5 Mistakes You’re Making In Your QBRs (Quarterly Business Reviews)

A compelling Quarterly Business Review (QBR) can instill trust and confidence in the people, processes, and technology that encompass your cybersecurity solution and managed service. As the name implies, a QBR is a point-in-time conversation that covers managed services results for the last quarter. It sets a positive tone for the future relationship. However, a QBR that is overly tactical or technical can relegate you to be seen as simply a product vendor instead of a trusted strategic advisor with solutions that help clients grow revenue and retain customers.

QBRs have a variety of formats from crisp online sessions to face-to-face strategic reviews led by executive teams. Agenda topics for the checkpoint review could include a security assessment, recap of security incidents and remediation recommendations, future roadmap discussions, and insight on client business and technical goals. However, an informal survey highlights that over 50% of Managed Security Service Providers (MSSPs) today do not have formal client QBRs, even though it is a best practice and relatively easy way to demonstrate your added value.

With so much on the line, avoid these five mistakes regarding QBRs:

  1. Not leveraging security frameworks and industry practices.
    It can be a challenge to understand, manage, and reduce cybersecurity risk for you as well as your clients. For example, the NIST Cybersecurity Framework (CSF) is a flexible approach that establishes a common language for government and enterprise alike. Although it is not a required mandate, thousands of organizations of all sizes have adopted its five core functions: Identify, Protect, Detect, Respond, and Recover. The framework helps you determine which security controls are most important to assure critical operations and resiliency. CSF coverage was enhanced in 2019 for supply chain risk management. Use the framework to communicate a current and desired cybersecurity posture for your clients.
  2. Lack of balance across strategic and tactical content.
    Review any action items or internal recommendations from the previous QBR at least two weeks before the upcoming review. Start a new fiscal year off on the right foot by gathering insights into your client’s goals and objectives. Use the audit meeting to ask open-ended questions on topics such as strategic alliances or geographic expansion that may impact cybersecurity plans and compliance mandates. One tip is to directly ask clients what is working and what can be improved.
    QBR audiences may vary, so content should cover current operations and metrics for more hands-on decision makers as well as risk management topics for executives. Issues that are too focused on day-to-day operations will fail to attract executive attendees, while future-oriented topics and plans may not resonate with IT administrators and hands-on users. One consistent meeting theme: provide an assessment of the client’s current cybersecurity posture and offer areas for improvement in non-technical terms.
    Outline continuous improvement to date and provide valuable recommendations from your team: Security Operations Center (SOC) analysts, customer success leaders, and your executives who face the same challenges as the client. Be sure to document the review to share with those unable to attend and outline trends over time. Even though they are called quarterly reviews, the timing may be less frequent for smaller clients and more often for larger, more strategic organizations.
  3. Overlooking opportunities to reinforce the purchase decision.
    It is crucial to recap your organization’s differentiation, show that you listened to the client’s challenges, and detail how you solve IT and security problems. Don’t assume that your competition is standing still or ignoring an opportunity to overturn the purchase decision. The QBR is beyond onboarding, drilling down on support tickets, or a sales presentation disguised as a review, although it will likely result in upsell opportunities.
    Your QBRs should involve the same buying committee members who participated in the purchase decision. Share a heartfelt thank you in the review for the opportunity and trust placed in your organization. When it feels appropriate, ask for client introductions to their peers and supply chain partners.
  4. Not linking security outcomes to organizational growth and expansion.
    Tailor the QBR to each client’s unique objectives. Help customers make better cybersecurity decisions faster by putting data in the hands of cross-functional teams. Avoid the temptation to get too technical or provide reams of data instead of trends and the big picture. Make a clear connection between their business success and their IT security success. Share ways for clients to get more out of the existing solution and investment by pointing out unused features, opportunities for webinars and online training, or adopting future product releases that will save time and money.
  5. Focusing on the past rather than the future.
    A well-orchestrated QBR is an opportunity to demonstrate your contribution, reinforce the selection decision, and pave the way for further engagement. Some organizations create a SWOT assessment of a client’s strengths, weaknesses, opportunities, and threats customized to their industry, cybersecurity maturity, security operations, and goals. Another approach is to build in strategy that involves presenting a high-level product roadmap at the QBR. It shows your continued portfolio investment, highlights how external feedback is collected, and enables clients to plan for future updates and technical changes. Use this checkpoint meeting to solicit input and buy-in that can help you garner internal funding and resources for product and process enhancements. You can also point happy clients to peer review sites like G2 and IT Central Station where they can share feedback that benefits other small-to-medium-sized businesses (SMBs) with security and IT selection decisions.
QBRs are capstone events that reinforce your strategic role and business value as an MSSP and create a two-way dialogue that develops “customer stickiness” and loyalty. First and foremost, don’t skip these critical reviews with key clients. Do your homework, be consistent, and provide recommendations and insights. A poorly-planned QBR may undermine the purchase decision and leave clients wondering whether the investment was well made. Best practices for QBRs include:

  • Cover agenda topics that are both strategic and tactical to engage with cross-functional stakeholders.
  • Outline how your clients can leverage industry best practices such as the NIST Cybersecurity Framework to understand and manage risk.
  • Provide informative use cases about security incidents or vulnerabilities that you detected for this specific client or others that you serve.
  • Listen to your clients and make an action plan to address their feedback.

Netsurion delivers advanced threat protection and compliance benefits in a variety of deployment options.

Blog courtesy of Netsurion, which offers the EventTracker security platform.