Security Through Obscurity

It's long been held that "Security Through Obscurity" is no security at all.

Okay, so that's not exactly true, because of course your password only works because it's secret - obscured from others; your private key only works because it's secret; and so on.

But these are all "exceptions that prove the rule" in a real sense - they are strings that you make up, or numbers that you choose at random - and the fact that no one password or private key is substantially better than another is itself a product of the public review of the algorithms in question. The algorithm is open; only the key is hidden.
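The distinction in the paragraph above is the one Kerckhoffs drew: a scheme whose only secret is the algorithm fails the moment the algorithm is read, while a scheme whose secret is a randomly chosen key survives full publication of its code. The following is an added illustration, not code from Alun's post: scheme A issues authentication tokens by an unkeyed scramble (the constant `_SCRAMBLE` and the message formats are hypothetical, made up for the example), scheme B uses a published algorithm, HMAC-SHA256, with a random key. An "attacker" who has read the source forges tokens for A immediately and gets nowhere with B.

```python
"""Kerckhoffs's principle in miniature: the secret should be a key, not the algorithm.
Added example; the constant, message formats and function names are made up for it."""
import hashlib
import hmac
import secrets

# --- Scheme A: "security through obscurity" ---------------------------------
# The token is a fixed, unkeyed scramble of the message. Its only protection is
# the hope that nobody outside the team knows this function exists.
_SCRAMBLE = bytes.fromhex("5a3c96f00f693cc5")  # hypothetical constant baked into the code


def obscure_token(message: bytes) -> bytes:
    """Issue a token for `message` (e.g. b"user=alice;role=user") with no key at all."""
    xored = bytes(b ^ _SCRAMBLE[i % len(_SCRAMBLE)] for i, b in enumerate(message))
    return hashlib.sha256(xored[::-1]).digest()[:16]


def obscure_verify(message: bytes, token: bytes) -> bool:
    return hmac.compare_digest(obscure_token(message), token)


# --- Scheme B: keyed MAC ----------------------------------------------------
# The algorithm (HMAC-SHA256) is public and reviewed; all the security rests in `key`.
def new_key() -> bytes:
    """A fresh 256-bit key; any output of this function is as good as any other."""
    return secrets.token_bytes(32)


def keyed_token(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, token: bytes) -> bool:
    return hmac.compare_digest(keyed_token(key, message), token)


# --- The attacker has read the source ---------------------------------------
def attacker_forges_obscure(target: bytes) -> bool:
    """An attacker who has seen the code simply runs it: the forged token verifies."""
    forged = obscure_token(target)  # exactly what the server would compute
    return obscure_verify(target, forged)


def attacker_forges_keyed(server_key: bytes, target: bytes, attempts: int = 1000) -> bool:
    """Same attacker, same complete knowledge of the algorithm, but no key.
    The best available move is guessing keys; against a random 256-bit key
    no guess verifies, so this returns False."""
    for _ in range(attempts):
        guess = secrets.token_bytes(32)
        if keyed_verify(server_key, target, keyed_token(guess, target)):
            return True
    return False


def keys_are_interchangeable(message: bytes) -> bool:
    """Two random keys are equally good: each verifies its own token and neither
    verifies the other's. This is the 'no key is better than another' property."""
    k1, k2 = new_key(), new_key()
    t1, t2 = keyed_token(k1, message), keyed_token(k2, message)
    return (keyed_verify(k1, message, t1) and keyed_verify(k2, message, t2)
            and not keyed_verify(k1, message, t2) and not keyed_verify(k2, message, t1))


if __name__ == "__main__":
    target = b"user=mallory;role=admin"  # constructed sample message
    print("scheme A forged after reading the code:", attacker_forges_obscure(target))
    print("scheme B forged after reading the code:", attacker_forges_keyed(new_key(), target))
    print("random keys interchangeable:", keys_are_interchangeable(b"user=alice;role=user"))
```

Note that scheme A hashing its output buys nothing: the weakness is not the primitive but that the only thing standing between the attacker and a valid token is ignorance of a procedure that anyone with the source can read. Scheme B can be published in full, and the only remaining question is how the key was generated and kept, which is exactly the sense in which a secret key is not "security through obscurity".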

There are, unfortunately, many other examples of Security Through Obscurity that people don't realise they are using.

"My operating system / application has far fewer bug reports than yours, so therefore it's more secure," is the example that keeps popping into my mind.

Your OS / app may very well be more secure than my choice, but if the only evidence you have is just as well explained by "more hackers attack mine than any other target", that's not a winning argument. A low bug count can mean few flaws, or it can mean few people looking.

Recent Apple vulnerabilities showed this - one vulnerability appeared, got some news coverage, and suddenly it was (a very brief) open season on Apple.

If you want to convince me that I have a long-term chance of security success in your environment, you have to tell me why it's:

  • technically superior - there are proven useful roadblocks in your environment, that my environment doesn't have (and that I may need).
  • procedurally superior - that the developers and providers of your environment have documented and enacted processes that turn flaws around faster and better than the developers and providers of my environment.
  • culturally superior - your environment is habitually operated and written for in a manner that mine is not (e.g. "Unix users never run as root, Windows users always do")

These items are ranked in order of value - a technical superiority will last and last, a procedural superiority is likely to be detected before it changes for the worse, and cultural superiority relies on groups of people continuing to behave the way they do - if we could rely on that, Wayne Newton would still be on top of the hit parade.

Then you also have to persuade me that I can get a better job done, with any re-tooling and re-training costs subtracted from the benefit you allege to provide.

Published Fri, Mar 24 2006 17:48 by Alun Jones
