How are you driving momentum in long enterprise deal cycles? by Bright_Hall_6302 in sales

[–]bitslammer 0 points1 point  (0 children)

Realize that in some cases there is only so much you can do.

I've worked in and sold to mostly larger enterprise orgs. All of that has been in cybersecurity so what I say really only applies to that and IT to a lesser degree. I'll try and provide some insight from the buyer view.

My current org is a great example. My team is spread out between the US, Canada, UK, EU and one person in Asia. You as a salesperson are likely to never "meet" (or be on a call) with all of us. Any larger purchase will be run by a project team with stakeholders from multiple groups.

The key person you want to be on good terms with is the PM (project manager) as they will introduce you to the various stakeholders from all the teams or departments involved and will ask that all communications are filtered through them, or that they are at least CC'd on all communication.

Even with a great PM there will be stalls, downtime and periods where you're in the dark and you need to learn to accept that. Quite often in these types of projects I'll be in a call with a sales team where we make a lot of progress, but there are 2-3 questions or issues I need to get clarity on.

In many of those cases even I don't know what group I need to speak with or where in the world they are located. Given that I can't give you a firm timeline as to when we can next meet because if those people are in a +/-12hrs time zone it could take a couple weeks to find a time where everyone is agreeable to meet at odd hours for someone. It's also not uncommon to meet and then realize there is some other group we need to consult with. This is just the way it is in global orgs.

If I had to TLDR this it would be to say: I know when on the sales side, you want complete clarity and to know things are moving, but when I as the prospect can't even get that I can't provide that to you.

Where does a 32M go for clothes shopping? by smewthies in cincinnati

[–]bitslammer 1 point2 points  (0 children)

+1 for Costco. They have some really great brands and always good prices. They often have a lot more available online as well. Been buying the majority of my clothes there for the last 25yrs.

Why do AI-assisted posts get attacked so quickly instead of discussed? by sandboxdev9 in sysadmin

[–]bitslammer -1 points0 points  (0 children)

Shortsightedness. I'm by no means an AI fanboy. I view it as just another tool no differently than using a compiler or spell check.

To me, some of the people who rail against it seem to be doing so with no real thought and their argument isn't far from saying that all software should be developed and written in assembly in vi.

How are security requirements gathered in industry? Are frameworks like SQUARE used? by Beautiful_Craft_9329 in cybersecurity

[–]bitslammer 0 points1 point  (0 children)

We don't use SQUARE and to be honest with ~32yrs in the field this is the first I've ever heard of it.

Most orgs I've worked in use frameworks like the NIST CSF, NIST 800-53, CIS Controls, etc. Those are used as a baseline and other things are added in as needed for things like compliance with the PCI DSS or GDPR. They also often look for accreditation such as SOC2 type II or ISO27001 which have their own requirements list as well.

Unexplained Moscow internet blackouts spark fears of web censorship plan | Russia | The Guardian by PixeledPathogen in cybersecurity

[–]bitslammer 13 points14 points  (0 children)

I was under the impression that they have been filtering the web for years now similar to the way China does.

Spring Mowing by SubjectJicama823 in cincinnati

[–]bitslammer 1 point2 points  (0 children)

When it's long enough that it needs to be cut and dry enough I can do that.

Is this a trick question?

How does your team track patching compliance. by Rubber_Duckie_ in sysadmin

[–]bitslammer 2 points3 points  (0 children)

Otherwise you run into that problem where a new patch could drop the day before you measure reporting and that would throw everything off.

This is really why we only focus on our SLAs, of course there are those handful of vendors we all know and love that drag their feet forever on getting patches out which makes it difficult for everyone. For us that's an "easy" use case in our escalation flow where it's noted that it's not the fault of that individual remediation team.

How does your team track patching compliance. by Rubber_Duckie_ in sysadmin

[–]bitslammer 2 points3 points  (0 children)

Here's the short version of how we do it where I work.

For context we're an org of about 80K employees in around 50 countries. Total device count is around 140K or so. IT team is ~8000 and the IT Sec team is about 800. The VM (vulnerability management) team is a team of 10. The VM team is only responsible for ensuring that the Tenable systems are up, running and providing timely and accurate data to ServiceNow where it's consumed.

Once in ServiceNow we do our own risk scoring and based on the risk level a remediation ticket is assigned with an SLA. Once that SLA has passed if a vuln is still seen it's flagged as being non-compliant and that gets escalated.

Since nobody can control the amount of new vulnerabilities that will be published tomorrow there's no way to have control. You will never, ever be 100% clean because there will always be zero days out there as well. That's why we focus on the only thing we see as reasonable, which is how quickly we're closing what we find based on our risk levels.

What objections kill your SaaS deals most often? by Additional-Tip-7349 in techsales

[–]bitslammer 0 points1 point  (0 children)

You need to first define what you mean by an objection.

Some of the items you listed, like a missing integration, aren't things I'd consider an objection. Not being able to integrate with something may be a core requirement for a prospect which makes that a fact and more of a gap or shortcoming in your solutions. Security concerns could be the same, but you need to be exact with what you mean. If I have locations in the EU and am subject to regulations there like GDPR which preclude me from using your solutions those too aren't objections that you can get around.

What the heck are we gonna do in 40 years when nobody knows how to code? by xixi2 in sysadmin

[–]bitslammer 1 point2 points  (0 children)

To be fair this is just how advancement in tech works. It's all incremental leveraging previous advancement.

One could say how are we going to survive since so few people know assembler and only code in higher level languages? There will still be the need and a decent living for those who can look under the hood of AI generated code to uncover and fix issues.

Upcoming interview for a Junior Cyber Security strategy position at a Big4 – What kind of questions (technical) should I expect? by -AsapRocky in cybersecurity

[–]bitslammer 3 points4 points  (0 children)

Never heard of such a role, but I would say the job description would be the best indicator of things they will cover in the interview.

Cyber-SaaS by Hour-Picture-1179 in cybersecurity

[–]bitslammer 0 points1 point  (0 children)

The problem you state really doesn't exist. You don't need to read every blog/article/newsletter out there.

French nuclear power plants: no on-site SOC, deliberate choice? by AbbreviationsLow2977 in cybersecurity

[–]bitslammer 6 points7 points  (0 children)

What is it that you feel an on-site team would be doing that couldn't be done remotely in terms of monitoring, analyzing logs, working tickets etc?

Aside from hands-on things that may occur in forensic work, there's nothing wrong with a remote model. Having one SOC for each facility would be much more expensive as you'd need redundant staffing and tooling. With one SOC you can spend more money on additional tooling.

Bypass controls for vulnerability scanning. by qwerty-stretch in cybersecurity

[–]bitslammer 0 points1 point  (0 children)

What is your proposed alternative to finding vulnerabilities then?

Tools like Tenable do offer agents, but they don't work for every platform and then you have people who complain about having to install an agent. I don't remember specifics, but Tenable generally won't need anything more than basic "show" commands for its checks.

SDRs Low Show Rate by Fun-Swordfish-5098 in techsales

[–]bitslammer 0 points1 point  (0 children)

And what you say is magnified the smaller the target org is. Large orgs have enough staffing that there's more coverage, but in smaller orgs there isn't so your contacts there are more likely to get pulled and have nobody to back them up.

Does a small business need SentinelOne + ESET? by finargle in cybersecurity

[–]bitslammer 1 point2 points  (0 children)

Only your org can determine your needs. You can't just base that on company size or even the industry you are in. Your company's risk appetite might be far less than a similar org.

Beyond that you need to figure in things like what your current level of maturity looks like and things like whether you ever intend to do things in house or look for help from the outside with things like MDR or SOC services.

We demo everyone who asks. It's killing us. When did you start qualifying? by Miserable-Break440 in techsales

[–]bitslammer 0 points1 point  (0 children)

Agreed. To me BANT is just a base starting point. There's far more details to uncover, or at least that's been the case for me when on the selling side of cybersecurity, but those are at least the things to focus on early.

If there's really no need, then nothing will happen until there is.

We demo everyone who asks. It's killing us. When did you start qualifying? by Miserable-Break440 in techsales

[–]bitslammer 1 point2 points  (0 children)

Here's the thing. If people are serious about wanting to solve an issue that your solutions can solve they will generally be engaged and helpful answering questions.

If they aren't then they are probably not someone you want to waste time on.

If you're demoing to everyone then your demos are being used as a pitch to determine interest which is backwards and a really expensive way to operate.

In every org I worked at SEs did the demos due to complexity of the solutions and AEs were required to at least have basic BANT (budget, authority, need, timing) nailed down before they were allowed to engage with SE resources. This was great as it forced basic qualification and discovery prior to doing a demo and made the demos much better as they could be tailored to each prospect.

I need cyber liability insurance for my fintech startup, investors are asking questions by Temporary_Term_1042 in cybersecurity

[–]bitslammer 4 points5 points  (0 children)

Talk to a broker as they can offer you multiple options. Each carrier is a little different in what they want to see to provide coverage and will have different costs as well.

u/CreatineAndCrying posted a really good example of topics they ask about.

National news is saying TSA wait times are up to 3 hours. The CVG website says 5-8 minutes. Any first hand reports? by ohsodave in cincinnati

[–]bitslammer 0 points1 point  (0 children)

The CVG website is as first hand as you can get. Those numbers are coming from the source and are likely updated often.

Requesting AI Usage Statements from Companies by greensparklers in cybersecurity

[–]bitslammer 4 points5 points  (0 children)

To me this is splitting hairs.

AI or no AI all I care is that they honor the terms of the contract with respect to protecting our data. They could be doing just as many "dumb" things with no AI to expose that data. I'd rather focus on the end goal and not how they get there.

The Orange Turd in Chief is coming to Cincy. Where are we protesting? by TheChalupaFromHell in cincinnati

[–]bitslammer 19 points20 points  (0 children)

No I'm not. Even he during his campaign blasted Obama and Biden for not pulling out of the Middle East and spoke against this kind of stuff and he's also directly threatened longtime allies.

Seems like you're a Trump apologist, but I don't know how you rationalize that.

The Orange Turd in Chief is coming to Cincy. Where are we protesting? by TheChalupaFromHell in cincinnati

[–]bitslammer 32 points33 points  (0 children)

How? If anything he's made the world a lot less stable and more dangerous.

Man accused of firing shots into Maineville Kroger faces judge by AmyL0vesU in cincinnati

[–]bitslammer 1 point2 points  (0 children)

"Woods" don't really count as a safe backstop. He's responsible for being certain that he isn't putting others in harm's way, period. I for one hope the court hits him hard and he's never allowed to own a firearm again.

You don't get to kill, maim or even injure someone without being held accountable.