one view of the world, not two separate consoles that need to be manually synchronised.
  2. Identity-Centricity: Access should be based on who the user is and the context of their device, not which office port they are plugged into. This is the core of Zero Trust.
  3. Direct-to-Cloud Performance: Traffic destined for the internet or SaaS should go there directly from the user’s device or the branch edge, without being hair-pinned back through a central data centre.

Common Evaluation Traps and Marketing Myths

When you begin your Request for Information (RFI) or initial vendor discussions, be wary of these common traps that can derail your project.

The “Platform” Myth

Many vendors claim to offer a “single platform” SASE solution. However, under the hood, many of these are patchwork quilts of different acquisitions. One vendor might have bought an SD-WAN company last year and a Cloud Security company this year.

If the solution requires you to log into different consoles for the network and the security, or if the “single agent” is actually two pieces of software wrapped in one installer, you are likely looking at a “stitched together” solution. This often leads to the “swivel chair” management problem, increasing the risk of misconfiguration.

The “Pop-Up” PoP

For New Zealand organisations, geography matters. Some global vendors boast thousands of Points of Presence (PoPs) but may not have full compute capacity in New Zealand. They might offer an “on-ramp” locally, but then backhaul your traffic to Sydney or the US for heavy security inspection (such as TLS decryption).

This introduces latency that frustrates users. When evaluating, ask specifically: “Does your New Zealand PoP perform full security inspection locally, including TLS decryption, without leaving the country?” Then verify the answer during the pilot by measuring round-trip times from a local user rather than taking it on trust.

Core Decision Criteria for NZ Organisations

To create a shortlist that will actually deliver value, you need to move beyond feature checklists. Here are the architectural criteria that matter most for mid-market NZ enterprises.

1. Single-Pass Architecture

In a legacy setup, traffic might pass through a firewall, then a web filter, then a DLP scanner. Each “hop” adds latency.

A modern SASE evaluation should prioritise Single-Pass Architecture. This means the traffic is decrypted once, inspected by all security engines (malware, data loss, web filtering) in one pass, and then re-encrypted. This is what allows full inspection to be switched on for everyone without a visible hit to user productivity.

2. The “Power of One” Agent

Endpoint fatigue is real. Your users do not want another agent on their laptops. Look for a solution that offers a single, lightweight client that handles everything: Zero Trust access to private apps, secure web gateway functions, and endpoint data protection.

If a vendor asks you to deploy one agent for VPN and another for Web Security, you are moving backward, not forward.

3. Data Residency and Compliance

With privacy regulations tightening, knowing where your data is inspected and logged is vital. Ensure your provider can guarantee that logs and inspected traffic remain within the Australia/New Zealand region if required by your compliance mandates.

4. Digital Experience Management (DEM)

When a remote user complains that “Teams is slow,” how do you fix it? In a direct-to-internet model, you lose the visibility you had with MPLS.

Therefore, a critical evaluation criterion is Digital Experience Management. The solution must provide hop-by-hop visibility from the user’s device, across the internet, to the application. This allows your team (or your partner) to instantly see if the issue is the home Wi-Fi, the ISP, or the SaaS provider.

Operating Model: Managed Service vs. Do-It-Yourself

One of the most significant decisions you will make in this stage is not technical, but operational. Who is going to run this?

The Skill Gap Reality

Modern SASE platforms are powerful, but they represent a paradigm shift. Writing policies for a Cloud Access Security Broker (CASB) or configuring Data Loss Prevention (DLP) requires a different skillset than managing a port-based firewall.

Many mid-sized organisations underestimate the learning curve. This often leads to a “deployment stall,” where the technology is bought but only 10% of the features are turned on because the internal team lacks the time or expertise to configure the rest.

The Managed Advantage

For many NZ businesses, the “sweet spot” is a co-managed or fully managed model. This involves selecting a partner who acts as the single point of accountability—handling the telco relationships, the SD-WAN hardware, and the cloud security policy tuning.

When evaluating partners, look for those with:

  • Local Level 1/2 Support: Can you talk to an engineer in your time zone?
  • Integrated Telco Capabilities: Can they manage the underlay (fibre/internet) as well as the overlay (SASE)?
  • Proven Migration Blueprints: Do they have a standard methodology for moving off MPLS?

Structuring a Meaningful Pilot

Don’t rely on a generic demo. To truly de-risk your decision, you need a Proof of Concept (POC) that reflects your reality.

Do not:

  • Run the POC only in the IT department.
  • Test only with unencrypted traffic.
  • Focus only on “blocking” capabilities.

Do:

  • Include Real Users: Deploy the agent to a non-technical pilot group (e.g., HR or Finance) to test the actual user experience.
  • Test the “Coffee Shop” Scenario: Have a user work from a public Wi-Fi connection and access a private internal app. Does it feel seamless?
  • Break the Network: Simulate a primary link failure at a branch and watch how the SD-WAN fails over for voice vs. email traffic.
  • Inspect Encrypted Traffic: Turn on TLS inspection for the pilot group. This is where performance issues usually hide. Measure the same applications for the same users with inspection on and off; if the vendor’s cloud cannot handle the load, you will see it here.
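One concrete way to run the “Inspect Encrypted Traffic” and “Coffee Shop” checks above, as an added example that is not part of the original article or any vendor’s tooling: a short Python script a pilot user runs from their laptop. For each hostname it performs a TLS handshake, records which CA issued the leaf certificate, and times the handshake. A leaf issued by your SASE provider’s inspection CA means the session is being decrypted on-path; a leaf issued by a public CA means that traffic is bypassing inspection; a certificate verification failure usually means inspection is on but the vendor’s CA has not been installed on the device. The CA name `Example Corp SASE Inspection CA` and the target hostname are placeholders to replace with your own.

```python
"""Pilot check: is TLS inspection actually on-path, and what does it cost in latency?

Added example (not vendor code). Run from a pilot user's laptop, on the office
network and again from public Wi-Fi, and compare the p95 handshake times.
"""
import socket
import ssl
import statistics
import time

# Assumed issuer name of the inspection CA your SASE vendor installs on pilot
# devices. Replace with the commonName shown in your vendor's root certificate.
INSPECTION_CA_CN = "Example Corp SASE Inspection CA"


def issuer_cn(peercert: dict) -> str:
    """Extract the issuer commonName from the dict returned by getpeercert().

    getpeercert() reports the issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs, e.g. ((("countryName", "NZ"),), (("commonName", "X"),)).
    """
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return ""


def classify(peercert: dict, inspection_ca_cn: str = INSPECTION_CA_CN) -> str:
    """'inspected' if the leaf was re-signed by the inspection CA, else 'direct'."""
    return "inspected" if issuer_cn(peercert) == inspection_ca_cn else "direct"


def handshake(host: str, port: int = 443, timeout: float = 5.0):
    """One TLS handshake against host; returns (peercert dict, handshake time in ms)."""
    # Default context validates against the OS trust store, so the inspection CA
    # must be installed there for an inspected session to verify.
    ctx = ssl.create_default_context()
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert, (time.perf_counter() - start) * 1000


def summarise(samples_ms) -> dict:
    """p50/p95 of handshake times; p95 is closer to what a user actually notices."""
    s = sorted(samples_ms)
    p95 = s[min(len(s) - 1, int(round(0.95 * (len(s) - 1))))]
    return {"p50": statistics.median(s), "p95": p95, "n": len(s)}


def probe(hosts, rounds: int = 5) -> dict:
    """Handshake `rounds` times per host; report inspection path and timing."""
    results = {}
    for host in hosts:
        try:
            samples = [handshake(host) for _ in range(rounds)]
        except ssl.SSLCertVerificationError as e:
            # Chain not trusted: typically inspection is on but the vendor CA is
            # missing from this device, which is itself a pilot finding.
            results[host] = {"path": "untrusted", "error": e.verify_message}
            continue
        cert = samples[0][0]
        times = [ms for _, ms in samples]
        results[host] = {"path": classify(cert), "issuer": issuer_cn(cert), **summarise(times)}
    return results


if __name__ == "__main__":
    # Placeholder target; list the SaaS and private apps your pilot group really uses.
    for host, r in probe(["www.example.com"]).items():
        if r["path"] == "untrusted":
            print(f"{host}: certificate not trusted ({r['error']})")
        else:
            print(f"{host}: {r['path']} (issuer={r['issuer']!r}) "
                  f"p50={r['p50']:.0f}ms p95={r['p95']:.0f}ms over {r['n']} handshakes")
```

Run it for the same user list twice, once with the inspection policy on and once off, and from the coffee-shop Wi-Fi as well as the office. A “direct” result for a banking or health site may be a deliberate bypass category rather than a gap, so compare any “direct” hosts against the vendor’s configured bypass list before raising it as a finding.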

Building Consensus: Bridging NetOps and SecOps

Finally, evaluation is a team sport. SASE converges networking and security, which often forces two siloed teams to collaborate for the first time.

  • The Network Team cares about uptime, latency, and ease of deployment.
  • The Security Team cares about visibility, data protection, and access control.

If these teams evaluate vendors separately, you will end up with a disjointed solution. The CIO or project lead must bring them together to agree on a shared scorecard. The winning solution should be one that makes the network team’s life easier (by automating routing) while giving the security team deeper control (by inspecting that routed traffic).

Next Steps

To move from confusion to clarity, take these practical steps this week:

  1. Create your “Must-Have” Checklist: Create a one-page document categorising your requirements into “Must-Have” (e.g., Single-pass architecture, NZ data residency, Managed Support) versus “Nice-to-Have.”
  2. Define your Pilot Group: Identify 10-20 users across different departments and one branch office to serve as your test bed.
  3. Challenge your Shortlist: Ask your potential providers specifically about their “single agent” claims and their local support structure in New Zealand.

By focusing on these architectural and operational fundamentals, you will avoid the “hype cycle” and select a partner capable of delivering a secure, high-performance network for the long term.

About the Author:

Rob Graham – Head of Networks, Securecom

Rob brings 20 years of experience in the New Zealand telecommunications industry. Specialising in leadership, architecture, and operations, he is passionate about innovative network deliveries and obsessed with customer experience. He helps Kiwi businesses navigate the shift to modern, resilient connectivity solutions.

Email: rob.graham@securecom.co.nz

Ready to modernise secure access?

Book a TotalNET Zero Trust assessment workshop and receive a clear, ROI-driven roadmap to simplify your network and security stack.