There is a question every executive should be able to answer clearly. If a data breach happened tomorrow, whose name would be attached to it?
For many organizations, that question does not have a clear answer. Security sits with the security officer. Or the IT team. Or whoever last touched the system in question. The organizations that do have a clear answer are in a fundamentally different position.