Me: I need information on our drive shredding vendor and procedure.
Security: We don't have a drive shredding vendor. You should install Linux from a USB drive, wipe the drive and then encrypt it before drilling it.
Me: Wot? Why?
Security: You can't trust vendors.
Me: OK, can we hand them over to the PD for melting down?
Security: Wot? How is that secure?
If you are wondering - sending drives to a vendor to shred or a PD to melt is risk mitigation.
Telling end users to install Linux, wipe and then encrypt their drives, then drill them amounts to: drill the drives (so no one can check the other parts were done) and own the risk of that.
Complexity discourages compliance. 🤷