Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. Those who have some kind of training with weapons can probably think of a dozen things they would and wouldn't do in that situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or, in an extreme case, earrings? Maybe you see peers treating these weapons the same way, and all of a sudden it becomes acceptable.
Until one goes off.
Then everyone flips their lid and it's utter chaos. Questions like "How did this happen?" and "Why isn't the government protecting us?" start to pop up in daily discussions. Then, when the newness wears off and no other incidents happen, people stop talking about it and go back to doing things the way they did, living with the assumption that it was a black swan.
Until it happens again. Then we lather, rinse, and repeat.
Rob Sadowski has a great blog post entitled "Time to Push the Reset Button" that discusses recent events in our industry (go give it a read). There is one really great point in it that I've touched on before: "Why do you still feel the need to handle payment card (or other sensitive) data?" I remember one meeting sitting in front of a CIO from a very large company saying, "What business do you have operating a payment processor? You are a retailer! Your core competencies are marketing and supply chain!"
“B-b-b-but… we’ve always done it that way!” This post (same as above) details why that mentality doesn’t work anymore.
Most companies don't handle risk management very well when it comes to information security because they can't agree on a way to value data. It's not entirely their fault; this process isn't easy at all. Here in the US, some elements of breach recovery costs are public knowledge through regular SEC filings, but in many places that information simply isn't public. Here's where risk managers screw up: they equate bits to dollars (somehow), and then make decisions and set policy on the basis of that unreliable data.
Instead, risk managers should add a new variable to their formula: C (confidence), placed somewhere in the denominator so that it scales down the unknown element. Large values of C mean we are supremely confident in our estimate of risk, so the unknown element in the formula shrinks. Small values of C mean we really have no idea what we are doing, and it's time to make it someone else's problem (outsource). There are plenty of options available that are both cost-effective and largely transparent to current business operations (with minor changes in nearly every case) that let you handle a plastic facsimile of the loaded weapon, such as a surrogate for the card data held by an outsourced processor, instead of the weapon itself.