---
id: "question-executive-evaluation-metrics"
type: "open-question"
source_timestamps: ["§ What boards should do:"]
tags: ["executive-leadership", "metrics"]
related: ["action-evaluate-cyber-executives"]
resolutionPath: "Development of a standardized rubric for boards to grade CISO/security executive performance during tabletop exercises and live incident response."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# What Metrics Define a 'Strong' Cyber Executive Under Pressure?

## Open question

What **specific, objective metrics** distinguish a cybersecurity executive who is "falling short" from one who is "communicating effectively" under crisis pressure?

## Context

The authors advise boards to evaluate executives during crises or simulated fire drills ([[action-evaluate-cyber-executives]]) but provide no objective criteria for the judgment. The exact threshold at which a board should initiate a **leadership change** therefore remains subjective.

## Suggested resolution path

Development of a standardized rubric for boards to grade CISO / security-executive performance during tabletop exercises and live incident response.
