Board members should be able to ask simple questions and get honest answers.
Often, I get engaged in security discussions with people who are on corporation boards or steering committees. Your article touches on the common concerns I often hear from them. When they ask me for any guidance on what to watch or ask about, I tell them to first look into the organization's infrastructure regarding security.
If the organization does not have the infrastructure necessary to implement and properly maintain security controls, no security control will function as it should. Security is not a one-man shop, and installing a security-relevant application alone does not ensure security risk is mitigated. It takes a team of people, each with training and appropriate access and resources, to ensure a security program is implemented and maintained properly.
Often, to keep things simple, I provide these folks a list of the PM controls from NIST 800-53. For those of you not familiar with this control family, here is a quick summary list:
PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program
Other than PM-15, any board member should be able to ask about how the above control items are implemented within the organization. Always remember that any security framework is subject to consideration for the organization's business model, maturity, size, and any regulatory requirements. Where a control makes sense, it should exist. Where it doesn't make sense, it should be documented as to why that is.
There is much more to each control, so if you are a board member or on a top-level steering committee, I suggest you visit the NIST site and get a copy of 800-53 (currently Release 4) and look through the PM family of controls for specifics. If the CEO or CISO cannot provide answers to questions regarding PM controls, then there may be an opportunity for improvement, or at least an opportunity for enlightenment.
Is the NIST 800-53 framework the end-all, beat-all approach?
No... not likely. But it isn't a bad start.