Security through obscurity: fact or fallacy?

What is the biggest cyberthreat of tomorrow?

About eight years ago, early in my days in the security community, at an event we were attending (long before the coronavirus cancelled them all) I remember hearing a saying: ‘security through obscurity’. I was unaware of this statement’s significance or how this adage has shaped the mindsets of some security professionals today. I think it's something we need to explore.

In my role as a security consultant, I see that the real value I can add in the security industry is understanding what my clients' real needs are, and helping them to achieve these. However, often I see those narratives and mindsets seem to really influence the type of cybersecurity architecture organizations adopt. Let's face it: if they didn't, what really does?

As subjective as the statement ‘security through obscurity’ is, when looking at how this concept has been applied in practice, I’ve observed how industry professionals place many different hurdles (products) from differing vendors throughout the entire cybersecurity architecture. Essentially what this points to is the assumption that the more diverse the vendors and products throughout the entire cybersecurity architecture are, the better. On the surface this may seem logical, but is it? What are the tradeoffs and what are the real outcomes that this 'obscure' approach really gives us? Let's explore further.

Firstly, organizations I talk to nowadays are more often looking to consolidate parts of their cybersecurity architecture to simplify things, eliminating overlaps within the cybersecurity architecture itself, reducing the number of vendors they have to constantly deal with, and scaling down the amount of noise in the environment.

Secondly, sharing threat intelligence across your entire cybersecurity architecture can only provide better defense capabilities, as opposed to having siloed products from different vendors, sprawled across the cybersecurity architecture that serves no intercommunication capability. For example, if I have a modern firewall and an antivirus solution from two different vendors, and an endpoint in my network is being attacked, would my firewalls really know about the attack taking place? And if they had this capability, could the endpoint have been attacked in the first place? It makes you question how the obscure approach is serving its purpose in securing an organization's assets, in comparison to a consolidated approach that delivers shared threat intelligence and shared security capabilities across the entire cybersecurity architecture.

Obviously there are many scenarios we can propose, but the point I’m making is that the power of security isn’t derived from obscurity alone. It come from understanding what needs to be protected and identifying the best way to achieve this through people, process and technology. Therefore, what purpose does the ‘security through obscurity’ adage provide us?

Security through obscurity: fact or fallacy? I call fallacy.

Therefore, when looking to deliver cyberbreach prevention methodology throughout cybersecurity architecture we need to look at the bigger picture. We need to identify how we can achieve better outcomes by implementing 21st century thinking and new innovations, instead of falling on old adages that present us with new problems to solve.