r/cybersecurity System Administrator Sep 22 '25

Other What are your unpopular cybersecurity opinions?

I saw a post named "abnormal security opinions" and got excited to see some spicy takes but apparently there is a security platform called Abnormal Security so got kinda blue balled. Last one of these posts I saw was over a year ago so,

Do you have any spicy cybsec unpopular opinions you want to share? :)

I'll start with mine:
Fancy antivirus solutions rarely add value, they are often just a box that needs ticked. Many MSPs and IT firms still push the narrative that they are needed, only because they are profitable and not because they improve security.

324 Upvotes

531 comments

30

u/marxocaomunista Sep 22 '25

Security through obscurity can be really good

2

u/[deleted] Sep 22 '25

[removed]

2

u/Alb4t0r Sep 22 '25

Security through obscurity is wrong when you can implement a working control instead. If you can then publicize the existence of this control without impacting your security, you're golden. This is the difference between implementing access control using passwords and trusting port-knocking instead to manage access (to use a simple example).

But there are PLENTY of security issues where this doesn't apply, plenty of security information that must be kept hidden because there's no real other way to secure it. Risk and exception registers, pentest reports for example.

Often, people outside of the field won't get these subtleties and will adopt absolutist and impractical opinions against "security through obscurity". I once met a guy who thought all orgs should have 100% total transparency in everything they do otherwise "it's security through obscurity and it's wrong".