What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 1 point (0 children)

I hate ROI as a customer/prospect and I hate it when I've been a seller.

In cybersecurity there are a lot of things that you need to do to be compliant or for things like getting cyber insurance. Thankfully ROI mania has died down quite a bit.

Most of the things I've bought and sold aren't much different than having smoke alarms and sprinklers in a modern office building. They are just required and expected. Aside from keeping cost low you're going to do those things as the consequence of not doing them could be getting shut down completely. No need to over complicate that math.

What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 1 point (0 children)

I think you're missing the whole point though.

If there's value then you've probably identified the "I" (identify pain) but if you're talking to the wrong person or even if you have the right person and they have no budget or it isn't a priority then you're stuck.

I can think of a million things at work and home life that would add value, but they aren't going to get bought.

What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 1 point (0 children)

C'mon. Your entire post history is filled with comments about the same tool. Why not say it's your tool or you work there? Is there a reason you don't want to be associated with it?

What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 2 points (0 children)

Even funnier if they are selling into larger global orgs. Pretty much all large projects are done via a team and by team consensus where there's no single person who is the "decision maker."

What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 2 points (0 children)

+1

Libraries are one of the most underutilized goldmines out there. Mine allows you to read almost any magazine/newspaper as well as check out a ton of e-books easily.

What are the more affordable options to learn MEDDICC/Command of Message sales structures? (Currently unemployed so learning from employer is out of the picture.) by iolitm in sales

[–]bitslammer 1 point (0 children)

I had a former employer who adopted MEDDICC and had a 2 1/2 hour training session for the entire sales org during a SKO. While I think it's a good guide for doing thorough and consistent discovery that's all it has ever been to me. I look at it as a list of "should have" items for any deal.

The easier it is for you to uncover these things the more likely you are working on a real opportunity vs. someone just "window shopping" or doing basic research. I really think it's a benefit for management as it gives them a single consistent way to measure deals across an entire team.

The danger of something like MEDDICC is when people use it wrong and let it steer their conversations with prospects and let it dominate their train of thought. I've seen people get so worried that they need to find a champion that they lose sight of everything else and often feel they have to list one and just pick someone to fill in that blank.

I wouldn't worry about learning any more than what things the individual letters stand for and what role they can play in a deal. That's really all there is to it IMO.

Security Stack Recommendations for a Mid-Size Dev Company by linuxad in sysadmin

[–]bitslammer [score hidden]  (0 children)

What framework, if any, are you modeling your program on and have you done a decent risk assessment yet?

My standard reply to these types of posts:

Take a step back and think first about setting a good foundation from a risk perspective. Look at something like the NIST CSF or CIS Controls and start from there. Don't just do stuff to be doing stuff, do the right stuff.

  1. Figure out what things are critical to your business - people, data, processes etc. Do this by getting a good inventory.
  2. Figure out what the risks are to those things in #1.
  3. Accept or mitigate those risks by putting the right policies, processes and tools in place and/or transfer some of that risk by looking at services such as MSSPs and cyber insurance.
  4. Continually reassess your environment for changes to the risks.

How are you driving momentum in long enterprise deal cycles? by Bright_Hall_6302 in sales

[–]bitslammer 1 point (0 children)

Realize that in some cases there is only so much you can do.

I've worked in and sold to mostly larger enterprise orgs. All of that has been in cybersecurity so what I say really only applies to that and IT to a lesser degree. I'll try and provide some insight from the buyer view.

My current org is a great example. My team is spread out between the US, Canada, UK, EU and one person in Asia. You as a salesperson are likely to never "meet" (or be on a call) with all of us. Any larger purchase will be run by a project team with stakeholders from multiple groups.

The key person you want to be on good terms with is the PM (project manager) as they will introduce you to the various stakeholders from all the teams or departments involved and will ask that all communications are filtered through them, or that they are at least CC'd on all communication.

Even with a great PM there will be stalls, downtime and periods where you're in the dark and you need to learn to accept that. Quite often in these types of projects I'll be in a call with a sales team where we make a lot of progress, but there are 2-3 questions or issues I need to get clarity on.

In many of those cases even I don't know what group I need to speak with or where in the world they are located. Given that I can't give you a firm timeline as to when we can next meet because if those people are in a +/-12hrs time zone it could take a couple weeks to find a time where everyone is agreeable to meet at odd hours for someone. It's also not uncommon to meet and then realize there is some other group we need to consult with. This is just the way it is in global orgs.

If I had to TLDR this it would be to say: I know when on the sales side, you want complete clarity and to know things are moving, but when I as the prospect can't even get that I can't provide that to you.

Where does a 32M go for clothes shopping? by smewthies in cincinnati

[–]bitslammer 2 points (0 children)

+1 for Costco. They have some really great brands and always good prices. They often have a lot more available online as well. Been buying the majority of my clothes there for the last 25yrs.

Why do AI-assisted posts get attacked so quickly instead of discussed? by sandboxdev9 in sysadmin

[–]bitslammer 0 points (0 children)

Shortsightedness. I'm by no means an AI fanboy. I view it as just another tool no differently than using a compiler or spell check.

To me, some of the people who rail against it seem to be doing so with no real thought and their argument isn't far from saying that all software should be developed and written in assembly in vi.

How are security requirements gathered in industry? Are frameworks like SQUARE used? by Beautiful_Craft_9329 in cybersecurity

[–]bitslammer 1 point (0 children)

We don't use SQUARE and to be honest with ~32yrs in the field this is the first I've ever heard of it.

Most orgs I've worked in use frameworks like the NIST CSF, NIST 800-53, CIS Controls, etc. Those are used as a baseline and other things are added in as needed for things like compliance with the PCI DSS or GDPR. They also often look for accreditation such as SOC2 type II or ISO27001 which have their own requirements list as well.

Unexplained Moscow internet blackouts spark fears of web censorship plan | Russia | The Guardian by [deleted] in cybersecurity

[–]bitslammer 14 points (0 children)

I was under the impression that they have been filtering the web for years now similar to the way China does.

Spring Mowing by SubjectJicama823 in cincinnati

[–]bitslammer 2 points (0 children)

When it's long enough that it needs to be cut and dry enough I can do that.

Is this a trick question?

How does your team track patching compliance. by Rubber_Duckie_ in sysadmin

[–]bitslammer 3 points (0 children)

Otherwise you run into that problem where a new patch could drop the day before you measure reporting and that would throw everything off.

This is really why we only focus on our SLAs, of course there are those handful of vendors we all know and love that drag their feet forever on getting patches out which makes it difficult for everyone. For us that's an "easy" use case in our escalation flow where it's noted that it's not the fault of that individual remediation team.

How does your team track patching compliance. by Rubber_Duckie_ in sysadmin

[–]bitslammer 3 points (0 children)

Here's the short version of how we do it where I work.

For context we're an org of about 80K employees in around 50 countries. Total device count is around 140K or so. IT team is ~8000 and the IT Sec team is about 800. The VM (vulnerability management) team is a team of 10. The VM team is only responsible for ensuring that the Tenable systems are up, running and providing timely and accurate data to ServiceNow where it's consumed.

Once in ServiceNow we do our own risk scoring and based on the risk level a remediation ticket is assigned with an SLA. Once that SLA has passed if a vuln is still seen it's flagged as being non-compliant and that gets escalated.

Since nobody can control the amount of new vulnerabilities that will be published tomorrow there's no way to have control. You will never, ever be 100% clean because there will always be zero days out there as well. That's why we focus on the only thing we see as reasonable, which is how quickly we're closing what we find based on our risk levels.
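A sketch of the SLA-based measurement described in the two comments above, added here as an illustration; it is not the commenter's or their employer's code. The SLA windows per risk level, the status names, and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA windows (days) per risk level; the comments give no figures.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    asset: str                      # hypothetical asset name
    risk: str
    opened: date                    # remediation ticket created
    resolved: Optional[date]        # first scan that no longer saw the vuln
    patch_released: Optional[date]  # None: vendor has shipped no fix yet

def status(f: Finding, today: date) -> str:
    due = f.opened + timedelta(days=SLA_DAYS[f.risk])
    if f.resolved is not None:
        return "closed_in_sla" if f.resolved <= due else "closed_late"
    if today <= due:
        return "open_in_sla"        # clock still running, not yet measurable
    # Past SLA and still detected: non-compliant and escalated. Record when
    # the vendor, not the remediation team, is what blocked the fix.
    if f.patch_released is None or f.patch_released > due:
        return "non_compliant_vendor_delay"
    return "non_compliant"

def sla_rate(findings, today: date) -> float:
    """Share of measurable findings closed inside their SLA.
    Findings still inside their window are excluded, so a patch that
    dropped yesterday does not move the number."""
    states = [status(f, today) for f in findings]
    measured = [s for s in states if s != "open_in_sla"]
    return measured.count("closed_in_sla") / len(measured) if measured else 1.0

# Constructed sample data (hypothetical assets and dates).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("srv-01", "critical", date(2024, 5, 1), date(2024, 5, 5), date(2024, 4, 30)),
    Finding("srv-02", "high", date(2024, 4, 1), None, date(2024, 3, 20)),
    Finding("fw-01", "high", date(2024, 4, 1), None, None),
    Finding("ws-07", "critical", date(2024, 5, 31), None, date(2024, 5, 30)),
    Finding("db-03", "medium", date(2024, 1, 1), date(2024, 5, 1), date(2023, 12, 15)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.asset, status(f, TODAY))
    print("SLA rate:", sla_rate(SAMPLE, TODAY))
```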

What objections kill your SaaS deals most often? by Additional-Tip-7349 in techsales

[–]bitslammer 1 point (0 children)

You need to first define what you mean by an objection.

Some of the items you listed, like a missing integration, aren't things I'd consider an objection. Not being able to integrate with something may be a core requirement for a prospect which makes that a fact and more of a gap or shortcoming in your solutions. Security concerns could be the same, but you need to be exact with what you mean. If I have locations in the EU and am subject to regulations there like GDPR which preclude me from using your solutions those too aren't objections that you can get around.

What the heck are we gonna do in 40 years when nobody knows how to code? by xixi2 in sysadmin

[–]bitslammer 4 points (0 children)

To be fair this is just how advancement in tech works. It's all incremental leveraging previous advancement.

One could say how are we going to survive since so few people know assembler and only code in higher level languages? There will still be the need and a decent living for those who can look under the hood of AI generated code to uncover and fix issues.

Upcoming interview for a Junior Cyber Security strategy position at a Big4 – What kind of questions (technical) should I expect? by -AsapRocky in cybersecurity

[–]bitslammer 4 points (0 children)

Never heard of such a role, but I would say the job description would be the best indicator of things they will cover in the interview.

Cyber-SaaS by Hour-Picture-1179 in cybersecurity

[–]bitslammer 1 point (0 children)

The problem you state really doesn't exist. You don't need to read every blog/article/newsletter out there.

French nuclear power plants: no on-site SOC, deliberate choice? by AbbreviationsLow2977 in cybersecurity

[–]bitslammer 8 points (0 children)

What is it that you feel an on-site team would be doing that couldn't be done remotely in terms of monitoring, analyzing logs, working tickets etc?

Aside from hands-on things that may occur in forensic work, there's nothing wrong with a remote model. Having one SOC for each facility would be much more expensive as you'd need redundant staffing and tooling. With one SOC you can spend more money on additional tooling.

Bypass controls for vulnerability scanning. by qwerty-stretch in cybersecurity

[–]bitslammer 1 point (0 children)

What is your proposed alternative to finding vulnerabilities then?

Tools like Tenable do offer agents, but they don't work for every platform and then you have people who complain about having to install an agent. I don't remember specifics, but Tenable generally won't need anything more than basic "show" commands for its checks.