Share this
What a Multi-Site Microsegmentation Rollout Actually Looks Like (and Why Most Take Years)
by Charlie Treadwell on Jul 16, 2026 7:39:10 PM
Most of the security leaders I meet have been quoted years to segment their sites, and they’ve stopped believing anyone who promises faster. The honest range is one to three years for most multi-site microsegmentation programs. Then St. Luke’s University Health Network segmented 15 hospitals, 350 practices, and 85,000 devices in 46 days. Both numbers are true.
The gap between them isn’t the software; per-site deployment often takes minutes to hours. The years come from everything around it: change control, site readiness, and the decisions about what to enforce, in what order, on whose sign-off. Deployment is decoupled from policy, and policy from enforcement. An activated site is not a protected site.
Multi-Site Microsegmentation Rollouts by the Numbers (2026):
- Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems.
- St. Luke’s University Health Network segmented 15 hospitals, 350 practices, and 85,000 devices in 46 days (published case study).
- Southern Illinois Healthcare reached full wired-network segmentation with three total resources; its proof of concept deployed in under an hour (Taylor Calloni, Cybersecurity Engineer III).
How long does a multi-site microsegmentation rollout really take?
A multi-site microsegmentation deployment usually reaches full enforcement in one to three years, even though a single site can come online in minutes to hours. Software rollout and enforcement run at two speeds, and everyone quotes you the slow one.
Two deployment arcs dominate. Different mechanics, same finish: in both, the tail is organizational.
| Phase | Typical agent-based arc | Identity-based, agentless arc |
|---|---|---|
| Per-site rollout | Install approvals per platform team; per-OS certification | Nothing to install; a site comes online in minutes to hours |
| Policy build | Often rebuilt site by site | Build once, clone with the variables changed |
| Simulation | Passive observation phase; moving out of it takes an executive push | Every policy runs against live traffic before it touches production |
| First enforcement | Larger cutovers, breakage risk concentrated | Incremental, lowest-risk device groups first, rollback one action away |
| Full-estate enforcement | Months to years; the enforcement tail is the long pole | Weeks to quarters per site, sites in parallel; the tail is still organizational |
St. Luke’s lived at the slow end first: five years of trying to architect microsegmentation had stalled. The team then spent about a month preparing infrastructure, deployed Elisity, and completed its major segmentation buckets in roughly 46 days without major outages, against 18-month consultant-heavy quotes. “Within 46 days, we went from no microsegmentation to having all of our microsegmentation completed,” is how Daniel Dopsovic, the health system’s Senior Enterprise Information Security Architect, described it. CISO David Finkelstein had asked for two months; the team beat that by two weeks. The full account is in the 46-day health-system case study.
The slow end deserves the same honesty. In one global manufacturing program, software reached nearly all of roughly 29 sites within six months, while full enforcement ran from month four to month 15. I’ve seen a team activate 70-something sites in four or five months and apply policy at just two or three. Across mature deployments, the steady state is roughly half of all policies enforced, half still in simulation, which sounds like a stalled program until you remember that every enforced policy earned a change window and a sign-off first. Activation is cheap. Enforcement is deliberate. A site count never tells you how much of the estate is protected.
Why do most multi-site segmentation projects take years?
Most multi-site segmentation projects take years because the work that stalls them is organizational, not technical. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems. Nearly everyone starts. Almost no one finishes. My colleague William Toll breaks the survey down in his Omdia manufacturing analysis and digs into why segmentation projects fail with RedSeal’s chief product and technology officer.
What I keep running into:
- Change-control calendars, freezes, and holidays. One global program planned around a year-end freeze, a December furlough, and a summer-only maintenance window. Enforcement waited on the calendar, not the console.
- Single-threaded site experts. When a site’s one expert takes a six-month leave, that site sits until someone rebuilds the plan.
- Asset-inventory surprises. I can’t tell you the number of times a team says it has 50,000 devices and discovery turns up closer to 78,000. One site found roughly 150 OT assets hiding behind unmanaged hardware.
- Network prerequisites. Minimum firmware, controller upgrades, and licensing reboots each need their own window and gate the site behind them.
- Snowflake sites. Teams that rebuild policy from scratch at every location build a years-long rollout by construction.
Agent-based approaches carry extra weight here, and I mean that architecturally, not as a vendor knock. When deployment depends on installing software on endpoints, the friction front-loads: bulk-install approvals from every platform team, certification for every operating system in the fleet, and an agent lifecycle to run at every site for as long as the program lives. Mature platforms now offer agentless tiers for exactly that reason. Every install approval you delete is calendar time you get back.
What’s the fastest way to roll out microsegmentation across multiple sites?
The fastest way to roll out microsegmentation across multiple sites is to deploy every site quickly in learning mode, then run enforcement as a separate, deliberate track behind it. This is the playbook I’d hand a team starting today.
- Pick a template site, not your biggest site. Choose a location your team knows well and can reach easily, so the first pass becomes a reusable pattern. Familiarity matters more than size.
- Deploy in learning mode with nothing to install on endpoints or the network. An identity-based, agentless approach brings a site online passively, in minutes to hours, on the infrastructure you already have. One exception worth naming: the Active Directory integration uses an agent; your network and endpoints stay agentless.
- Build identity-based policy from observed traffic. Let the platform show you real flows, then group assets by what they are and who uses them, not by IP address. Start coarse and refine later.
- Validate with the people who run the site. Sit with the clinical, plant, or facilities engineers who know which flows are normal. They catch the exceptions your observation window missed; skipping this step is how fast rollouts break.
- Enforce incrementally, lowest-risk device groups first. Move policies from simulation to enforcement in small change windows, easy high-traffic groups first and the riskiest last, with rollback one action away. Simulation reports what a policy would have blocked before anything goes live.
- Clone the policy template to the next wave. Once a site enforces cleanly, the next site is the same workflow with the source and destination variables changed. This is what turns a single-site win into a program.
- Run subsequent site waves in parallel. Deploy new sites in learning mode as fast as your change calendar allows, with policy as its own track, so many sites learn while earlier sites enforce. Parallelism is what compresses the calendar.
Site-level speed is real. Southern Illinois Healthcare stood up its Elisity proof of concept in under an hour: deployed on existing access-layer infrastructure, monitoring and blocking. For the procedure itself, see our step-by-step implementation guide.
How do you sequence sites in a multi-site rollout?
You sequence a multi-site rollout by choosing a template site first, ordering device groups from easiest to riskiest, and parallelizing across locations once the pattern holds. Get the first site right and the rest of the estate becomes repetition.
Southern Illinois Healthcare sequenced this way, per its 400-bed deployment story. The pilot started at a daytime-only Cancer Institute, where the team could deploy and fix after hours, then moved to the largest site, worked down to the smallest, and finished with remote clinics. Four hospitals and around 400 beds across 17 to 19 counties ran on three total resources: two network engineers plus one security administrator. That was the whole team.
Wave sizing keeps it manageable: five to 10 similar sites per wave, each attached to an always-in-simulation copy of your policy set, audited, then flipped into enforcement by reassigning a site label. No policy rebuild. At GSK, Security Architect Jeff Binkley reported over 50 locations rolled out in three to four months, a single site in about 15 minutes.
What do the first 30, 60, and 90 days look like?
The first 90 days of a per-site microsegmentation deployment follow a predictable arc: visibility in week one, broad simulation by day 30, partial enforcement by day 60, and mature enforcement, 75 percent coverage or better, by roughly week 12.
Days 0 to 7. Prerequisites do most of the gating: firmware, licensing, time sync, service-account rights, firewall paths. Once those clear, enforcement points come online in small, often evening, windows; visibility appears within days and identity connectors start classifying assets.
Days 7 to 30. Everything runs in simulation against live traffic. Teams review flagged flows daily and widen analytics to a month to catch scheduled jobs like backups. The observation window is criticality math: a day or two for low-risk pairs, six weeks or more for life-safety systems.
Days 30 to 90. Enforcement arrives in waves. Each activation is a scheduled window, an hour or two, with user-acceptance checks before and after and sign-off from application, security, and network owners. I’ve watched sites take four to 11 waves to reach full enforcement. The winning pattern is boring on purpose.
Haleon secured its 24/7/365 pharmaceutical operations on Elisity with “no P1s, no outages, deploying in the environment without hurting the business,” as CISO Edmond Mack put it in the zero-downtime pharmaceutical case study. The business then asked how to move faster. That’s not a promise of zero risk; it’s what a procedural mitigation looks like when it holds.
What goes wrong even in fast rollouts?
Fast rollouts still break. They break in the same handful of places, and none of them are a reason to slow down, only to keep the discipline that makes speed safe.
- Over-scoped first policies. Too much granularity up front slows the whole site. Start coarse and refine once traffic confirms reality.
- Skipping validation with the floor. A device class that never appeared in your observation window, thin-client carts, say, surfaces the day after enforcement. The engineer who runs the floor knows before your data does.
- Under-communicating enforcement dates. A site that hears about its change window a week out will find a reason to slip it. Enforcement is also change-managed in both directions; reverting deserves the same window and rollback plan as activating.
- Assuming site two is identical to site one. Local overrides exist for a reason, like duplicate IP schemas after a merger; absorb the differences instead of fighting them.
- Forgetting that identity sources are now production infrastructure. Once policy depends on identity, directory maintenance and connector limits carry a segmentation blast radius.
A word about “no rip and replace,” a phrase that gets oversold. Identity-based, agentless deployment means no re-IP, no new VLANs, no routing changes. You still configure telemetry on gear you already own: you touch the network, just not your packets or your topology. For an operational hospital, as Bupa’s Group CISO Paul Haywood noted, a full rip and replace “would have been too disruptive.”
Frequently Asked Questions About Multi-Site Microsegmentation Rollouts
What’s the fastest way to roll out microsegmentation across multiple sites?
Deploy every site quickly in learning mode, then run enforcement as a separate track behind it. Pick a template site, build identity-based policy from observed traffic, validate with the site team, enforce lowest-risk groups first, then clone the template across parallel site waves. St. Luke’s University Health Network covered 15 hospitals and 85,000 devices in 46 days.
How do I deploy zero trust segmentation quickly?
Start with identity, not the network. Bring sites online passively in learning mode with nothing to install on endpoints, group assets by identity from real traffic, and run every policy in simulation before enforcing. Enforce incrementally in short change windows, rollback ready. Southern Illinois Healthcare stood up its proof of concept in under an hour.
How long does it realistically take to deploy microsegmentation across multiple sites?
Realistically, one to three years to full enforcement across a large estate, even though each site can be brought online in minutes to hours. Microsegmentation deployment is fast; the enforcement tail is the long pole. At GSK, Security Architect Jeff Binkley reported over 50 locations rolled out in three to four months.
Why do microsegmentation projects take years to finish?
Because the blockers are organizational, not technical: change-control freezes, single-threaded site experts, asset-inventory surprises, network prerequisites, and treating every site as unique. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems.
Can I deploy zero trust segmentation without downtime or maintenance windows?
You can deploy and monitor without downtime, but enforcement still uses short, scheduled change windows. The mitigation is procedural, not a guarantee: simulation shows what a policy would block before it goes live, and rollback stays one action away. Haleon protected its 24/7/365 pharmaceutical operations with no P1 incidents and no outages this way.
How do I roll out microsegmentation without ripping and replacing the network?
Choose identity-based, agentless deployment: no re-IP, no new VLANs, no routing changes, nothing to install on endpoints. You still configure telemetry on gear you already own; you touch the network, just not your packets or your topology. Bupa’s Group CISO Paul Haywood put it plainly: a full rip and replace “would have been too disruptive” for an operational hospital.
Stop measuring your program by how many sites you’ve activated. Activation is the easy half. What matters is how much of what needs protecting is enforced, and that moves at the speed of your change calendar and site conversations. The teams that finish build a small, repeatable, reversible per-site playbook and run it in parallel, wave after wave, until the estate is done.
Further reading:
- How to Implement Microsegmentation in 7 Steps
- St. Luke’s 46-Day Deployment Case Study
- How Southern Illinois Healthcare Secured 400+ Beds
- Microsegmentation in Manufacturing: Omdia Survey Findings
- Why Network Segmentation Projects Fail: A RedSeal CPTO View
- What Is Microsegmentation? Identity-Based Guide
Share this
- June 2026 (4)
- May 2026 (5)
- April 2026 (10)
- March 2026 (6)
- February 2026 (14)
- January 2026 (4)
- December 2025 (4)
- November 2025 (2)
- October 2025 (5)
- September 2025 (4)
- August 2025 (5)
- July 2025 (5)
- June 2025 (5)
- May 2025 (4)
- April 2025 (5)
- March 2025 (6)
- February 2025 (3)
- January 2025 (5)
- December 2024 (4)
- November 2024 (5)
- October 2024 (7)
- September 2024 (5)
- August 2024 (3)
- July 2024 (4)
- June 2024 (2)
- April 2024 (3)
- March 2024 (2)
- February 2024 (1)
- January 2024 (3)
- December 2023 (1)
- November 2023 (1)
- October 2023 (2)
- September 2023 (3)
- June 2023 (1)
- May 2023 (3)
- April 2023 (1)
- March 2023 (6)
- February 2023 (4)
- January 2023 (3)
- December 2022 (7)
- November 2022 (3)
- October 2022 (1)
- July 2022 (1)
- May 2022 (1)
- February 2022 (1)
- November 2021 (1)
- August 2021 (1)
- May 2021 (2)
- April 2021 (2)
- March 2021 (3)
- February 2021 (1)
- November 2020 (2)
- October 2020 (1)
- September 2020 (1)
- August 2020 (3)

No Comments Yet
Let us know what you think