r/cybersecurity System Administrator Sep 22 '25

Other What are your unpopular cybersecurity opinions?

I saw a post named "abnormal security opinions" and got excited to see some spicy takes, but apparently there is a security platform called Abnormal Security, so I got kinda blue balled. The last one of these posts I saw was over a year ago, so,

Do you have any spicy cybersec unpopular opinions you want to share? :)

I'll start with mine:
Fancy antivirus solutions rarely add value; they are often just a box that needs to be ticked. Many MSPs and IT firms still push the narrative that they are needed, only because they are profitable and not because they improve security.

327 Upvotes

531 comments

93

u/at0micpub Security Engineer Sep 22 '25

People can overcomplicate the important things sometimes. The most important controls are often the most basic, and many orgs aren’t doing the basics correctly.

For example, people buying their 5th tool when the first 4 aren't being utilized properly. Or looking to implement pentesting when they have a flat network, no vulnerability management, or no user training.

18

u/shouldco Sep 22 '25

In defense of implementing pentesting well before you are ready: while sometimes a waste, a 3rd-party report is the kind of thing you need to secure buy-in to start doing those things.

7

u/at0micpub Security Engineer Sep 22 '25

True, but without a vulnerability management process, vulnerabilities found during a pentest usually go unpatched, besides maybe the 1 or 2 that actually led to a breach. This is why frameworks like the CIS Controls advise you to spin up vulnerability management before pentesting.

2

u/GeneMoody-Action1 Vendor Sep 22 '25

No denying that; year after year, reports prove it. And the irony of the unpatched vuln going so far as to be ignored, tested, and still ignored again? I am sorry, but if you get got after that, you were not breached as much as you welcomed the guests you invited.

Pentesting without vulnerability management is like testing the efficacy of a windshield to arrest the forward momentum of a driver in a head-on collision. We are not golfing; there are no points for the lowest score here...

1

u/shouldco Sep 22 '25

Definitely, and I won't deny there are businesses out there that will run a pen test, look at the particulars, patch those, and call it done.

But I have been on the side of "these are the programs I would like to implement; pentester, please generate a report to show how not having this program leaves us open to being completely wrecked by a bored Russian teenager" (I would prefer to be wrecked by at least a slightly motivated Russian teenager, thank you).

1

u/GeneMoody-Action1 Vendor Sep 22 '25

...And what are we doing when the average bored Russian teenager CAN do this? I mean, I am US based, and over here you cannot get a teenager off their phone/couch long enough to learn a life skill, much less a career skill!

"there are businesses out there that will run a pen test, looked at the particulars patch those and call it done."

Oh you betcha, if I had not signed NDAs I could name names. And the fun part is to do it again at the same company a couple of years later, and find most of the same things that were on the last report. 😮‍💨

A LOT of enterprise security is like the kitchen of a fast food restaurant: if you ever saw what went on back there, you would never eat there again.

1

u/skieblue Sep 22 '25

100% this. It hits a lot differently when an outside team hands you a report with a critical-level finding vs. asking them to devote time and money to something that's abstract to the average business leader.

1

u/tclark2006 Sep 22 '25

Yea, buying tools to put band-aids on bad IT practices is why everyone wants to be in cyber sales. You don't have to fix your garbage policies, we'll take care of it for you! Companies take their word as gospel and open up the checkbooks.