Chapter 10: Explaining It to the Client: Business Case, ROI, and Decision Framework
Learning Objectives
Frame the value of Cisco Secure Access for a business audience — consolidation, risk reduction, and user productivity — rather than a feature list.
Build a tier-selection and ROI decision framework for a client, including a defensible TCO comparison, payback and ROI formulas, and a worked financial example.
Handle common objections and position Secure Access against competitors (Zscaler, Netskope, Palo Alto Prisma Access), and assemble a client-ready implementation proposal.
Pre-Reading Check — Telling the Value Story
1. What is described as the single most powerful financial narrative for Cisco Secure Access?
2. In the Expected Annual Loss model, which two factors does Secure Access reduce?
3. Which analogy is used to explain Zero Trust / ZTNA segmentation to a business audience?
4. According to the AWS Marketplace listing cited, consolidation delivers management/protection time savings of up to:
5. How is the user-experience story best positioned to an executive?
1. Telling the Value Story
Before any spreadsheet, you need a narrative. Executives buy stories that reduce their anxiety, and only later validate those stories with numbers. Cisco Secure Access has three value stories that map directly to three executive anxieties: too many vendors, too much risk, and too many complaints from the workforce.
Key Points
Consolidation is the lead financial story: one SSE subscription and one console replace a four-to-five-vendor stack (SWG, CASB, DLP, VPN, branch firewalls), cutting license, hardware, and vendor-management costs — with up to 30% operational time savings.
Risk reduction is an insurance narrative: use Expected Annual Loss (EAL = probability × impact); Secure Access lowers probability via threat/identity controls and lowers impact via ZTNA segmentation.
User experience wins hearts: per-app direct access and frictionless identity remove VPN pain, improve SaaS performance, and recover measurable productivity while increasing security.
Ground your risk numbers in a recognized methodology (Forrester TEI style) so a skeptical CFO cannot dismiss them as vendor optimism.
Anchor with a real reference: a large enterprise reported TCO reduction and secured 80,000+ users in under four months.
Consolidation and vendor reduction
Cisco Secure Access is the cloud-delivered successor to Cisco Umbrella plus AnyConnect, collapsing ZTNA, SWG, CASB, DLP, RBI, FWaaS, and VPNaaS into one SSE subscription with a single policy construct. The typical "as-is" enterprise runs a sprawl: a standalone proxy, a separate CASB, standalone DLP, VPN concentrators and clients, and hardware firewalls at the branch edge — each with its own console, renewal cycle, and support contract. The analogy that lands with executives is the cable bundle: one bill, one console, one throat to choke.
Animation 1 — Vendor sprawl collapses into one SSE platform
Five vendor point-products (left) each carry their own console, renewal, and support contract. Arrows show them consolidating into a single Cisco Secure Access SSE subscription (right) with one console and one policy — the "cable bundle" narrative.
Figure 10.1: Vendor sprawl consolidated into one SSE platform
Consolidation attacks the sprawl on several fronts: license and support savings (one subscription replaces 60–100% of point-product spend), hardware and data-center savings (decommissioned appliances free rack, power, cooling), and operational overhead savings (fewer contracts, one policy, up to 30% time savings).
Risk reduction and Zero Trust outcomes
The second story reframes Secure Access from a cost item into an insurance policy against breaches. It reduces risk on two axes: lowering the probability of a breach (threat protection, DNS-layer controls, CASB/DLP, MFA) and lowering the impact when one occurs (per-app ZTNA segmentation limits lateral movement). The business translation is a hotel with keycard doors: in the old VPN model one stolen key opened every room; in ZTNA each keycard opens exactly one room. You quantify this with a model risk teams already trust:
Expected Annual Loss (EAL) = Probability of a Breach per Year × Average Breach Impact
The methodology matters as much as the number: it parallels Forrester's Total Economic Impact (TEI) approach, grounding breach-probability reductions in expert interviews and benchmarks rather than invention.
User experience and productivity
The third story wins hearts: Secure Access makes the workforce's day better. Legacy architectures backhaul internet and SaaS traffic over MPLS to a central data center and hairpin it back out, degrading performance. Secure Access replaces that with direct, per-app access (no forced full-tunnel backhaul) and frictionless identity (SSO, strong MFA, passwordless — fewer help-desk tickets). The analogy is airport security line versus TSA PreCheck: verified identity, a fast lane to the gate you are authorized for, and screening that is more secure because it is context-aware. Three minutes saved per user per day across thousands of users compounds into millions of dollars of recovered capacity, even after heavy discounting.
Post-Reading Check — Telling the Value Story
1. What is described as the single most powerful financial narrative for Cisco Secure Access?
2. In the Expected Annual Loss model, which two factors does Secure Access reduce?
3. Which analogy is used to explain Zero Trust / ZTNA segmentation to a business audience?
4. According to the AWS Marketplace listing cited, consolidation delivers management/protection time savings of up to:
5. How is the user-experience story best positioned to an executive?
Pre-Reading Check — ROI and Tier Selection
1. In a TCO business case, why separate "hard" cost drivers from "soft" ones?
2. Which statement about the Essentials tier is correct?
3. Which capability is added by Advantage but NOT included in Essentials?
4. Using the worked example (Annual net benefit $1.2M, initial investment $300K), the payback period is approximately:
5. What is the "hybrid tier deployment" cost-control move?
2. ROI and Tier Selection
A story opens the door; numbers close it. This section builds the quantitative half of the business case — the TCO comparison, the payback and ROI formulas with a fully worked example, and the framework for choosing the right license tier and budget per user.
Key Points
Build the TCO case as "as-is vs. to-be" across five categories: security licensing, hardware/data center, network (MPLS/VPN), staff/operations, and incident/risk cost.
Separate hard from soft savings — present hard savings as the core, soft (productivity, agility) as heavily discounted supplements.
Essentials is a complete SSE baseline; Advantage adds IPS, multimode DLP, RBI-everywhere, unlimited sandboxing, and full L7 control.
Choose the tier per package along size/complexity, security maturity, compliance, and use cases — offer a hybrid deployment to align spend with risk.
The formulas: Annual Net Benefit = Benefits − Costs; Payback = Investment ÷ Annual Net Benefit; ROI% = ((Sum of Net Benefits over N years) − Investment) ÷ Investment × 100.
Always finish with a sensitivity analysis showing the project stays ROI-positive under conservative assumptions.
TCO vs. stacked point products
The core financial argument is an "as-is" versus "to-be" TCO comparison. Build the baseline by cataloging every cost the current stack incurs, then model Secure Access replacing or shrinking those line items.
Cost category
As-is (stacked point products)
To-be (Cisco Secure Access)
Driver of savings
Security licensing
Separate SWG, CASB, DLP, VPN, FW licenses/support
One SSE subscription
Consolidation replaces 60–100% of point-product spend
MPLS backhaul of internet/SaaS traffic; VPN concentrators
Direct-to-cloud edge via SSE; VPNaaS/ZTNA
Circuit downgrades + appliance retirement
Staff / operations
FTEs managing separate consoles and policies
Single console, single policy, AI-assisted policy
Up to 30% time savings on management tasks
Incident & risk cost
Higher breach probability and impact
Lower EAL via threat controls + ZTNA containment
Reduced probability and impact
Always separate hard drivers (hardware, licenses, MPLS, FTE time) from soft drivers (productivity, agility, reputational risk). Present hard savings as the core and soft savings as heavily discounted — this discipline signals you are not padding the numbers.
Essentials vs. Advantage decision framework
The license tier drives per-user cost, so tier selection is budget selection. The crucial framing is that Essentials is a full SSE baseline, not a crippled tier. Both tiers include SWG, DNS security, CASB, ZTNA/VPNaaS, FWaaS (L3–4 Cloud Delivered Firewall), Digital Experience Monitoring, and sandboxing. Advantage layers advanced threat and data protection on top.
Capability
Essentials
Advantage
SWG
Web proxy, URL/content filtering, web app controls
+ Layer-7 app visibility/control over thousands of apps
DNS security
Included (internet-wide visibility, on/off network)
Included (blocks exploits, inspects decrypted traffic)
Dimension
Lean Essentials when…
Lean Advantage when…
Size / complexity
300–3,000 users, few sites, mainly SaaS + internet access
5,000–50,000+ users, many sites, large private-app estate, multi-cloud
Security maturity
Early SSE adoption, limited SOC, want to consolidate simply
Mature SOC with threat hunting, XDR/SIEM, Talos integration
Compliance
Minimal regulatory pressure, or DLP/IPS already covered elsewhere
SOC 2 / ISO 27001 / HIPAA and especially finance, government, healthcare
Use cases
Core secure internet + basic private access
Need inline IPS, multimode DLP, RBI-everywhere, high-volume sandboxing
Animation 2 — Tier-selection decision flow branches to Advantage, Essentials, or Hybrid
One decision node folds the four dimensions (compliance, advanced controls, size/complexity, SOC maturity). "Yes" leans Advantage; "No" leans Essentials — the full SSE baseline. When risk is not uniform across users, both feed a Hybrid deployment that aligns spend with risk.
Figure 10.3: Essentials vs. Advantage tier-selection decision framework
flowchart TD
START["Choose package then choose tier"] --> Q1{"Strict compliance? SOC 2 / ISO 27001 / HIPAA finance / gov / healthcare"}
Q1 -->|Yes| ADV["Lean Advantage"]
Q1 -->|No| Q2{"Need inline IPS, multimode DLP, or RBI-everywhere?"}
Q2 -->|Yes| ADV
Q2 -->|No| Q3{"Large / complex? 5,000+ users, many sites, large private-app estate"}
Q3 -->|Yes| ADV
Q3 -->|No| Q4{"Mature SOC with threat hunting + XDR/SIEM/Talos?"}
Q4 -->|Yes| ADV
Q4 -->|No| ESS["Lean Essentials full SSE baseline"]
ADV --> HYBRID{"Uniform risk across users?"}
ESS --> HYBRID
HYBRID -->|No| MIX["Hybrid: Advantage for high-risk segments, Essentials elsewhere"]
HYBRID -->|Yes| UNIFORM["Single tier for all"]
A powerful cost-control move is the hybrid tier deployment: license Advantage only for high-risk segments (finance, R&D, executives, privileged access) and Essentials for lower-risk users. This avoids an "all or nothing" budget decision and often reflects real risk distribution better than a uniform tier.
Sizing and budgeting per user — worked ROI example
Cisco's DNS-only entry point is inexpensive — often about $2–4 per user — covering all devices with no agent. Full SSE requires agents, tunnels, and higher-tier licensing but is generally cost-competitive with Zscaler and cheaper than Prisma Access. The worked example below is illustrative — replace figures with the client's real data.
Animation 3 — ROI payback: accumulating benefits cross the payback line
The one-time $300K investment (orange) rises first. Then accumulating annual net benefit ($1.2M/yr, green) builds bar by bar. Benefits cross the dashed payback line almost immediately — roughly three months — after which everything is return, yielding ~1,100% three-year ROI.
Figure 10.2: ROI calculation flow — from annual benefits to payback and ROI
flowchart TD
HARD["Hard Savings: 850K/yr licenses + hardware + MPLS + FTE"]
RISK["Modeled Risk Reduction: 250K/yr"]
PROD["Productivity Gains: 600K/yr already discounted"]
HARD --> BENEFIT["Total Annual Benefit = 1.7M"]
RISK --> BENEFIT
PROD --> BENEFIT
SUB["Annual Subscription Cost: 500K"]
BENEFIT --> NET["Annual Net Benefit = 1.7M - 500K = 1.2M"]
SUB --> NET
INVEST["Initial Investment: 300K one-time"]
NET --> PAYBACK["Payback = 300K / 1.2M approx 0.25 yr (~3 months)"]
INVEST --> PAYBACK
NET --> ROI["3-Year ROI = ((1.2M x 3) - 300K) / 300K x 100 approx 1,100%"]
INVEST --> ROI
A sub-four-month payback aligns with Cisco's real LTM case study (TCO reduction at 80,000+ users in under four months). Always finish with a sensitivity analysis: show that even if productivity gains are only 50% of estimate and risk reduction is halved, the project stays ROI-positive.
Post-Reading Check — ROI and Tier Selection
1. In a TCO business case, why separate "hard" cost drivers from "soft" ones?
2. Which statement about the Essentials tier is correct?
3. Which capability is added by Advantage but NOT included in Essentials?
4. Using the worked example (Annual net benefit $1.2M, initial investment $300K), the payback period is approximately:
5. What is the "hybrid tier deployment" cost-control move?
Pre-Reading Check — Objections and Competitive Positioning
1. In the consensus competitive positioning, which vendor is described as having the "deepest, data-centric CASB/DLP"?
2. How should Cisco's Gartner Magic Quadrant position (typically Challenger/Visionary) be handled with a client?
3. A client says "We already have DLP and IPS from other vendors." What is the best response?
4. What is the unifying principle across every objection rebuttal?
5. Which is the correct structure of the five-part implementation proposal?
3. Objections and Competitive Positioning
No enterprise deal closes without competition and pushback. This section arms you with an honest competitive comparison, ready responses to the objections you will actually hear, and the structure of the proposal that turns agreement into a signature.
Key Points
Be honest about the field: Zscaler leads on scale/PoP footprint, Netskope on data-centric CASB/DLP, Prisma on inspection depth. Cisco wins on native integration, agentless DNS entry, mobile ZTNA, and cost.
Flag Gartner's MQ (Cisco as Challenger/Visionary) as external context and pivot to the practical wins for an existing Cisco estate.
Pre-load objection→rebuttal pairs; the strongest tactic is honesty — offer Essentials or a phased/hybrid deployment when coverage already exists.
Reserve Advantage for genuine gaps in user-to-cloud IPS/DLP that competitors' data-center/endpoint stacks miss.
Structure the proposal in five parts and de-risk with a start-small-grow-later phased rollout, anchoring credibility in the LTM precedent.
Comparison with Zscaler, Netskope, Palo Alto
Credibility with a technical buyer requires honesty about where Cisco leads and where it does not.
Dimension
Cisco Secure Access
Zscaler
Netskope
Palo Alto Prisma Access
Positioning
Integrated SSE, Cisco-centric
Best-of-breed SSE
Single-vendor SASE, data-centric
NGFW-in-cloud, single-vendor SASE
Architecture
DNS + SWG/proxy + Cloud FW + ZTNA
Pure cloud proxy
Proxy overlay, single-pass Zero Trust Engine
Full L7 NGFW in cloud
PoP / coverage
Global, density trails Zscaler
Broadest PoP footprint
NewEdge private backbone
AWS + GCP hyperscale
CASB / DLP depth
Competent, integrated with Umbrella
Strong
Deepest, data-centric ("Layer 8")
Strong, NGFW-integrated
FWaaS / inspection
Cloud FW + IPS (Advantage)
Mature for web; weaker non-web
Integrated, basic-to-intermediate
Deepest — all ports/protocols
DEM
ThousandEyes
ZDX
Present, less emphasized
ADEM (full visibility)
Pricing
Cost-competitive; ~$2–4/user DNS entry
Premium
Mid-to-high
Most expensive, bandwidth-based
Deployment
Easiest via DNS-first
Performant but complex steering
Rich but complex policy
Most complex; needs BGP/routing expertise
Best fit
Cisco SD-WAN/ISE/Secure Client shops
Global remote, multi-vendor networks
Data-sensitive SaaS governance
Palo Alto NGFW-standardized hybrid orgs
Cisco's genuine differentiators: agentless DNS-layer entry that protects IoT and unmanaged devices in minutes at ~$2–4/user; tight integration with Cisco SD-WAN, Identity Services Engine, and Secure Client; high-performance mobile ZTNA via MASQUE/QUIC; and ThousandEyes for digital experience monitoring.
External market context — Gartner Magic Quadrant (SSE). Zscaler and Netskope are consistently Leaders, Palo Alto (Prisma Access) is also in the Leader quadrant, and Cisco typically appears as a Challenger or Visionary. This is external market context, not a supplied-source fact. The honest way to handle it: acknowledge Cisco's analyst position, then pivot to the integration, cost, and speed-to-value advantages a Cisco-centric shop realizes in practice.
Common objections and responses
Prepare rebuttals in advance. Each pairs an objection you will hear with a response grounded in the research.
Objection
Response
"Essentials already has SWG, CASB, ZTNA, FWaaS — why pay for Advantage?"
Agree Essentials is a full baseline, not crippled. Advantage is about advanced risk/compliance: IPS for exploit blocking, multimode DLP, unlimited sandboxing, RBI-everywhere. Run a joint risk/compliance review — if existing IPS/DLP does not cover user-to-cloud traffic, Advantage fills the gap.
"We already have DLP and IPS from other vendors."
Map the coverage. Data-center IPS often does not see user-to-SaaS traffic that bypasses the corporate network; endpoint/email DLP misses web/SaaS exfiltration. Advantage puts data and threat policy directly in the SSE path. If coverage is genuinely equivalent, recommend Essentials and revisit later.
"Advantage looks expensive."
Frame against the separate DLP/IPS/sandboxing licenses and infrastructure it replaces, plus lower operational complexity. Use a phased/hybrid approach — Advantage for high-risk users, Essentials elsewhere — so not every user pays the premium.
"We're worried about TLS decryption and IPS latency hurting UX."
Both tiers include TLS decryption managed by Cisco's cloud, and DEM/Experience Insights is included in both. Apply IPS/DLP selectively via risk-based policy. For performance-sensitive clients, baseline with Essentials + DEM, then pilot Advantage on subsets.
"We just want simple DNS security, not full SSE."
Recommend DNS Defense Essentials — DNS-layer security with internet-wide visibility in minutes, any company size. Explain the growth path: start with DNS Defense, migrate to Secure Access Essentials when SWG/ZTNA needs emerge.
"Why not just do nothing / incremental upgrades?"
Show that legacy VPN + MPLS + multiple point products keeps TCO high, UX poor, and risk elevated — and gets worse as users and apps become more distributed, exactly the problem the SASE/SSE architecture addresses.
The unifying principle across every rebuttal: do not oversell. When the client genuinely has equivalent coverage, recommend the lower tier and preserve your credibility. That honesty is what makes them believe you when you say they do need Advantage.
Building the implementation proposal
The proposal is where the story and the numbers become a document a client can approve. Structure it in five parts:
Executive summary (one page). Current challenges, proposed solution (Secure Access SSE), and headline metrics: investment, annual benefits, payback, multi-year ROI. Cite the LTM case study as precedent.
Baseline and assumptions. Document as-is costs and risks, separate hard from soft, and label customer-provided versus benchmark/modeled numbers.
Financial model. A multi-year table resolving to Annual Net Benefit, Payback, and ROI %.
Sensitivity analysis. Show the project stays ROI-positive under conservative assumptions.
Phased deployment plan. Phase 1 — SWG + CASB + ZTNA for remote users while keeping existing VPN/MPLS; Phase 2 — retire VPN appliances, reduce MPLS, extend FWaaS and DLP coverage. Note coexistence with existing IdPs and MFA (including Cisco Duo).
Figure 10.4: Five-part proposal structure into a phased deployment
A phased plan is persuasive precisely because it does not demand a "big bang." It lets the client capture early wins — often DNS-layer protection that deploys in minutes — build internal confidence, and fund later phases partly from the savings of earlier ones. That is the arc of a proposal that gets signed.
Post-Reading Check — Objections and Competitive Positioning
1. In the consensus competitive positioning, which vendor is described as having the "deepest, data-centric CASB/DLP"?
2. How should Cisco's Gartner Magic Quadrant position (typically Challenger/Visionary) be handled with a client?
3. A client says "We already have DLP and IPS from other vendors." What is the best response?
4. What is the unifying principle across every objection rebuttal?
5. Which is the correct structure of the five-part implementation proposal?