The Total Economic Impact™ Of Zscaler Private Access (ZPA)

Cost Savings And Business Benefits Enabled By ZPA

A Forrester Total Economic Impact™ Study Commissioned By Zscaler, December 2024

With the rise of remote and hybrid work environments, organizations and their workforces need secure access to corporate applications and protection from malicious actors.¹ Companies moving from perimeter-based defenses to Zero Trust architectures can leverage Zscaler Private Access (ZPA) to replace inherently risky VPN solutions for remote access, reduce their attack surfaces, limit lateral movement, improve productivity, and optimize technology costs.

ZPA is an AI-powered, cloud-native Zero Trust Network Access (ZTNA) solution that delivers Zero Trust access to all users with direct connectivity to private applications while minimizing the attack surface by hiding apps behind the Zscaler’s Zero Trust Exchange. The solution eliminates lateral movement using AI-enabled user-to-app segmentation and protects against sophisticated attacks with integrated traffic inspection and application and data protection.

Zscaler commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying ZPA.² The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of ZPA on their organizations.

Return on investment (ROI)

289%

Net present value (NPV)

$12.17M

Reduced risk of breach

55%

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five customers with experience using ZPA. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization: a global company with revenues of $13.5 billion and 50,000 employees.

Interviewees said that prior to using ZPA, their organizations leveraged traditional VPN solutions to provide internal employees and third-party users with access to private applications and resources. These legacy VPN solutions provided poor performance and user experiences, increased attack surfaces, had limited segmentation capabilities, and were costly to own and manage. These limitations led to reduced productivity, increased risk of breach, excessive technology costs, and reduced scalability.

By replacing their legacy VPN solutions with ZPA, the interviewees’ organizations adopted a Zero Trust approach to remote access, minimizing their attack surfaces and risk of lateral movement. They also improved the performance of their remote-access infrastructure, leading to better productivity for end users and reduced costs to own and manage remote-access infrastructure. Key results from the investment include security risk mitigation, user productivity savings, operational efficiency improvements, and technology cost optimizations.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

A 55% reduction in risk of breach. The composite organization reduces its attack surface, minimizes the risk of lateral propagation, tightens overly permissive access policies, and can better inspect traffic and user device posture, reducing the risk of a data breach. Over three years, the composite organization avoids $2.4 million in annualized material breach costs.
Annual productivity savings of 15 hours per remote-access user. ZPA users at the composite experience improved performance and reduced latency, improving productivity. Each remote-access user avoids 1 minute and 45 seconds in waiting time for remote-access connectivity, equating to 15 hours over a year. For the composite organization, the value of the avoided waiting time across its user base totals $10.3 million over three years.
Up to 3,586 hours of IT effort saved. The composite organization significantly reduces management efforts associated with its remote-access infrastructure. IT resources experience time savings related to user deployment, policy management, network management, upgrades and patching, and lateral movement investigation work. Over three years, the recaptured time savings is worth $385,000 for the composite organization.
Up to $1.75 million in annual savings for VPN licensing and infrastructure costs. The composite organization avoids costs for VPN licensing, firewalls, gateways, load balancers, multiprotocol label switching (MPLS) devices, hardware lifecycle management, and supporting solutions, including IPS and DLP. Over three years, the avoided costs total $3.3 million for the composite organization.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

Improved employee experiences (EX) and customer experiences (CX). More reliable and performant access to applications improves the employee experience for both end users and IT resources while also enabling the composite organization to better serve its customers.
Merger and acquisition (M&A) readiness. With ZPA, the composite organization is better positioned to provide network access to employees involved in M&A activities, improving time to productivity and avoiding spend on additional VPN equipment.

IoT and operational technology (OT) security. ZPA enables secure and reliable access to the composite organization’s IoT and OT environments.
Strong vendor support and partnership. Zscaler maintains a strong partnership with the composite organization to ensure success with ZPA by providing responsive support and attentiveness to their needs.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Internal resource costs related to implementation and training. The composite organization incurs costs for internal implementation labor and training, totaling $88,000 over three years.
Management. Two IT resources dedicate 10% of their time to ongoing management, totaling $89,000 in labor costs over three years.
Zscaler fees. The composite organization incurs $4.9 million in licensing and professional service costs over three years.

The customer interviews and financial analysis found that a composite organization experiences benefits of $16.4 million over three years versus costs of $4.2 million, adding up to a net present value (NPV) of $12.2 million and an ROI of 289%.

“ZPA provides us with all the benefits that you get with ZTNA. With ZPA, I can sleep well at night because I’m not worried about persistent threat actors in my network. Without multifactor authentication, users really cannot get in.”

Director of security architecture and engineering, financial services

“We had tens of thousands of people using our legacy VPNs. Assuming our policies were overly permissive, that extended our network to wherever those folks were. ZPA changes that. Those connections don’t put people on the network. They have to go through Zscaler’s broker, completely removing it from the outside world.”

Director of infrastructure cybersecurity, transportation

Key Statistics

Return on investment (ROI)

289%

Benefits PV

$16.38M

Net present value (NPV)

$12.17M

Payback

<6 months

Benefits (Three-Year)

Security risk mitigation User productivity savings Operational efficiency improvement Technology cost optimization

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment ZPA.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that ZPA can have on an organization.

Due Diligence

Interviewed Zscaler stakeholders and Forrester analysts to gather data relative to ZPA.
Interviews

Interviewed five customers at organizations using ZPA to obtain data about costs, benefits, and risks.
Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by Zscaler and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in ZPA.

Zscaler reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Zscaler provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Kara Luk

Drivers leading to the ZPA investment

Interviews

Role	Industry	Region	Employees
Director of information security	Advertising	US headquarters, US operations	1,200
Director of security architecture and engineering	Financial services	US headquarters, US operations	1,600
Vice president of information security	Manufacturing	US headquarters, global operations	34,000
Technical director of information security	Transportation	US headquarters, global operations	100,000
Director of infrastructure cybersecurity	Transportation	US headquarters, global operations	103,000

Key Challenges

Before adopting ZPA, the interviewees’ organizations leveraged traditional VPN solutions to provide employees and third parties with access to private applications and resources. Their organizations had highly remote or distributed workforces requiring access to private applications, systems, and/or OT environments. The interviewees noted how their organizations struggled with common challenges, including:

Poor VPN performance. Interviewees noted that their organizations’ legacy VPN solutions backhauled traffic through corporate data centers, introducing latency that impacted user experience and productivity. Furthermore, several interviewees shared that VPN connectivity was often unstable, especially in instances of high traffic volumes. The director of security architecture and engineering at a financial services company said: “The VPN connection was flaky. Whenever a user tried to connect, it was a coin toss as to whether they were lucky [enough] to get a connection on the traditional VPN because so much traffic was hitting the box. The VPN did not have adequate capacity to even service those requests to connect. Advisors started complaining that the connections were dropping and unstable. It was a productivity issue for them that also impacted customer satisfaction.”

Similarly, the vice president of information security at a manufacturing company shared: “All of the VPN concentrators were routing traffic back through the data centers to get people to the apps they needed. Even if a user were in Europe or Asia, they would be routed back through our US data centers to get access. As a manufacturer, the performance hit was something that we couldn’t have. Milliseconds means a lot of money, so that performance impact was holding back our efficiency and productivity.”

“Performance was slow because traffic had to be routed through firewalls to the data center before users could access the applications they needed.”

Vice president of information security, manufacturing

Increased attack surfaces. Interviewees shared that their legacy VPN solutions increased their organizations’ attack surface by exposing their network environments to the internet. The legacy VPN solutions leveraged by their organizations utilized public IP addresses to provide users with access to network resources, creating an entry point for threat actors to target. The director of infrastructure cybersecurity at a transportation company said: “Our VPNs were exposed to the internet. By nature, they sit on the internet and wait for connections. This made each and every one of them available for threat actors to scan and find ways to attack.”

With this broader attack surface, VPN vulnerabilities posed a significant security threat for the interviewees’ organizations. The technical director of information security at a transportation company said: “From a security standpoint, VPNs are under attack. In the past year, there’ve been a few critical vulnerabilities that have led to other companies being compromised.”
Risk of lateral movement. Interviewees shared that their organizations’ legacy VPNs enabled limited segmentation, increasing the risk of attackers moving laterally across the network, from app to app, following compromise. The technical director of information security at a transportation company said, “For employees, we had a wide-open VPN tunnel with not a lot of segmentation and lateral movement blocking.” With an inability to enforce role-based access to specific network resources, users — regardless of their role, job function, or whether they were a third-party or an employee — were typically granted uniform access to applications within the network. The vice president of information security at a manufacturing company said: “Our vendors, suppliers, and customers had their own accounts in our identity management system and were provided with the same VPN access that employees had. If they were a bad actor, they could move laterally around the network. We couldn’t lock things down the way they needed to be locked down with the traditional VPN.”

“We were not enforcing segmentation. Once a user gained access to the network through our traditional VPN, they were on the [entire] network and could see and subsequently move laterally to pretty much anything.”

Vice president of information security, manufacturing

High cost to own and manage infrastructure. Interviewees reported high costs associated with owning and managing VPN infrastructure. The vice president of information security at a manufacturing company shared that managing multiple VPN appliances created high resource demands and noted that it often took an hour to provision and set up a new VPN user. They shared: “We had multiple physical VPN appliances spread across the globe, and each required its own configurations, rules, patches, updates, and maintenance contracts. Any changes that we wanted to implement had to be applied manually to each appliance at every location. We had between four and five people managing 13 boxes globally. In the IT world, that’s an outrageous number. At least a third or more of their time was spent managing boxes and changes when employees or customers needed anything.”

The technical director of information security at a transportation company shared: “The amount of infrastructure that it takes to run a traditional VPN in a global enterprise is expensive. We had dozens of VPN gateways in various data centers across the world. Along with the VPN gateways, we also had to install an intrusion protection system. So, you’ve got all of the licensing costs, annual maintenance, and lifecycle management costs of having to replace that gear every three to four years.”

“The traditional VPN was very expensive from an infrastructure and licensing perspective, as well as the number of support personnel that were required to keep it happy and healthy.”

Technical director of information security, transportation

Limited scalability. Interviewees highlighted that their organizations’ legacy VPN solutions were not scalable due to the manual configuration requirements associated with the VPN appliances; performance bottlenecks, especially during periods of high traffic volumes; and hardware and maintenance costs. These limitations made it difficult for the interviewees’ organizations to meet current and long-term remote-access needs for their employees, customers, and third parties while controlling costs, performance, and security. The director of infrastructure cybersecurity at a transportation company said: “Scalability is when you really start to ramp up how many users you have to support. Our legacy VPN solutions did not scale well.”

“One of our use cases for moving to Zscaler was to balance security and the user experience. With this investment, we had an opportunity to move to a better security bracket, improve the way we handle things like data loss protection, and address requirements from customers.”

Director of information security, advertising

Why Zscaler?

The interviewees’ organizations searched for a solution to address their key challenges and selected Zscaler’s ZPA solution because it offered:

A trusted solution. Interviewees shared that their organizations evaluated ZTNA solutions from several different vendors and chose ZPA because of its proven efficacy and Zscaler’s experience in the ZTNA space. Several interviewees noted that they had utilized either ZPA or other Zscaler products at a prior organization, further demonstrating the value that Zscaler and ZPA could provide their current organizations.
Global edge presence. ZPA leverages Zscaler’s global service edge presence, which comprises 160 globally distributed points of presence, to provide users with fast, direct access to applications and deliver scalability, availability, and performance for the interviewees’ organizations. They shared that this global footprint was a central factor in selecting ZPA. The director of infrastructure cybersecurity at a transportation company said, “Zscaler’s global footprint was very important to us.”
A rich feature set. Interviewees shared that ZPA offered a complete set of features to meet the needs of their organizations. For example, the director of infrastructure cybersecurity at a transportation company said, “The central management console and the fact that it supported our Windows endpoints and mobile use cases was very big for us.”

“We were finally in the market for a full-blown ZTNA remote-access solution, and of course, we evaluated ZPA. It was really a landslide in terms of the choice of technology. Granted, there was some history with them, but in our mind, nobody could compete with them in the space.”

Technical director of information security, transportation

“We did a complete analysis so that we could get a good apples-to-apples comparison across the four different vendors we evaluated. We wanted to make sure that the features, availability, and support fit the needs of our company. Zscaler had the market share, experience, number of years in the market, and hands down a much better and complete product suite than the others did.”

Director of information security, advertising

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the five customer interviews, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

Description of composite. The composite organization is a global company that generates $13.5 billion in annual revenue and has 50,000 employees.

Deployment characteristics. Before adopting ZPA, the composite organization utilized a traditional VPN solution to provide remote application access to employees and third-party users such as contractors, partners, and agencies. It initially deploys the solution to 25,000 internal users and grows the number of internal users by 5% each year of the investment. The composite organization also deploys ZPA to 1,670 users at third-party companies each year.

Key Assumptions

$13.5 billion annual revenue
50,000 employees

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Security risk mitigation	$959,957	$959,957	$959,957	$2,879,871	$2,387,271
Btr	User productivity savings	$3,950,100	$4,147,681	$4,355,042	$12,452,823	$10,290,843
Ctr	Operational efficiency improvement	$152,897	$154,957	$157,103	$464,957	$385,095
Dtr	Technology cost optimization	$1,125,000	$1,350,000	$1,575,000	$4,050,000	$3,321,751
	Total benefits (risk-adjusted)	$6,187,954	$6,612,595	$7,047,102	$19,847,651	$16,384,960

Security Risk Mitigation

Evidence and data. On average, interviewees estimated that ZPA reduced the risk of breach by 55%. Interviewees detailed several areas in which ZPA reduced risk exposure and avoided breach-related costs, including:

Reduced attack surfaces. The legacy VPN solutions used by the interviewees’ organizations created an internet-facing entry point into their network environments for cybercriminals to find and target. Interviewees reported that replacing these legacy solutions with ZPA significantly reduced their organizations’ attack surfaces by eliminating this vector, making apps invisible to the internet and preventing unauthorized users from finding and attacking them. With ZPA, users at the interviewees’ organizations established secure connections to their applications through ZPA’s service edge, removing all inbound connectivity and only allowing inside-out connections.

The director of infrastructure cybersecurity at a transportation company said: “With ZPA, our company has no endpoints exposed to the internet, so the attack surface is significantly reduced. Our VPNs were targeted hundreds of times a day from scanning on the internet, so having those things disappear from the internet is huge. Users have to go through Zscaler’s broker to access applications, so we’ve removed visibility from the outside world, which has reduced the attack surface.”

“We will no longer have to open up holes in our firewall and perimeter to enable access. We are not exposing applications or anything to the internet outside of our customer-facing technology.”

Vice president of information security, manufacturing

Restricted lateral movement. Connectivity based on least-privileged access ensured that authorized users at the interviewees’ organizations only gained access to named applications, rather than full access to the network, prohibiting lateral movement between applications or across the network.

The director of security architecture and engineering at a financial services company said, “Lateral propagation is a significant threat vector that Zscaler reduces.” The vice president of information security at a manufacturing company said: “ZPA provides Zero Trust access control. Users can only go to specific systems and are not allowed to access others. They don’t even get to see them. The access control and reduced attack surface decrease risk.”

“Our security already has been eight times better than what we were doing with a VPN.”

Director of Information security, advertising

Decreased overly permissive access. Interviewees shared that ZPA improved their organizations’ ability to enforce segmentation and policies, reducing the overly permissive application access that had been common in their prior environments.

The director of information security at an advertising company said, “The VPN would let you into the whole network segment. For example, if you’re in the finance department, you’d have access to all 256 IP addresses when you’d only need four or five shares. That’s an awful lot of network access for just the four shares that you need. What ZPA does is give you access to those specific shares. That’s it. That’s all you need, and that’s what you get. To a security person, this is very advantageous.”
Performed device posture checking and traffic inspection. Interviewees highlighted that ZPA capabilities, including device posture and traffic inspection, created an additional layer of protection. With device posture evaluation, ZPA could continuously assess the health and security status of devices attempting to access network resources. In addition, ZPA performed complete traffic inspection to minimize the threat of compromised users, active attackers, and web-based attack techniques.

The director of security architecture and engineering at a financial services company said: “Extensive device posture checking is Zero Trust. ZPA checks users’ device posture before they can log in to our network, which is a security benefit.” Similarly, the vice president of information security at a manufacturing company said: “Posture checking is a key factor. In the past with the VPN software, someone could install it on their grandma’s computer and log in. Now with the posture checking, ZPA won’t let you make a connection if you’re not on a company device. It actually validates that you’re on an approved managed device before it lets you make that connection.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior environment with VPN, the composite organization had an 89% likelihood of experiencing one or more breaches per year (held flat year over year for the purpose of this analysis).³
The mean cumulative cost of breaches in the prior environment was $4,847,000.⁴
The percentage of breaches originating from external attacks or incidents involving a third-party business partner is 68%.⁵
Forrester research indicates that 70% of external or third-party-related attacks are addressable with ZPA.
For the composite, the combined prior factors yield $2,053,383 of annualized risk.
With ZPA, the composite reduces the likelihood of breach by 55%.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The likelihood and associated costs of security breaches per year, which could change over time.
An organization’s security culture and maturity.
The extent and speed with which an organization retires legacy VPN solutions.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.4 million.

55%

Reduction in risk of breach

Security Risk Mitigation

Ref.	Metric	Source	Year 1	Year 2	Year 3
A1	Likelihood of experiencing one or more breaches per year	Forrester research	89%	89%	89%
A2	Mean cumulative cost of breaches	Forrester research	$4,847,000	$4,847,000	$4,847,000
A3	Percentage of breaches originating from external attacks or attacks/incidents involving a third-party or business partner	Forrester research	68%	68%	68%
A4	Percentage of external or third-party-related attacks addressable with ZPA	Forrester research	70%	70%	70%
A5	Annual risk exposure addressable with ZPA	A1A2A3*A4	$2,053,383	$2,053,383	$2,053,383
A6	Reduced risk of breach with ZPA	Interviews	55%	55%	55%
At	Security risk mitigation	A5*A6	$1,129,361	$1,129,361	$1,129,361
	Risk adjustment	↓15%
Atr	Security risk mitigation (risk-adjusted)		$959,957	$959,957	$959,957
Three-year total: $2,879,871		Three-year present value: $2,387,271

User Productivity Savings

Evidence and data. Interviewees reported that adopting ZPA improved the performance of their organizations’ remote-access infrastructure, enabling better productivity and user experiences compared to their legacy VPNs. On average, interviewees reported that ZPA saved each remote-access user 1 minute and 45 seconds in waiting time for remote-access connectivity. ZPA improved user productivity by:

Avoiding backhauling of traffic. The legacy VPNs used by the interviewees’ organizations backhauled all remote user traffic to corporate data centers, which were often thousands of miles away from each user, resulting in latency. With traffic routed through gateway appliances, connectivity and performance were further impacted during periods of high traffic. With ZPA, remote-access user traffic is routed through Zscaler’s secure service edge network, reducing performance impacts and improving user experiences for the interviewees’ organizations.

The director of infrastructure cybersecurity at a transportation company said: “The legacy VPNs forced all the traffic to go back to a central location before it gave access to applications. ZPA has proximity, so it sends users directly to where the application is versus going through a central point and then finding the application.”
Driving efficient connectivity with Zscaler’s service edge. ZPA leverages 160 points of presence to direct user traffic and establish connectivity for the interviewees’ organizations. This widely distributed network ensures that traffic takes the shortest and most efficient path to applications to provide fast access. Compared to the legacy VPN solutions used by the interviewees’ organizations, ZPA’s infrastructure maintains optimal performance, even during periods of high traffic.

“The performance and proximity to applications is beneficial. If you are in EMEA, you can jump onto Zscaler’s point of presence in EMEA and go to the point closest to the application. With our legacy VPN, you would have been routed to our India data center regardless of where you were in the world. The performance impact with ZPA was pretty powerful.”

Director of infrastructure cybersecurity, transportation

Reducing login frequency. The legacy VPN solutions utilized by the interviewees’ organizations before ZPA required users to log on and establish connectivity several times a day in order to access applications. With ZPA, users at the interviewees’ organizations are authenticated through their identity providers using their security assertion markup language (SAML) single sign-on (SSO) credentials. Interviewees shared that this protocol rendered ZPA in an “always-on” state, requiring users to authenticate every three to six days instead of multiple times per day with a VPN .

The director of security architecture and engineering at a financial services company explained: “ZPA is always connected. It’s always on. The moment you have authenticated, it’s basically connected. That’s one of the big benefits of ZPA and is improving user satisfaction.” Similarly, the technical director of information security at a transportation company said: “With the VPN, we were doing authentication every 4 hours. Now, we do it every three days because we’ve improved security. It's still multifactor all the time. When ZPA goes to authenticate using SAML, it will recognize the SSO token and let you go about your business. It’s saving minutes compared to the traditional VPN.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior state, each user was required to log in to the legacy VPN two times per day to access required applications.
Each VPN login took 1.75 minutes or 1 minute, 45 seconds.
The composite initially deploys ZPA to 25,000 users. The number of users grows by 5% each year of the investment, totaling 26,250 users in Year 1, 27,563 in Year 2, and 28,941 in Year 3.
With ZPA, users are authenticated through SSO, practically eliminating time spent on logins and waiting time for connectivity. By avoiding two VPN logins and the associated waiting time per day, each user saves 3.5 minutes of waiting time per day, or 15.2 hours over a 260-day working year.
The fully burdened hourly salary of a ZPA user is $44.
Each employee recaptures 25% of time savings toward productive tasks.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The number of ZPA users.
The performance of an organization’s legacy VPN solution.
The role and salary of each user.
Each user’s ability to recapture time savings toward productive activities.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $10.3 million.

1 minute, 45 seconds

Reduction in waiting time for remote-access connectivity

User Productivity Savings

Ref.	Metric	Source	Year 1	Year 2	Year 3
B1	Internal remote-access users	Composite	26,250	27,563	28,941
B2	VPN logins per day before ZPA	Interviews	2	2	2
B3	VPN waiting time per login avoided with ZPA (minutes)	Interviews	1.75	1.75	1.75
B4	Daily avoided remote-access waiting time per user with ZPA (minutes)	B2*B3	3.50	3.50	3.50
B5	Subtotal: Hours saved per user per year	B4/60*260 working days	15.20	15.20	15.20
B6	Fully burdened hourly salary of a ZPA user	Composite	$44	$44	$44
B7	Productivity recapture	Composite	25%	25%	25%
Bt	User productivity savings	B1B5B6*B7	$4,389,000	$4,608,534	$4,838,935
	Risk adjustment	↓10%
Btr	User productivity savings (risk-adjusted)		$3,950,100	$4,147,681	$4,355,042
Three-year total: $12,452,823		Three-year present value: $10,290,843

Operational Efficiency Improvement

Evidence and data. Interviewees shared that switching from legacy VPNs to ZPA significantly reduced management costs associated with their remote-access deployments. They shared that by adopting ZPA, their organizations reallocated multiple network operations or security personnel to higher-value work. Interviewees noted operational efficiency improvements in the following areas:

Faster remote-access user deployment. Several interviewees noted that ZPA simplified the process of setting up new remote-access users compared to their organizations’ legacy VPNs. They cited that deployment timelines for new users were reduced from hours to days in their prior environments down to minutes with ZPA.

The vice president of information security at a manufacturing company said: “With the original VPN, they had to be provisioned in the identity management system, put into the proper VPN group, and then the network guy had to get them the software they needed to install on their computer. It took at least an hour, whereas today, they can be up and running within 10 minutes, assuming the user’s identity is created as quickly as it’s supposed to.” Similarly, the director of infrastructure cybersecurity at a transportation company shared: “It would take hours to days to get users set up and fully connected before. Now, we can push ZPA from the central management tool at what we call the birth of the device.” The vice president of information security at a manufacturing company also highlighted improved ease of provisioning for third-party users, such as customers requiring access to private applications, explaining: “ZPA supports multiple [identity providers (IdPs)], so we can literally use the customer’s IdP to provision them. This means that we don’t have to create an account for them within our system, and I don’t have to worry if they get terminated at that company.”
Policy management time savings. Interviewees shared that ZPA reduced complexity around creating, implementing, and managing access policies across users. They said that ZPA provided a central console to view and manage policies and AI-driven recommendations around user-to-app segmentation policies to efficiently manage and tune them.

The director of infrastructure cybersecurity at a transportation company reported an estimated 1,000 hours of policy management time savings compared to the organization’s legacy VPN: “With ZPA, we have a single place to administer policies. We know what the policies are, and we can assess, maintain, monitor, and track them for compliance, so that was huge for us.” The vice president of information security at a manufacturing company said: “New users automatically get placed into default groups that determine access rights based on our policies. So we have default groups for all employees, engineers, HR, IT, etc. If you were hired on today into our organization and you’re in IT, you automatically get placed in the IT group and have instant access to 99.9% of everything you’ll ever need.”

“ZPA gives us the ability to have new users placed in the right group automatically, based on their identity, granting them instant access to their applications. This has saved us an estimated 1,000 hours in policy management compared to our legacy VPN. Plus, AI-driven recommendations help us fine-tune overly permissive policies and consolidate groups based on app usage.”

Director of infrastructure cybersecurity, transportation

Network management, upgrading, patching, and troubleshooting. Interviewees shared efficiency improvements and time savings associated with network management and ongoing management activities, including updates and troubleshooting.

The director of security architecture and engineering at a financial services company said: “Upgrades are pushed through the central console. From an engineer productivity standpoint alone, they are not looking at the ZPA console every day. It’s really hands-off in terms of managing the configurations.” The director of infrastructure cybersecurity at a transportation company shared: “We’re saving hundreds of hours on troubleshooting over a year. We have tens of thousands of users. With our legacy VPNs, we were receiving hundreds of tickets per year when users needed troubleshooting or requested access to specific systems. For the most part, all of that is gone now.” Similarly, the vice president of information security at a manufacturing company noted that the number of issue tickets significantly dropped with the adoption of ZPA due to reduced troubleshooting needs from users, improving both IT productivity and user experiences.
Lateral movement investigation work. Interviewees noted that ZPA reduced their organizations’ attack surfaces and restricted lateral movement through improved segmentation. This decreased the likelihood of threat actors gaining access to their networks through compromised endpoints and laterally extending access to other resources or applications. Interviewees shared that past incidents involving persistent threat actors typically required tens of hours of discovery, investigation, and remediation work. By adopting ZPA, the interviewees’ organizations reduced this lateral movement investigation work.

“ZPA has freed up all the people who used to be involved in managing the VPN. Now we have one person who handles it from top to bottom with daily support as needed. ZPA has allowed the networks team to focus on strategic projects as opposed to day-to-day operational work on the VPN.”

Vice president of information security, manufacturing

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite organization deploys ZPA to 1,250, 1,313, and 1,378 new internal remote-access users in Year 1, Year 2, and Year 3, respectively. It also deploys ZPA to 1,670 third-party users each year of the investment.
With the composite organization’s legacy VPN, it required 1 hour to add a new user. With ZPA, this process takes 15 minutes, effectively reducing deployment effort by 75%.
Each year, the composite organization avoids 750 hours in policy management effort; 500 hours of effort for upgrading, patching and troubleshooting work; and 50 hours of lateral threat movement investigation work.
Total IT effort saved with ZPA is 3,490, 3,537, and 3,586 hours in Year 1, Year 2, and Year 3, respectively.
The fully burdened annual cost of an IT resource is $135,000.
Seventy-five percent of IT resource time is recaptured toward productive activities.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The number of remote and third-party users added each year.
The effort required to add each user in the prior environment.
The amount of time spent configuring and enforcing policies in the prior environment, as well as policy management requirements after the adoption of ZPA.
The amount of time spent on upgrading, patching, and troubleshooting activities in the prior environment.
The frequency of security incidents involving persistent threat actors and remediation efforts in the prior environment.
The roles and fully burdened salaries of IT resources involved in the aforementioned activities.
The extent to which IT resources can recapture saved time toward productive work.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $385,000.

Operational Efficiency Improvement

Ref.	Metric	Source	Year 1	Year 2	Year 3
C1	Internal remote-access users added	Composite	1,250	1,313	1,378
C2	Third-party remote-access users added	Composite	1,670	1,670	1,670
C3	Effort to add a user with VPN (hours)	Interviews	1	1	1
C4	Effort to add a user with ZPA (hours)	Interviews	0.25	0.25	0.25
C5	Subtotal: Time saved on remote-access user deployment (hours)	(C1+C2)*(C3-C4)	2,190	2,237	2,286
C6	Policy management time savings (hours)	Interviews	750	750	750
C7	Upgrade, patching, and troubleshooting time savings (hours)	Interviews	500	500	500
C8	Avoided lateral movement investigation work (hours)	Interviews	50	50	50
C9	Subtotal: IT effort saved with ZPA (hours)	C5+C6+C7+C8	3,490	3,537	3,586
C10	Fully burdened annual cost of an IT resource	Composite	$135,000	$135,000	$135,000
C11	Productivity recapture	Composite	75%	75%	75%
Ct	Operational efficiency improvement	C9(C10/2,080)C11	$169,886	$172,174	$174,559
	Risk adjustment	↓10%
Ctr	Operational efficiency improvement (risk-adjusted)		$152,897	$154,957	$157,103
Three-year total: $464,957		Three-year present value: $385,095

Up to 3,586 hours

Annual IT effort saved with ZPA

Technology Cost Optimization

Evidence and data. Interviewees reported several millions of dollars in cost avoidances for VPN licensing, infrastructure, supporting software, and hardware lifecycle management. The savings are detailed as follows:

Eliminated VPN licensing. By retiring legacy VPN solutions, the interviewees’ organizations avoided licensing costs. For example, the director of information security at an advertising company cited avoided licensing costs of $120,000 for its retired VPN solution.
Reduced supporting infrastructure costs. The most significant area of cost savings reported by interviewees related to supporting infrastructure, including VPN gateways, load balancers, firewalls, and MPLS devices. Interviewees noted that there were additional savings related to ongoing maintenance, repairs, and updates.

The director of infrastructure cybersecurity at a transportation company said: “We’ve saved costs on what I call supporting infrastructure such as gateways, load balancing, and MPLS. We would also have consultants come in and assess the policies on the legacy VPNs, which would cost us about $50,000 a year.” The technical director of information security at another transportation company said, “There’s an annual maintenance cost with the supplier that will go away, and then there will be a cost that we would have had to incur to lifecycle-manage those every three to four years that will go away.”

“We bought the VPN boxes, of course. But then you have to buy supporting licensing for the boxes. We no longer pay the licensing costs, the hardware costs, or the intrinsic resource costs of needing to buy new hardware and taking time out to repair it or update it. All of those costs are just gone.”

Vice president of information security, manufacturing

Consolidated point solutions. Interviewees shared that their organizations decommissioned point solutions used in tandem with their legacy VPNs, driving additional cost savings. The director of information security at an advertising company shared that their organization retired a DLP solution leading to a cost reduction of $130,000 per year. Similarly, the technical director of information security at a transportation company noted that their organization retired a IPS solution that had run alongside legacy VPN concentrators.

“We saved several million dollars over a five-year period based on reducing our traditional VPN infrastructure primarily, along with the IPS, licensing, and lifecycle management of physical appliances, which we no longer have to have.”

Technical director of information security, transportation

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In Year 1, the composite organization avoids $1.25 million in costs for VPN licensing; supporting infrastructure solutions including firewall, VPN concentrators, and load balancers; and security solutions including IPS and DLP.
Avoided costs increase over time as the composite organization grows the number of remote-access users. In Years 2 and 3, annual avoided costs total $1.5 million and $1.75 million, respectively.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

The number of remote-access users.
The cost of remote-access infrastructure utilized before adopting ZPA.
The extent to which existing hardware investments can be recouped or reallocated.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.3 million.

Technology Cost Optimization

Ref.	Metric	Source	Year 1	Year 2	Year 3
D1	Avoided VPN licensing, firewall, VPN concentrator, load balancer, and IPS costs	Interviews	$1,250,000	$1,500,000	$1,750,000
Dt	Technology cost optimization	D1	$1,250,000	$1,500,000	$1,750,000
	Risk adjustment	↓10%
Dtr	Technology cost optimization (risk-adjusted)		$1,125,000	$1,350,000	$1,575,000
Three-year total: $4,050,000		Three-year present value: $3,321,751

Up to $1.75 million

Reduction in annual licensing and infrastructure costs

Unquantified Benefits

Improved employee and customer experience. Interviewees shared that ZPA improved employee and customer experience by providing more reliable and performant remote access compared to their organizations’ legacy VPNs. Interviewees noted that switching to ZPA freed up IT resources that were previously tasked with managing and configuring remote-access infrastructure to focus on higher-value strategic projects.

The vice president of information security at a manufacturing company reported a reduction in user complaints and tickets, improving the experience of both IT resources and end users: “I’m sure that employee satisfaction has improved because the number of employee complaints has dropped off. There’s basically none. The employee experience has just gotten a thousand times better.” They also shared that ZPA enabled their organization to provide customers with secure remote access to various systems, improving data sharing and the overall customer experience. The director of security architecture and engineering at a financial services company shared that the improved performance and reliability provided by ZPA reduced frustration for the organization’s advisors and enabled them to better serve customers.
M&A readiness. Several interviewees highlighted that ZPA better positioned their organizations to provide network access to employees involved in M&A activities, improving time to productivity and avoiding spend on additional VPN equipment.

The vice president of information security at a manufacturing company said: “We did an acquisition involving roughly 800 employees a handful of years back in Bulgaria. It’s not an easy place to get hardware and things like that. With ZPA, IT had them up and running on day one. I’d estimate it took us about 6 hours.” The director of infrastructure cybersecurity at a transportation company shared: “In the context of mergers and acquisitions, ZPA sets us up well for that. The playbook is there if we need it. We’re prepared to onboard a third party that we’ve purchased. We’re ready for it.”

“We like to grow organically, but also by acquisition. We can have Zscaler up and running and have an M&A piece ready in two weeks. That’s just how easy it is.”

Director of information security, advertising

IoT and OT security. The director of infrastructure cybersecurity at a transportation company noted that ZPA enabled secure access to their organization’s OT and IoT environments. They explained that ZPA created an extra level of security: “OT and IoT type devices, in some cases, are devices that can’t be patched as often as some of the more modern systems, for example. Another aspect is that some of those systems can’t run things like endpoint detection and response (EDR) at that point. The segmentation from ZPA becomes even more important in those cases.”

“Customers want access to everything. They want to see the production floor live, and we now have this ability to let them do that. We can now set up separate systems that collect and provide business data to our customers. We can give them access to those specific systems with the right access controls in place, and we can do it virtually immediately. The customers are thrilled that we can provide that access.”

Vice president of information security, manufacturing

Strong vendor support and partnership. Interviewees mentioned that Zscaler maintained a strong partnership and commitment to their organizations’ success by providing responsive support and addressing customer needs. The director of security architecture and engineering at a financial services company said, “Zscaler has the agility and nimbleness to address customer feedback.”

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement ZPA and later realize additional uses and business opportunities, including:

Scalability and business agility. With the ability to scale user counts more quickly and cost-effectively than legacy VPNs, ZPA helps the interviewees’ organizations adapt to changing business needs. For example, the director of security architecture and engineering at a financial services company shared that to meet its long-term growth objectives, the organization will need to expand its advisor base. The interviewee noted that ZPA positions their organization to do so more easily and cost-effectively compared to their prior VPN.
New features and enhancements. Zscaler continues to release enhancements and new features on ZPA, increasing potential value and return on investment for the interviewees’ organizations. The director of security architecture and engineering at a financial services company said: “One of the biggest benefits that we have started to see of late is basically Zscaler augmenting certain capabilities, including AppProtection and Deception. Deception was added to ZPA, making it fairly easy for us to integrate. From that perspective, we are seeing the benefits [of those capabilities] straightaway, which helps me as a security practitioner. We don’t have to pay for those additional capabilities, need to manage extra hardware to use them, or think about how to provision them.”
Additional value through other Zscaler products. In addition to ZPA, several of the interviewees’ organizations utilized other security service edge (SSE) solutions from Zscaler, including Zscaler Internet Access (ZIA), which provides additional security benefits related to cyber protection, data protection, Zero Trust networking, and risk management.

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1
Etr	Implementation and training	$87,958	$0	$0	$0	$87,958	$87,958
Ftr	Management	$0	$29,700	$29,700	$29,700	$89,100	$73,860
Gtr	Zscaler fees	$33,000	$1,547,885	$1,620,677	$1,697,073	$4,898,635	$4,054,607
	Total costs (risk-adjusted)	$120,958	$1,577,585	$1,650,377	$1,726,773	$5,075,693	$4,216,425

Implementation And Training

Evidence and data. The interviewees’ organizations incurred costs in the following areas:

Implementation labor. Interviewees reported initial implementation timelines ranging from weeks for smaller-scale deployments up to a year. Several internal resources were dedicated to the implementation and rollout process at varying levels of engagement including network engineers, security and infrastructure personnel, project managers, and active directory managers. Interviewees highlighted that it was easy to deploy new users after the initial implementation.
Change management. Two interviewees shared that their organizations also orchestrated communication efforts to ensure that users were aware of the switch to ZPA and provide guidance.
Training. Typically, end users at the interviewees’ organizations did not require dedicated training on ZPA. Interviewees noted that IT resources responsible for ongoing management required one to two weeks to gain familiarity with ZPA, during which they typically referenced free Zscaler Academy training resources.

“I don’t want to oversimplify it, but it really was a pretty stress-free deployment. There was not really any training involved [for users] because everything was going to be the same. They access everything the same way but through the Zscaler client instead."

Vice president of information security, manufacturing

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the initial investment of ZPA for the composite organization:

Four IT resources are dedicated to the implementation of ZPA during the initial period of the investment. Each resource dedicates an average of 300 hours to the implementation.
The fully burdened annual salary of an IT resource is $135,000.
Two IT resources dedicated to ongoing management receive training on ZPA. Each resource participates in 16 hours of training.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

Implementation requirements and complexity.
The internal resources involved in the implementation, how much time each resource dedicates, and the fully burdened salary of each resource.
Training requirements for IT resources and users.
Change management efforts.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $88,000.

Implementation And Training

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
E1	Total internal resources dedicated to implementation effort	Interviews	4
E2	Average hours of implementation effort per resources	Interviews	300
E3	Fully burdened annual salary of resources involved in implementation	Composite	$135,000
E4	Subtotal: Implementation	E1E2E3/2,080	$77,885
E5	Number of resources trained on ZPA	Interviews	2
E6	Hours of training	Interviews	16
E7	Subtotal: Training	E5E6E3/2,080	$2,077
Et	Implementation and training	E4+E7	$79,962	$0	$0	$0
	Risk adjustment	↑10%
Etr	Implementation and training (risk-adjusted)		$87,958	$0	$0	$0
Three-year total: $87,958		Three-year present value: $87,958

Management

Evidence and data. Interviewees reported minimal ongoing management requirements for ZPA. The director of security architecture and engineering at a financial services company shared that network security engineers dedicated no more than 12 hours per month to ongoing management efforts, with the primary focus being on tuning policies. The director of infrastructure cybersecurity at a transportation company shared that two resources were fully dedicated to ongoing management, with four supporting resources additionally dedicating less than 20% of their time.

“Once the policies and the connectors are configured, the amount of management overhead on our end is pretty low. That is one of the big benefits that we have with ZPA.”

Director of security architecture and engineering, financial services

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

Two network security resources dedicate 208 hours annually to maintaining ZPA.
The fully burdened annual salary of a network security resource is $135,000.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

Ongoing management requirements.
FTEs dedicated to ongoing management and their actual fully burdened salaries.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $74,000.

Management

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
F1	Resources dedicated to maintaining ZPA	Interviews		2	2	2
F2	Hours dedicated to maintaining ZPA per resources	Interviews		208	208	208
F3	Fully burdened annual salary of network security resources	Composite		$135,000	$135,000	$135,000
Ft	Management	F1F2F3/2,080		$27,000	$27,000	$27,000
	Risk adjustment	↑10%
Ftr	Management (risk-adjusted)		$0	$29,700	$29,700	$29,700
Three-year total: $89,100		Three-year present value: $73,860

Zscaler Fees

Evidence and data. The interviewees’ organizations paid fees to Zscaler that comprised implementation services and licensing costs. Licensing costs were determined based on multiple factors, including the number of users, licensing tier, enterprise discounts, and bundling with other Zscaler products. Pricing may vary. Contact Zscaler for additional details.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite organization incurs $30,000 in professional services fees from Zscaler during the initial period of the investment. It then pays $1,407,168, $1,473,343, and $1,542,794 in discounted licensing fees, in Year 1, Year 2, and Year 3, respectively.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

An organization’s use of Zscaler services and actual costs.
Licensing factors, including licensing tiers, users, discounts, and bundling.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $4.1 million.

Zscaler Fees

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
G1	Zscaler fees	Interviews	$30,000	$1,407,168	$1,473,343	$1,542,794
Gt	Zscaler fees	G1	$30,000	$1,407,168	$1,473,343	$1,542,794
	Risk adjustment	↑10%
Gtr	Zscaler fees (risk-adjusted)		$33,000	$1,547,885	$1,620,677	$1,697,073
Three-year total: $4,898,635			Three-year present value: $4,054,607

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

Cash Flow Analysis (Risk-Adjusted Estimates)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($120,958)	($1,577,585)	($1,650,377)	($1,726,773)	($5,075,693)	($4,216,425)
Total benefits	$0	$6,187,954	$6,612,595	$7,047,102	$19,847,651	$16,384,960
Net benefits	($120,958)	$4,610,369	$4,962,218	$5,320,329	$14,771,958	$12,168,535
ROI						289%
Payback						<6 months

Appendix A: Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

Total Economic Impact Approach

Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

PRESENT VALUE (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
NET PRESENT VALUE (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
RETURN ON INVESTMENT (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

APPENDIX C: ENDNOTES

¹ This information is based on content from Forrester’s The Security Service Edge Solutions Landscape, Q4 2023 report, which states: “Businesses are grudgingly accepting the new reality: Knowledge workers, by and large, prefer remote work. Many are compromising with hybrid work — a few days a week in the office and the rest at home. Some smaller organizations have doubled down on virtual work and are entirely remote. In all these cases, the workforce needs secure access to corporate applications and protection from the malicious internet.” Source: The Security Service Edge Solutions Landscape, Q4 2023.

² Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

³ This information is based on a survey of 432 global security decision-makers with network, data center, app security, or security ops responsibilities at companies with more than $1 billion in annual revenue responding to the question, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” A combined 89% of these respondents replied either “Once,” “Twice,” “3 to 5 times,” “6 to 10 times,” “11 to 25 times,” or “More than 25 times.” Source: Forrester's Security Survey, 2023.

⁴ This information is based on a survey of 350 global security decision-makers with network, data center, app security, or security ops responsibilities at companies with between $1 billion and $24.9 billion in annual revenue responding to the question: “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” The weighted average cumulative cost reported by the respondents was $4,487,000. Source: Forrester's Security Survey, 2023.

⁵ This information is based on a survey of 830 security decision-makers with network, data center, app security, or security ops responsibilities who have experienced a breach in the past 12 months at companies with $10 million or more in annual revenue. A combined 68% of respondents indicated that sensitive data was potentially compromised or breached in the past 12 months from an “External attack targeting our organization,” “External attack targeting an employee’s home/remote work environment,” or “Attack or incident involving our external ecosystem.” Source: Forrester's Security Survey, 2023.

ABOUT FORRESTER CONSULTING

Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Cookie Settings

This website uses cookies to deliver functionality and enhance your experience. GDPR requires that we obtain your consent before activating these cookies. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.

Executive Summary

Key Findings

Table Of Contents

Key Statistics

289%

$16.38M

$12.17M

<6 months

Benefits (Three-Year)

TEI Framework And Methodology

Due Diligence

Interviews

Composite Organization

Financial Model Framework

Case Study

Disclosures

The ZPA Customer Journey

Drivers leading to the ZPA investment

Interviews

Key Challenges

Why Zscaler?

Composite Organization

Key Assumptions

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Security Risk Mitigation

Security Risk Mitigation

User Productivity Savings

User Productivity Savings

Operational Efficiency Improvement

Operational Efficiency Improvement

Technology Cost Optimization

Technology Cost Optimization

Unquantified Benefits

Flexibility

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Implementation And Training

Implementation And Training

Management

Management

Zscaler Fees

Zscaler Fees

Financial Summary

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Cash Flow Analysis (Risk-Adjusted Estimates)

Appendixes

Appendix A: Total Economic Impact

Total Economic Impact Approach

PRESENT VALUE (PV)

NET PRESENT VALUE (NPV)

RETURN ON INVESTMENT (ROI)

DISCOUNT RATE

PAYBACK PERIOD

APPENDIX C: ENDNOTES

ABOUT FORRESTER CONSULTING