Responsibility for security starts at the top (CEO - Chief Executive Officer) and carries down the chain of command to IT Managers, System Administrators, DBAs, Developers, and last but not the least users. There should be in place a training program, (and budget monies) for new employees joining the company at any level (with a requirement for the program to be successfully completed before attempting to perform any job duties).

Further there also must be periodic reviews to analyze any security breaches, and a plan developed to close those "loop holes", with specific assignments at each level of command including a time table for completion of the corrective action required.

I believe it must be a cooperative effort, whole heartedly supported by every individual that has access to data, in any form what so ever, either at the DB level, or handling of say printed management reports.