A security plan must specify who (what organization) is responsible for implementing and managing the controls that will meet the requirements laid out in the security plan. This also means specifying who (what organization) is responsible should security fail. Because all employees have a role to play in making security successful (regularly changing passwords, applying security patches, etc), some companies want to say "Everyone is responsible for security", and not assign overall responsibility to a particular organization. Why is this a bad idea?