Security teams have traditionally measured success by speed. How quickly did we return the security questionnaire? How many hours did we save this month? 

Those numbers are useful, but they only tell part of the story. 

At high-growth companies, Infosec and GRC teams need to look beyond time saved. They're shifting focus to bigger questions. How is security affecting the company’s ability to grow? How do we tie our impact to revenue?

Let’s use Zapier as an example. 

Zapier is one of the largest automation platforms in the world, serving 3.4 million customers including companies like Calendly, Zendesk, Lyft, and Dropbox.

While their enterprise pipeline was growing fast, their three-person GRC team was drowning. Manually answering security questionnaires was eating up 60% of their day-to-day and despite their best efforts, important deals were stalling at the security review stage.

The GRC team had become the "revenue cap" for the enterprise sales team.

Six months later, and they’ve automated most of the process. After rebuilding their security review system, the math changed entirely:

  • 75% less time spent on questionnaires
  • 3x increase in reviews completed
  • ~1.5 FTE capacity created without growing the team

Here’s a simple framework you can use to measure security’s impact and build a stronger case for automation.

“Revenue Capacity” and the Three Numbers That Matter

Most teams calculate “time saved" when reporting on how they've automated customer security reviews and answering security questionnaires. This is fine, but incomplete. If you want leadership to pay attention, you need to measure revenue capacity.

Here’s a practical way to identify and quantify the shift away from manual work and how that can impact the business:

1. Time Cost Reduced & Cost

Security professionals are highly-skilled and often highly compensated. Relegating them to copy-paste work minimizes their impact (and likely, engagement).

Start by measuring your team’s time spent on reactive questionnaire work.

Multiply that delta by the hourly cost of the team. That gives you the labor efficiency gained by reducing reactive work.

 At Zapier, review work dropped from 50-60% of the team’s time to 10-15%.

Calculation: [(Hours per questionnaire) × (Questionnaires per month)] divided by (Total team capacity - # of hours/mo) × (Hourly rate of GRC staff)

2. The Revenue Cap (Throughput Constraint)

This matters most at the executive level. When review demand exceeds review capacity, deals wait and the gap between the two creates a constraint on how much enterprise revenue can move forward. 

Before automating their customer security review work, Zapier's GRC team could only process 5 questionnaires a month. If Sales brought in eight enterprise deals, three would sit in a queue. Enterprise expansion was hamstrung by GRC's bandwidth, not Sales throughput.

Multiply constrained volume by average deal size to measure the revenue constraint. That’s the cap.

Now Zapier’s team handles 3x the volume of questionnaires.

Calculation:  (Review Demand - # deals a month that require a security review) - (# Reviews Completed) x (Average Contract Value) = Stalled Revenue ($)

3. Capacity Created

Beyond throughput and efficiency, Zapier also recovered bandwidth stuck in low-leverage work.

With automation, 80% of security questions are resolved without GRC’s involvement. Zapier reclaimed roughly 1.5 employees’ worth of bandwidth without additional headcount. That's time back for new programs, certifications, and creating proactive security content.

Strategic trust-building work like that compounds into more time back on future questionnaires.

Calculation:  Review Time Reduction x Team Size

How to report on the impact of automating customer security reviews

Efficiency alone doesn’t impress the Board. Revenue impact does. When review throughput increases, revenue delay shrinks and more enterprise deals can move through security each month.

That’s how operational efficiency turns into measurable growth impact.

The Simple Reporting Framework

To better report on the impact your infosec/GRC team has made by automating the customer security review and questionnaire workflow, use this framework:

 Time Cost Reduced + Throughput Gained + Capacity Created


Time Cost captures efficiency. Throughput captures new revenue opportunities. Capacity captures bandwidth and leverage.

Together, they show how security is accelerating growth and enabling sales to move faster.

Start Measuring Growth, Not Activity

Customer trust either scales with your business or caps it. As Annie Stankiewicz, Zapier’s GRC Program Manager, puts it:

"We’ve shifted from chasing questionnaires to running a scalable, automated trust program that keeps up with growth."

If your team measures success by how busy they are, you’re measuring the wrong thing. The real metric is whether your trust program clears the path for revenue.

What's next?

Does your current process cap your revenue?

If so, check out Conveyor's Security Questionnaire Automation and Agentic Trust Center solutions to automate your work and deliver more impact to your org.