Chapter 10: Explaining It to the Client: Business Case, ROI, and Decision Framework

Learning Objectives

Pre-Reading Check — Telling the Value Story

1. What is described as the single most powerful financial narrative for Cisco Secure Access?

2. In the Expected Annual Loss model, which two factors does Secure Access reduce?

3. Which analogy is used to explain Zero Trust / ZTNA segmentation to a business audience?

4. According to the AWS Marketplace listing cited, consolidation delivers management/protection time savings of up to:

5. How is the user-experience story best positioned to an executive?

1. Telling the Value Story

Before any spreadsheet, you need a narrative. Executives buy stories that reduce their anxiety, and only later validate those stories with numbers. Cisco Secure Access has three value stories that map directly to three executive anxieties: too many vendors, too much risk, and too many complaints from the workforce.

Key Points

Consolidation and vendor reduction

Cisco Secure Access is the cloud-delivered successor to Cisco Umbrella plus AnyConnect, collapsing ZTNA, SWG, CASB, DLP, RBI, FWaaS, and VPNaaS into one SSE subscription with a single policy construct. The typical "as-is" enterprise runs a sprawl: a standalone proxy, a separate CASB, standalone DLP, VPN concentrators and clients, and hardware firewalls at the branch edge — each with its own console, renewal cycle, and support contract. The analogy that lands with executives is the cable bundle: one bill, one console, one throat to choke.

Animation 1 — Vendor sprawl collapses into one SSE platform
Standalone SWG Separate CASB Standalone DLP VPN Concentrators Branch Firewalls Cisco Secure Access Single Console + Unified Policy ZTNA / SWG / CASB / DLP RBI / FWaaS / VPNaaS
Five vendor point-products (left) each carry their own console, renewal, and support contract. Arrows show them consolidating into a single Cisco Secure Access SSE subscription (right) with one console and one policy — the "cable bundle" narrative.

Figure 10.1: Vendor sprawl consolidated into one SSE platform

graph TD subgraph AS_IS["As-Is: 4-5 Vendor Point-Product Sprawl"] SWG["Standalone SWG / Proxy"] CASB["Separate CASB"] DLP["Standalone DLP"] VPN["VPN Concentrators + Clients"] FW["Branch Hardware Firewalls"] end subgraph TO_BE["To-Be: One SSE Subscription"] PLATFORM["Cisco Secure Access
Single Console + Unified Policy
ZTNA / SWG / CASB / DLP / RBI / FWaaS / VPNaaS"] end SWG --> PLATFORM CASB --> PLATFORM DLP --> PLATFORM VPN --> PLATFORM FW --> PLATFORM

Consolidation attacks the sprawl on several fronts: license and support savings (one subscription replaces 60–100% of point-product spend), hardware and data-center savings (decommissioned appliances free rack, power, cooling), and operational overhead savings (fewer contracts, one policy, up to 30% time savings).

Risk reduction and Zero Trust outcomes

The second story reframes Secure Access from a cost item into an insurance policy against breaches. It reduces risk on two axes: lowering the probability of a breach (threat protection, DNS-layer controls, CASB/DLP, MFA) and lowering the impact when one occurs (per-app ZTNA segmentation limits lateral movement). The business translation is a hotel with keycard doors: in the old VPN model one stolen key opened every room; in ZTNA each keycard opens exactly one room. You quantify this with a model risk teams already trust:

Expected Annual Loss (EAL) = Probability of a Breach per Year × Average Breach Impact

The methodology matters as much as the number: it parallels Forrester's Total Economic Impact (TEI) approach, grounding breach-probability reductions in expert interviews and benchmarks rather than invention.

User experience and productivity

The third story wins hearts: Secure Access makes the workforce's day better. Legacy architectures backhaul internet and SaaS traffic over MPLS to a central data center and hairpin it back out, degrading performance. Secure Access replaces that with direct, per-app access (no forced full-tunnel backhaul) and frictionless identity (SSO, strong MFA, passwordless — fewer help-desk tickets). The analogy is airport security line versus TSA PreCheck: verified identity, a fast lane to the gate you are authorized for, and screening that is more secure because it is context-aware. Three minutes saved per user per day across thousands of users compounds into millions of dollars of recovered capacity, even after heavy discounting.

Post-Reading Check — Telling the Value Story

1. What is described as the single most powerful financial narrative for Cisco Secure Access?

2. In the Expected Annual Loss model, which two factors does Secure Access reduce?

3. Which analogy is used to explain Zero Trust / ZTNA segmentation to a business audience?

4. According to the AWS Marketplace listing cited, consolidation delivers management/protection time savings of up to:

5. How is the user-experience story best positioned to an executive?

Pre-Reading Check — ROI and Tier Selection

1. In a TCO business case, why separate "hard" cost drivers from "soft" ones?

2. Which statement about the Essentials tier is correct?

3. Which capability is added by Advantage but NOT included in Essentials?

4. Using the worked example (Annual net benefit $1.2M, initial investment $300K), the payback period is approximately:

5. What is the "hybrid tier deployment" cost-control move?

2. ROI and Tier Selection

A story opens the door; numbers close it. This section builds the quantitative half of the business case — the TCO comparison, the payback and ROI formulas with a fully worked example, and the framework for choosing the right license tier and budget per user.

Key Points

TCO vs. stacked point products

The core financial argument is an "as-is" versus "to-be" TCO comparison. Build the baseline by cataloging every cost the current stack incurs, then model Secure Access replacing or shrinking those line items.

Cost categoryAs-is (stacked point products)To-be (Cisco Secure Access)Driver of savings
Security licensingSeparate SWG, CASB, DLP, VPN, FW licenses/supportOne SSE subscriptionConsolidation replaces 60–100% of point-product spend
Hardware & data centerVPN/SWG appliances, CASB/DLP servers, rack, power, coolingCloud-delivered; appliances decommissionedRetire on-prem security hardware
Network (MPLS/VPN)MPLS backhaul of internet/SaaS traffic; VPN concentratorsDirect-to-cloud edge via SSE; VPNaaS/ZTNACircuit downgrades + appliance retirement
Staff / operationsFTEs managing separate consoles and policiesSingle console, single policy, AI-assisted policyUp to 30% time savings on management tasks
Incident & risk costHigher breach probability and impactLower EAL via threat controls + ZTNA containmentReduced probability and impact

Always separate hard drivers (hardware, licenses, MPLS, FTE time) from soft drivers (productivity, agility, reputational risk). Present hard savings as the core and soft savings as heavily discounted — this discipline signals you are not padding the numbers.

Essentials vs. Advantage decision framework

The license tier drives per-user cost, so tier selection is budget selection. The crucial framing is that Essentials is a full SSE baseline, not a crippled tier. Both tiers include SWG, DNS security, CASB, ZTNA/VPNaaS, FWaaS (L3–4 Cloud Delivered Firewall), Digital Experience Monitoring, and sandboxing. Advantage layers advanced threat and data protection on top.

CapabilityEssentialsAdvantage
SWGWeb proxy, URL/content filtering, web app controls+ Layer-7 app visibility/control over thousands of apps
DNS securityIncluded (internet-wide visibility, on/off network)Included (same, paired with advanced controls)
CASBApp discovery, risk scoring, blocking, SaaS controls+ enforcement via DLP, IPS, and L7 controls
ZTNA / VPNaaSSecure private access with posture assessment+ combine with IPS/DLP for stricter access policy
FWaaSCloud Delivered Firewall, Layer 3–4 controls+ IPS for deep inspection of decrypted traffic
RBIRisky websites onlyAny website, policy-driven isolation
DEM (Experience Insights)IncludedIncluded (same feature set)
Sandboxing~500 samples/day quotaUnlimited + full malware analytics console
DLPNot multimode; relies on CASB/SWG controlsMultimode DLP across web, SaaS, email
IPSNot includedIncluded (blocks exploits, inspects decrypted traffic)
DimensionLean Essentials when…Lean Advantage when…
Size / complexity300–3,000 users, few sites, mainly SaaS + internet access5,000–50,000+ users, many sites, large private-app estate, multi-cloud
Security maturityEarly SSE adoption, limited SOC, want to consolidate simplyMature SOC with threat hunting, XDR/SIEM, Talos integration
ComplianceMinimal regulatory pressure, or DLP/IPS already covered elsewhereSOC 2 / ISO 27001 / HIPAA and especially finance, government, healthcare
Use casesCore secure internet + basic private accessNeed inline IPS, multimode DLP, RBI-everywhere, high-volume sandboxing
Animation 2 — Tier-selection decision flow branches to Advantage, Essentials, or Hybrid
Choose package, then choose tier Strict compliance, IPS/DLP, large/complex, or mature SOC? Yes No Lean Advantage Lean Essentials full SSE baseline Hybrid deployment Advantage for high-risk, Essentials elsewhere
One decision node folds the four dimensions (compliance, advanced controls, size/complexity, SOC maturity). "Yes" leans Advantage; "No" leans Essentials — the full SSE baseline. When risk is not uniform across users, both feed a Hybrid deployment that aligns spend with risk.

Figure 10.3: Essentials vs. Advantage tier-selection decision framework

flowchart TD START["Choose package
then choose tier"] --> Q1{"Strict compliance?
SOC 2 / ISO 27001 / HIPAA
finance / gov / healthcare"} Q1 -->|Yes| ADV["Lean Advantage"] Q1 -->|No| Q2{"Need inline IPS,
multimode DLP, or
RBI-everywhere?"} Q2 -->|Yes| ADV Q2 -->|No| Q3{"Large / complex?
5,000+ users, many sites,
large private-app estate"} Q3 -->|Yes| ADV Q3 -->|No| Q4{"Mature SOC with
threat hunting +
XDR/SIEM/Talos?"} Q4 -->|Yes| ADV Q4 -->|No| ESS["Lean Essentials
full SSE baseline"] ADV --> HYBRID{"Uniform risk
across users?"} ESS --> HYBRID HYBRID -->|No| MIX["Hybrid: Advantage for
high-risk segments,
Essentials elsewhere"] HYBRID -->|Yes| UNIFORM["Single tier for all"]

A powerful cost-control move is the hybrid tier deployment: license Advantage only for high-risk segments (finance, R&D, executives, privileged access) and Essentials for lower-risk users. This avoids an "all or nothing" budget decision and often reflects real risk distribution better than a uniform tier.

Sizing and budgeting per user — worked ROI example

Cisco's DNS-only entry point is inexpensive — often about $2–4 per user — covering all devices with no agent. Full SSE requires agents, tunnels, and higher-tier licensing but is generally cost-competitive with Zscaler and cheaper than Prisma Access. The worked example below is illustrative — replace figures with the client's real data.

Item (5,000-user enterprise)Value
Initial deployment (professional services, migration)$300,000 (one-time)
Annual Secure Access subscription$500,000
Annual hard savings (licenses + hardware + MPLS + FTE)$850,000
Annual modeled risk reduction$250,000
Annual productivity gains (already discounted)$600,000

The formulas:

Applying them: Total annual benefit = $850K + $250K + $600K = $1.7M; Annual net benefit = $1.7M − $500K = $1.2M; Payback = $300K ÷ $1.2M ≈ 0.25 years (~3 months); 3-year ROI = (($1.2M × 3) − $0.3M) ÷ $0.3M × 100 ≈ 1,100%.

Animation 3 — ROI payback: accumulating benefits cross the payback line
$ Investment → Accumulating annual net benefit ($1.2M/yr) Invest $300K ~$300K ~3 mo Yr 1 Yr 2 Yr 3 Payback line ($300K) Paid back in ~3 months
The one-time $300K investment (orange) rises first. Then accumulating annual net benefit ($1.2M/yr, green) builds bar by bar. Benefits cross the dashed payback line almost immediately — roughly three months — after which everything is return, yielding ~1,100% three-year ROI.

Figure 10.2: ROI calculation flow — from annual benefits to payback and ROI

flowchart TD HARD["Hard Savings: 850K/yr
licenses + hardware + MPLS + FTE"] RISK["Modeled Risk Reduction: 250K/yr"] PROD["Productivity Gains: 600K/yr
already discounted"] HARD --> BENEFIT["Total Annual Benefit = 1.7M"] RISK --> BENEFIT PROD --> BENEFIT SUB["Annual Subscription Cost: 500K"] BENEFIT --> NET["Annual Net Benefit = 1.7M - 500K = 1.2M"] SUB --> NET INVEST["Initial Investment: 300K one-time"] NET --> PAYBACK["Payback = 300K / 1.2M
approx 0.25 yr (~3 months)"] INVEST --> PAYBACK NET --> ROI["3-Year ROI = ((1.2M x 3) - 300K) / 300K x 100
approx 1,100%"] INVEST --> ROI

A sub-four-month payback aligns with Cisco's real LTM case study (TCO reduction at 80,000+ users in under four months). Always finish with a sensitivity analysis: show that even if productivity gains are only 50% of estimate and risk reduction is halved, the project stays ROI-positive.

Post-Reading Check — ROI and Tier Selection

1. In a TCO business case, why separate "hard" cost drivers from "soft" ones?

2. Which statement about the Essentials tier is correct?

3. Which capability is added by Advantage but NOT included in Essentials?

4. Using the worked example (Annual net benefit $1.2M, initial investment $300K), the payback period is approximately:

5. What is the "hybrid tier deployment" cost-control move?

Pre-Reading Check — Objections and Competitive Positioning

1. In the consensus competitive positioning, which vendor is described as having the "deepest, data-centric CASB/DLP"?

2. How should Cisco's Gartner Magic Quadrant position (typically Challenger/Visionary) be handled with a client?

3. A client says "We already have DLP and IPS from other vendors." What is the best response?

4. What is the unifying principle across every objection rebuttal?

5. Which is the correct structure of the five-part implementation proposal?

3. Objections and Competitive Positioning

No enterprise deal closes without competition and pushback. This section arms you with an honest competitive comparison, ready responses to the objections you will actually hear, and the structure of the proposal that turns agreement into a signature.

Key Points

Comparison with Zscaler, Netskope, Palo Alto

Credibility with a technical buyer requires honesty about where Cisco leads and where it does not.

DimensionCisco Secure AccessZscalerNetskopePalo Alto Prisma Access
PositioningIntegrated SSE, Cisco-centricBest-of-breed SSESingle-vendor SASE, data-centricNGFW-in-cloud, single-vendor SASE
ArchitectureDNS + SWG/proxy + Cloud FW + ZTNAPure cloud proxyProxy overlay, single-pass Zero Trust EngineFull L7 NGFW in cloud
PoP / coverageGlobal, density trails ZscalerBroadest PoP footprintNewEdge private backboneAWS + GCP hyperscale
CASB / DLP depthCompetent, integrated with UmbrellaStrongDeepest, data-centric ("Layer 8")Strong, NGFW-integrated
FWaaS / inspectionCloud FW + IPS (Advantage)Mature for web; weaker non-webIntegrated, basic-to-intermediateDeepest — all ports/protocols
DEMThousandEyesZDXPresent, less emphasizedADEM (full visibility)
PricingCost-competitive; ~$2–4/user DNS entryPremiumMid-to-highMost expensive, bandwidth-based
DeploymentEasiest via DNS-firstPerformant but complex steeringRich but complex policyMost complex; needs BGP/routing expertise
Best fitCisco SD-WAN/ISE/Secure Client shopsGlobal remote, multi-vendor networksData-sensitive SaaS governancePalo Alto NGFW-standardized hybrid orgs

Cisco's genuine differentiators: agentless DNS-layer entry that protects IoT and unmanaged devices in minutes at ~$2–4/user; tight integration with Cisco SD-WAN, Identity Services Engine, and Secure Client; high-performance mobile ZTNA via MASQUE/QUIC; and ThousandEyes for digital experience monitoring.

External market context — Gartner Magic Quadrant (SSE). Zscaler and Netskope are consistently Leaders, Palo Alto (Prisma Access) is also in the Leader quadrant, and Cisco typically appears as a Challenger or Visionary. This is external market context, not a supplied-source fact. The honest way to handle it: acknowledge Cisco's analyst position, then pivot to the integration, cost, and speed-to-value advantages a Cisco-centric shop realizes in practice.

Common objections and responses

Prepare rebuttals in advance. Each pairs an objection you will hear with a response grounded in the research.

ObjectionResponse
"Essentials already has SWG, CASB, ZTNA, FWaaS — why pay for Advantage?"Agree Essentials is a full baseline, not crippled. Advantage is about advanced risk/compliance: IPS for exploit blocking, multimode DLP, unlimited sandboxing, RBI-everywhere. Run a joint risk/compliance review — if existing IPS/DLP does not cover user-to-cloud traffic, Advantage fills the gap.
"We already have DLP and IPS from other vendors."Map the coverage. Data-center IPS often does not see user-to-SaaS traffic that bypasses the corporate network; endpoint/email DLP misses web/SaaS exfiltration. Advantage puts data and threat policy directly in the SSE path. If coverage is genuinely equivalent, recommend Essentials and revisit later.
"Advantage looks expensive."Frame against the separate DLP/IPS/sandboxing licenses and infrastructure it replaces, plus lower operational complexity. Use a phased/hybrid approach — Advantage for high-risk users, Essentials elsewhere — so not every user pays the premium.
"We're worried about TLS decryption and IPS latency hurting UX."Both tiers include TLS decryption managed by Cisco's cloud, and DEM/Experience Insights is included in both. Apply IPS/DLP selectively via risk-based policy. For performance-sensitive clients, baseline with Essentials + DEM, then pilot Advantage on subsets.
"We just want simple DNS security, not full SSE."Recommend DNS Defense Essentials — DNS-layer security with internet-wide visibility in minutes, any company size. Explain the growth path: start with DNS Defense, migrate to Secure Access Essentials when SWG/ZTNA needs emerge.
"Why not just do nothing / incremental upgrades?"Show that legacy VPN + MPLS + multiple point products keeps TCO high, UX poor, and risk elevated — and gets worse as users and apps become more distributed, exactly the problem the SASE/SSE architecture addresses.

The unifying principle across every rebuttal: do not oversell. When the client genuinely has equivalent coverage, recommend the lower tier and preserve your credibility. That honesty is what makes them believe you when you say they do need Advantage.

Building the implementation proposal

The proposal is where the story and the numbers become a document a client can approve. Structure it in five parts:

  1. Executive summary (one page). Current challenges, proposed solution (Secure Access SSE), and headline metrics: investment, annual benefits, payback, multi-year ROI. Cite the LTM case study as precedent.
  2. Baseline and assumptions. Document as-is costs and risks, separate hard from soft, and label customer-provided versus benchmark/modeled numbers.
  3. Financial model. A multi-year table resolving to Annual Net Benefit, Payback, and ROI %.
  4. Sensitivity analysis. Show the project stays ROI-positive under conservative assumptions.
  5. Phased deployment plan. Phase 1 — SWG + CASB + ZTNA for remote users while keeping existing VPN/MPLS; Phase 2 — retire VPN appliances, reduce MPLS, extend FWaaS and DLP coverage. Note coexistence with existing IdPs and MFA (including Cisco Duo).

Figure 10.4: Five-part proposal structure into a phased deployment

flowchart LR P1["1. Executive Summary
headline metrics"] --> P2["2. Baseline &
Assumptions"] P2 --> P3["3. Financial Model
multi-year"] P3 --> P4["4. Sensitivity
Analysis"] P4 --> P5["5. Phased
Deployment Plan"] P5 --> PH1["Phase 1: SWG + CASB + ZTNA
for remote users
keep existing VPN/MPLS"] PH1 --> PH2["Phase 2: Retire VPN appliances,
reduce MPLS, extend
FWaaS + DLP coverage"]

A phased plan is persuasive precisely because it does not demand a "big bang." It lets the client capture early wins — often DNS-layer protection that deploys in minutes — build internal confidence, and fund later phases partly from the savings of earlier ones. That is the arc of a proposal that gets signed.

Post-Reading Check — Objections and Competitive Positioning

1. In the consensus competitive positioning, which vendor is described as having the "deepest, data-centric CASB/DLP"?

2. How should Cisco's Gartner Magic Quadrant position (typically Challenger/Visionary) be handled with a client?

3. A client says "We already have DLP and IPS from other vendors." What is the best response?

4. What is the unifying principle across every objection rebuttal?

5. Which is the correct structure of the five-part implementation proposal?

Your Progress

Answer Explanations