Why Your Chief Revenue Officer Is Your Most Important Compliance Stakeholder

Rick Orloff is a Fortune 1000 CISO and Strategic Advisor at A-LIGN, with over 20 years of experience at companies including Apple and eBay. 

For most of my career, the assumption has been that compliance lives inside the security organization, gets owned by the GRC team, and gets funded out of the security budget. The rest of the business consumes the outcome.  

But I believe every compliance certification is a revenue decision. That means your most important compliance stakeholder isn’t your CFO, your board, your engineering team, or your auditor. It’s your Chief Revenue Officer.

If Sales can’t convert a certification to market share, it’s not worth pursuing

When I’m deciding whether to pursue a new certification, the first conversation I have is with the head of sales. Why? Because if I got alignment from every executive in the company and sales said there was no value, we wouldn’t waste our resources. 

That isn’t a slight to anyone else’s role. Privacy, legal, engineering, and finance all have a stake. But they are recommenders. The certification either does or doesn’t help convert pipeline, and the only person who can answer that question is the person who owns the revenue number. 

The conversation I want to have is two questions long: 

  • If we got this certification, would it help you close more deals or protect our market share? 
  • If yes, can you put a number on it? 

If sales tells me a new certification is worth $10M in ARR, the rest of the budget conversation becomes simple math.

Two metrics nobody tracks well 

The hard part of that conversation is that most sales organizations don’t have great data on the impact of compliance certifications. Two metrics matter, and almost no one tracks both. 

The first is deals you lost because you didn’t have a specific certification. That one is at least within reach. Your account executives know which deals fell apart and why. Tracking this helps drive a Return on Investment (ROI) justification to support sales with additional certifications. This should be a ‘required’ field in CRMs.

The second is harder. It’s the deals that never came to the table because you didn’t have the certification. Your AE never saw the opportunity. The prospect’s procurement filter screened you out before anyone made a call. You will never see those names in your pipeline, but they are real, and over time they add up to more lost revenue than the deals you watched die. 

The leaders I’ve worked with who handle this best build a lightweight discipline into their RevOps practice. They tag lost deals with the missing certification. They survey their AEs quarterly about which certifications prospects are asking for. They look at win rates against competitors who have certifications they don’t. Imperfect data beats no data, and any actionable data you can put in front of your CRO beats a hypothetical guess.

The budget math gets easier when sales is your advocate 

Once your CRO has a number, the rest of the path is straightforward. 

If a new certification costs $100K and sales says it will generate $10M in ARR, that’s the end of the conversation as far as I’m concerned. I’m putting it in my budget. 

If I don’t have the budget, I’m going to finance and the CFO and bringing my CRO into that conversation. The justification isn’t “the security team wants this.” The justification is “your sales organization thinks this is worth $10M, and the cost of getting there is $100K.” That conversation lands differently than a typical security budget ask, because it has been reframed as a revenue investment with a security team executing it. 

And here’s the part that surprises people: in a healthy organization, you may not need a new budget ask at all. If you’ve already rationalized your audit portfolio, consolidated frameworks under one provider, freed up engineering hours, and cut redundant evidence collection, you’ve probably freed up the dollars to self-fund the new certification. That’s what we did in my prior role. The savings from consolidation paid for the next two certifications. No incremental budget required.

Handling the “Compliance is theater” objection 

If you spend any time around founders or senior engineers, you’ll hear some version of this take: compliance certifications aren’t real security; they’re theater. 

A SOC 2 report isn’t a substitute for an actual security program. A certification doesn’t make you fully secure. The people who think it does are kidding themselves.

But here’s the part the theater argument misses: the certification isn’t for your security program. It’s for your customer. It exists so the buyer on the other side of the deal can perform their due diligence efficiently and your AE can advance the pipeline. The certification is a procurement artifact that pays for itself in cycle time and deal velocity. 

When an engineer tells me compliance is theater, I don’t argue. I explain that without certifications, every customer would effectively be asking to perform their own audit, speak with stakeholders, and impact a large number of people. Having a trusted third-party auditor certify us against a common control framework is incredibly efficient for all of us. That framing puts compliance in its right context: necessary, valuable, and not the same thing as security.

Five questions to bring to your next CRO conversation 

The right place to start is with your CRO. Here are five questions I’d recommend before kicking off a new audit: 

  • Which certifications are prospects asking for that we don’t have today? 
  • Of the deals we’ve lost in the last twelve months, how many cited a missing certification? 
  • Among the certifications on our roadmap, which would move the most pipeline? 
  • Do you have regulatory blockers to your market? 
  • Are there geographic or vertical-specific certifications that would open markets we aren’t competing in today? 

Those five questions reframe the audit conversation from a compliance exercise into a growth conversation. They also give your CRO a reason to be in the room when the project is being approved. Security should help drive top-line revenue, not just protect bottom-line costs.

The takeaway 

The security leaders who operate most effectively treat compliance as a revenue function. When you treat it that way, things change. The conversation with the C-suite becomes substantive, and you’re seen as a stakeholder to the entire business. The conversation with your CFO becomes a revenue conversation, not a cost conversation. The conversation with engineering becomes a “we’re doing this to help close deals” conversation, which is a much more durable motivator than “we’re doing this because the auditor asked.” And your own work as a security leader becomes more strategic, because you’re now operating at the intersection of risk and revenue rather than as a cost center. 

The test is simple: are you a transactional security leader or strategically aligned with what’s around the corner? A transactional CISO produces audit reports. A strategically aligned CISO produces revenue. Both jobs are real. One is more interesting, and a lot more valuable. 

Ready to align your compliance program with revenue? 

Talk to A-LIGN about how a consolidated, multi-framework audit program can drive both pipeline and ROI for your organization.