Consistent and Secure Network Updates Made Practical

Abstract

Software-defined wide area networking (SD-WAN) enables dynamic network policy control over a large distributed network via network updates. To be practical, network updates must be both consistent, i.e., free of transient errors caused by updates to multiple switches, and secure, i.e., free of errors caused by faulty or malicious members of the control plane. Moreover, these properties must impose minimal overhead on controllers and switches. We present Cicero: a ConsIstent seCurE pRactical cOntroller for SD-WAN updates. Consistency is provided through a novel update scheduler in conjunction with a distributed transactional protocol, while security is preserved by replicating the control plane and authenticating updates with an adaptive threshold cryptographic scheme. We ensure practicality by providing a mechanism for scalability through the definition of independent network domains and by exploiting parallelism of network updates both within and across domains. Extensive experiments show that Cicero imposes minimal switch burden and scales to large networks running multiple network applications, all requiring concurrent network updates, imposing at worst a 16% overhead on short-lived flow completion and negligible overhead on anticipated normal workloads.

Publication
21st ACM/IFIP International Middleware Conference