"Lots of us say that information security is EVERYONE'S responsibility. While this is sort of true, we use this as a copout more than anything else. The truth is, everyone has information security responsibilities but information security is NOT everyone's responsibility.

See what we did there?

Everyone has information security responsibilities. So, let's start at the top and work our way down. The Board of Directors, the CEO, other C-Levels, etc.

Hey, CISO, what is it that you'd say you do here?
The quality of your answer might say everything we need to know. You either know or you don't.
If you know, share the answer with us (simpler, shorter answers are usually an indication of mastery, just sayin').
If you don't know, that's OK, BUT ONLY IF you don't pretend you do and you seek out the answer.

Now that we got that squared away, MAYBE we can figure out what everyone else's responsibilities are. If we don't get this right, how the hell are we going to hold anyone accountable. If we can't hold anyone accountable, how the hell are we going to get any better?"