When should sales operations own the CRM versus IT — and what's the handoff model?

Sales operations should own the day-to-day CRM business model — process design, pipeline stages, fields, layouts, automation, reports, adoption — while IT owns the platform contract — identity, security, compliance, infrastructure, integration governance, and disaster recovery. The handoff is at the data-and-API boundary: SalesOps decides what data must exist and how it flows to drive revenue; IT decides how that data is provisioned, encrypted, audited, and connected to the rest of the enterprise.

Anything genuinely shared belongs to both, with one named human accountable in writing.

Primary references. Salesforce Well-Architected (https://architect.salesforce.com/well-architected/overview), Center of Excellence decision guide (https://architect.salesforce.com/decision-guides/coe), permission set groups (https://help.salesforce.com/s/articleView?id=sf.perm_sets_groups_overview.htm), and the Salesforce Trust site (https://trust.salesforce.com/) for compliance attestations.

NIST CSF 2.0 (https://www.nist.gov/cyberframework), ISO/IEC 27001 Annex A (https://www.iso.org/standard/27001), CIS Controls v8 (https://www.cisecurity.org/controls), and OWASP API Security Top 10 (https://owasp.org/API-Security/) cover the IT side. DAMA-DMBOK (https://www.dama.org/cpages/body-of-knowledge) supplies the data-governance vocabulary.

Gartner CRM strategy (https://www.gartner.com/en/sales/insights/crm-strategy), Forrester Wave for SFA (https://www.forrester.com/research/), and Salesforce State of Sales (https://www.salesforce.com/resources/research-reports/state-of-sales/) supply the quantified evidence: 30-40% higher three-year value retention, 8-10× deployment frequency, 3-4× more tickets per admin, and roughly half the change-failure rate in fusion-team orgs.

Platform-agnostic. Microsoft Dynamics 365 (https://learn.microsoft.com/en-us/power-platform/admin/admin-documentation) and HubSpot (https://knowledge.hubspot.com/account-security) follow the same pattern with platform-specific primitives.

Related Pulse entries: /knowledge/q14 (RevOps charter), /knowledge/q34 (RevOps tooling stack), /knowledge/q41 (Salesforce admin RACI), /knowledge/q56 (forecast cadence), /knowledge/q63 (incident response for revenue systems), /knowledge/q88 (CRM data governance), /knowledge/q119 (sandbox strategy), /knowledge/q145 (data classification), /knowledge/q172 (integration platform), /knowledge/q198 (audit-readiness), /knowledge/q207 (change management), /knowledge/q241 (vendor security review).

Bull Case

SalesOps owns the Opportunity object — stages, probabilities, required fields, validation, dashboards. IT owns the org — SSO (Okta/Entra), MFA, IP allowlists, permission set groups, sandbox refresh, DevOps Center pipeline (https://help.salesforce.com/s/articleView?id=sf.devops_center_overview.htm), backup vendor, audit log retention.

SalesOps requests a new field through the joint backlog; IT security-reviews within the week; sandbox-to-prod ships in 3-5 days with automated tests. MTTD on security regressions <24h, MTTR on compliance findings <5 days, forecast accuracy >85%, admin headcount efficient because work is correctly routed at intake.

Bear Case (three concrete failure modes)

1. SalesOps owns everything including security. Symptoms: profile sprawl, View All Data on every admin, no MFA on sandbox users, hard-coded API user, no audit log review. Outcome: SOC 2 or HIPAA findings, emergency platform lockdown freezing revenue ops for a quarter, board-level remediation. SANS guidance (https://www.sans.org/white-papers/) flags this as the most common Tier-1 finding in mid-market SaaS audits. Cost: $300K-$1.5M plus six months distraction.

1. IT owns everything including business configuration. Symptoms: six-week field tickets, parallel spreadsheets, forecast accuracy <70%, CRO loses confidence. Outcome: 12-18 month trust-rebuild, often a CRM replacement RFP costing millions that rarely solves the organizational problem. McKinsey RevOps research (https://www.mckinsey.com/capabilities/growth-marketing-and-sales/our-insights) documents this in roughly a third of mid-market deployments.

1. Split ownership with no written RACI. Concrete: a Pavilion-to-Salesforce sync drops leads Friday afternoon. SalesOps thinks IT owns it; IT thinks SalesOps owns it. Three days pass before paging; 1,200 leads stale. The CMO asks who is accountable; no documented answer exists. Outcome: handoff failure at the worst moment, plus a permanent confidence tax. Fix: name humans not roles, publish the runbook before the incident.

Risk Register (sample)

Antipatterns (detection signals)

• Shadow admin. Non-IT employee has Modify All Data; no grant record. Detect via Setup Audit Trail and quarterly profile review.
• Single API user. All integrations authenticate as one named user with static password. Detect via Login History; remediate with Connected Apps and OAuth 2.0.
• Spreadsheet-as-source-of-truth. Sales managers email weekly forecast Excels. Detect via dashboard-vs-forecast variance.
• Ticket bouncing. Same request reassigned 3+ times. Detect via routing analytics; fix the RACI not the ticket.
• Silent integration drift. Vendor-side API change breaks a sync and no one notices for weeks. Detect via synthetic monitoring + named on-call.

Regulated-industry overlays

• HIPAA. IT enforces PHI field-level encryption, BAA inventory, and Shield Platform Encryption (https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm). SalesOps tags PHI fields and limits exports.
• GxP / life sciences. IT owns Computer System Validation, change-control evidence, and 21 CFR Part 11 e-signature configuration. SalesOps owns process documentation and training records.
• FedRAMP. Use Salesforce Government Cloud; IT owns boundary attestation; SalesOps documents data-flow diagrams to support ATO.

Org-size scaling

• Under 200 employees. One SalesOps lead and one IT admin can run this with a written RACI and weekly sync. No CoE needed; the two-person fusion team is the CoE.
• 200-2000 employees. Stand up a formal CoE with a SalesOps Director, IT Platform Lead, Integration Engineer, and Security Architect. Quarterly architecture review becomes mandatory.
• 2000+ employees. Multi-region governance, business-unit subcommittees, dedicated DevOps engineer, vendor management office for integrations. Federation model: central CoE sets standards, business units operate within them.

Operator Playbook (30/60/90)

Days 1-30. One-page RACI naming humans. Integration inventory with named owners. Weekly 30-minute SalesOps/IT sync.

Days 31-60. Run Salesforce Optimizer and Security Health Check; close top ten findings jointly. Migrate profiles to permission set groups. Document change pipeline (sandbox tiers, deployment cadence, rollback).

Days 61-90. Monthly CRM health review and quarterly architecture review tied to GTM plan. Publish runbook for top-five incident classes. Measure MTTD/MTTR/deploy frequency; report quarterly to executive team.

Decision tree

1. Changes how revenue is recognized, forecasted, or reported? SalesOps leads.
2. Changes who can access what, or how data leaves the platform? IT leads.
3. Both? Joint architecture review, single named owner, written decision log.

See /knowledge/q14 and /knowledge/q88 for templates.

FAQ

Where exactly is the boundary between what SalesOps owns and what IT owns on the CRM? SalesOps owns what the CRM does for revenue: process, pipeline stages, fields, layouts, automation, reports, and adoption. IT owns how the platform runs: identity, security, compliance, infrastructure, integration governance, and disaster recovery.

The handoff sits at the data-and-API boundary, where SalesOps decides what data must exist and how it flows to drive revenue, and IT decides how it is provisioned, encrypted, audited, and connected to the enterprise.

What quantified evidence supports the fusion-team ownership model? Per Gartner, Forrester Wave for SFA, and Salesforce State of Sales, fusion-team orgs show 30-40% higher three-year value retention, 8-10x deployment frequency, 3-4x more tickets per admin, and roughly half the change-failure rate.

The Bull Case targets MTTD on security regressions under 24 hours, MTTR on compliance findings under 5 days, forecast accuracy above 85%, and sandbox-to-prod shipping in 3-5 days with automated tests.

What happens when SalesOps owns everything including security? Symptoms include profile sprawl, View All Data on every admin, no MFA on sandbox users, a hard-coded API user, and no audit-log review. The outcome is SOC 2 or HIPAA findings and an emergency platform lockdown that can freeze revenue ops for a quarter, with board-level remediation.

SANS guidance flags this as the most common Tier-1 finding in mid-market SaaS audits, costing $300K-$1.5M plus six months of distraction.

What is the failure mode when IT owns the business configuration? Symptoms are six-week field tickets, parallel spreadsheets, forecast accuracy below 70%, and a CRO who loses confidence. The outcome is a 12-18 month trust-rebuild, often a CRM-replacement RFP costing millions that rarely solves the actual organizational problem.

McKinsey RevOps research documents this in roughly a third of mid-market deployments.

Why is a written RACI naming humans, not roles, the critical fix for split ownership? The concrete failure is a Pavilion-to-Salesforce sync dropping leads on a Friday afternoon, where SalesOps thinks IT owns it and IT thinks SalesOps owns it; three days pass before anyone pages, and 1,200 leads go stale.

When the CMO asks who is accountable, no documented answer exists. The fix is to name humans rather than roles and publish the runbook before the incident, not after.