Building the business case to modernise your network with SASE

By Rob Graham, Head of Networks at Securecom

Author Introduction

I see many NZ IT leaders stall on network modernisation due to initial sticker shock. However, the “do nothing” cost of legacy connectivity and hardware is often the more expensive path. It is time to prove the value to Finance. Here is how to build a defensible SASE business case.

Outline

• Overcoming the initial “sticker shock” of modern platforms.
• Baselining the true cost of legacy MPLS networks.
• Quantifying savings from hardware and license consolidation.
• Understanding the three levers of SASE ROI.
• Building a three-year TCO model for finance.
• Valuing “soft” benefits like risk and productivity.
• Using contract renewals as funding triggers.
• Practical steps to start your financial analysis.

Key Takeaways

• Compare new spend against total legacy costs, not zero.
• Legacy MPLS costs increase while performance stagnates.
• Modern architectures can reduce WAN costs by 40%.
• Consolidation retires multiple overlapping security licenses.
• ROI often exceeds 100% over three years.
• Operational efficiency drives significant hidden savings.
• Payback periods are typically under 18 months.
• Timing migration with renewals unlocks immediate budget.

Introduction

Once the operational pain of an ageing Wide Area Network (WAN) and security stack becomes clear, the conversation inevitably shifts from the technical to the financial. The next question from the executive leadership team is almost always the same: “What is this going to cost, and how fast does it pay back?”

For many New Zealand IT leaders, this is where the momentum stalls. On paper, a modern architecture that combines SD-WAN with cloud-delivered security (SASE) and Zero Trust principles can look expensive at first glance. You are often moving from sweated hardware assets to new subscription-based operational expenditure models.

However, the “high sticker price” is often a fallacy based on incomplete data. When you build a rigorous business case, you are not comparing “new spend” against “nothing.” You are comparing it against the burgeoning cost of continuing with inflexible MPLS circuits, ageing hardware firewalls, legacy VPN platforms, and the operational overhead required to keep the lights on.

This article outlines how to baseline your current spend, model the financial impact of a modern architecture, and present a business case that resonates with both technology and finance leaders. 

The “Do Nothing” Cost: Baselining Your Current Spend

The first step in building a defensible ROI model is to accurately quantify the Total Cost of Ownership (TCO) of your current environment. Most organisations underestimate this because the costs are buried across different cost centres, telecommunications, hardware depreciation, software licensing, and external support.

To get a clear picture, you must audit where the money is actually going today. A comprehensive baseline includes:

• Connectivity Costs: Sum the costs of all MPLS circuits. In New Zealand, MPLS is notoriously expensive per megabit compared to business-grade fibre or internet services.
• Hardware Maintenance: Calculate the annual renewal costs for “SmartNet” style support contracts on routers, firewalls, and VPN concentrators across all branches and data centres.
• Security Subscriptions: Tally the license costs for disparate tools such as URL filtering, anti-virus, DLP (Data Loss Prevention), and separate VPN client licenses.
• Operational Load: Estimate the internal effort (FTE hours) spent on patching appliances, managing complex firewall rules, and troubleshooting routing issues.

By aggregating these figures, you often find that the “do nothing” scenario is not a flat line, it is an increasing cost curve that delivers diminishing returns in performance. 

The Three Levers of SASE ROI

When moving to a converged SASE (Secure Access Service Edge) architecture, the Return on Investment typically comes from three distinct levers. A strong business case will quantify each of these.

1. Hard Cost Reduction: The MPLS Exit

The most immediate source of funding for network modernisation is the retirement of MPLS. Independent studies and local market data suggest that migrating from traditional MPLS to SD-WAN over diverse internet links can deliver connectivity savings in the range of 20 to 40 percent.

This is not just about swapping cables; it is about architectural efficiency. Modern SD-WAN allows you to aggregate lower-cost, high-bandwidth internet links (like UFB) to create a robust enterprise network. This shift often results in a fivefold increase in available bandwidth for the same or lower monthly spend, solving user performance complaints without increasing the budget.

2. Vendor and Licence Consolidation

Over the last decade, many mid-sized organisations have succumbed to “tool sprawl”, buying a new point solution for every new threat. You might have one vendor for firewalls, another for web filtering, a third for VPNs, and a fourth for endpoint protection.

A unified SASE approach consolidates these functions into a single cloud-delivered platform. The financial argument here is powerful: you are retiring multiple overlapping hardware appliances and software subscriptions in favour of a single user-based license. This consolidation eliminates hardware refresh cycles (CapEx) and significantly reduces the administrative burden of managing multiple vendor contracts.

3. Operational Efficiency and Risk Avoidance

While “soft costs” are harder to get past a CFO, they are real. A unified platform means your team manages policy from a single dashboard rather than hopping between five different interfaces. This reduces the time to resolve incidents and deploy new sites.

Furthermore, the cost of risk must be factored in. Legacy VPNs with broad network access are a prime target for ransomware. Moving to a Zero Trust architecture significantly reduces the blast radius of a potential breach. While you may not put a specific dollar figure on “avoiding a breach” in the budget forecast, it serves as a critical qualitative factor that supports the financial model. 

Building the 3-Year Model

To win approval, you need to project these costs over a three-year horizon. A one-year view often skews the data due to implementation fees, but the medium-term view tells a compelling story of value.

Your model should present three scenarios:

1. Status Quo: Projecting the costs of MPLS renewals, hardware refreshes, and increased bandwidth requirements using current pricing.
2. Incremental Upgrades: The cost of buying faster MPLS and newer firewalls (often the most expensive option).
3. Modern Transformation: The costs of the new SASE subscription and implementation services, offset by the removal of legacy line items.

Research into SASE and cloud security platforms has shown three-year ROI figures frequently exceeding 100 percent, with payback periods often falling under 18 months. This payback is largely driven by the speed at which legacy recurring costs (MPLS and maintenance) can be turned off. 

Turning Renewals into Opportunities

The most effective way to get this business case signed off is to align it with a compelling event.

• MPLS Contract Renewal: If your telco contract is up for renewal in the next 6-12 months, this is your funding trigger. Refusing to re-sign a long-term MPLS contract releases the budget needed to fund the SD-WAN transition.
• Hardware Refresh: If your branch firewalls or head office concentrators are approaching End of Life, the capital budget earmarked for their replacement can be redirected into the implementation of a cloud-native solution.

By using these existing budget allocations, you frame the project not as “new money,” but as a smarter reallocation of “existing money.” 

Conclusion

Modernising your network is an investment, but staying on legacy infrastructure is a tax on your business’s agility and bottom line. By rigorously baselining your current costs and modeling the savings from connectivity and consolidation, you can build a business case that proves better security and performance is actually the fiscally responsible choice. 

Next Steps

Ready to start building your own business case? Start by gathering the data that will form the foundation of your ROI model.

Run a quick internal audit:

• Collect 12 months of invoices for MPLS, internet circuits, and 4G/5G backups for all sites.
• List all security appliances currently in use, including their annual support contract costs.
• Identify expiry dates for your current telco and software contracts to find your “funding trigger”.
• Estimate the hours your team spends weekly on firewall rules, VPN troubleshooting, and patch management.

Once you have this data, you can begin to map out a “Do Nothing” vs. “Transform” financial comparison. If you require assistance interpreting these numbers or validating the current market rates for connectivity and security, consider reaching out to a specialist partner who can help model these scenarios for you.

TotalNET Zero Trust Blog Series

Are you ready to simplify and secure your network for AI, cloud and hybrid work?

1. Is your network holding the business back from AI, Cloud and Hybrid Work?
2. Building the business case to modernise your network with SASE
3. Evaluating modern network and security options without getting lost in SASE hype
4. How to de-risk your SASE decision with one accountable NZ provider
5. Beyond SASE Go-Live: Operating and Optimising a Modern, Secure Network in the AI Era

About the Author:

Rob Graham – Head of Networks, Securecom

Bringing 20 years of experience in the New Zealand telecommunications industry. Specialising in leadership, architecture, and operations, Rob is passionate about innovative network deliveries and obsessed with customer experience. He helps Kiwi businesses navigate the shift to modern, resilient connectivity solutions.

Email: rob.graham@securecom.co.nz