
I don't know security law at all but I have always seen CISO equivalent positions to be "Director" level, reporting typically to the CFO or to a C-level of some org who reports to another C-level and so on depending on size and complexity. But you are right in that they're just regular mid-level managers, not directly accountable to the board.


"Directors and officers" are a special legal category, basically the highest-ranking people making material decisions about the business day-to-day. They are subject to special reporting requirements, such as having to file paperwork whenever selling or buying stock (which usually needs to happen under a trading plan). They often have specialized contracts, company-provided liability insurance, and a variety of perks you associate with "real" executives at public companies - from corporate jets to eight-figure salaries. We're talking about the CEO, CFO, CTO, and so on.

This is similarly-sounding but completely separate from the "director" job level at a typical tech company, which is basically just a senior manager of a large team or maybe the lead of a mid-size department. Your average CISO is probably in this ballpark, commonly at least 2-3 reporting levels below real C-leadership.


This.

With respect to SolarWinds, we need only defer to their proxy statement to discover who the real shotcalling directors[1] and executives[2] are.

[1] https://www.sec.gov/Archives/edgar/data/1739942/000173994223...

[2] https://www.sec.gov/Archives/edgar/data/1739942/000173994223...


The CISOs I've worked with were usually Directors, or VPs, and in 3 cases so far, lawyers who made it into IS/IT management. Their CISO duties/powers were thin. Head-nods and "let's set up a separate meeting for that" level.



