Where does the buck stop when there’s a security breach?

Is it the IT department’s problem, or does the buck go as far as the C-suite? Opinions are polarised, but it’s more nuanced in the real world