Security is not a linear movement, and it doesn’t sit in one department, let alone with one person. Good security requires a holistic approach, and the understanding that you must move the entire organization forward, without forgetting to bring up the rear.
So: Two steps forward, and one back to check that there are no open flanks.
Naturally, day-to-day IT security efforts must be anchored within the IT teams. But the impact of critical security incidents on cost, compliance and brand means all levels of the business need to have some appreciation of the value of continuous prioritization, identification of weaknesses, and investigation of issues. And end users must be onboarded to understand their role in keeping the business safe.