You should be vary wary of any vendor who tells you on-premises should be your default deployment option. Don’t let a vendor position SaaS for just remote offices and remote users. There are reasons for on-premises deployments (cloud aversion syndrome, outbound DLP, data residency) but make sure the reasons are you’re own and not dictated by the vendor. If you can hand off web content security (and email) to SaaS security vendors you can repurpose your limited security resources to more strategic functions like incident detection and response, security architecture, or application security.
The web (and email) gateway vendors haven't done the best job of responding to disruption. FireEye was able to quickly capture market share because they weren't stopping phishing attempts and drive by downloads. FireEye completely disrupted their business and put these companies on the defensive.
I see the email and web gateway vendors behind disrupted once again, this time by the cloud and SaaS applications. The traditional web content security vendors should've owned security for SaaS applications; they have owned web-browsing security for over a decade. Instead, we have seen cloud security startups like Skyhigh Networks and Ionic Security emerge to provide visibility into and control of SaaS applications. I fear that the traditional web content security players have been disrupted again and are holding on to their precious appliances at the expense of their future. Web gateways aren't dead yet, but their day is coming and they will shift to niche deployments. Don't be like Gollum and his precious ring, don't follow your appliances into the lava of Mount Doom.
A special thanks to Peggy Dostie, Kelley Mak, & Claire O'Malley who helped make this Wave possible.