---
id: "action-evaluate-cyber-executives"
type: "action-item"
source_timestamps: ["§ What boards should do:"]
tags: ["executive-oversight", "incident-response"]
related: ["framework-board-cyber-engagement", "question-executive-evaluation-metrics"]
action: "Assess cybersecurity leadership capability through real crises or simulated cyber incident exercises."
outcome: "Identification of effective vs. ineffective cybersecurity executives, leading to stronger leadership."
speakers: ["Jeffrey Proudfoot", "Stuart Madnick"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Evaluate Cyber Executives Under Pressure

## Action

Assess cybersecurity leadership capability through **real crises or simulated cyber incident exercises**.

## Detail

Boards should treat actual cyber incidents — or simulated **cyber fire drills** — as invaluable opportunities to observe how cybersecurity executives respond under pressure. If leadership falls short or fails to communicate effectively during these crises, the board should consider **leadership changes**. This is the stress-test complement to [[framework-board-cyber-engagement]].

## Expected outcome

Identification of effective versus ineffective cybersecurity executives, leading to stronger leadership.

## Open tension

The authors do not specify *objective* criteria for "falling short" versus "communicating effectively" — an unresolved gap captured in [[question-executive-evaluation-metrics]].
