Selleys Spakfilla is white gunk that its maker suggests as a fine material with which to fill cracks and holes, indoors or out. Spakfilla can be painted or sanded and is beloved of tradies and weekend DIYers alike.
And, according to Damian Cronan, chief technology officer of Nine Publishing (including what was Fairfax Media), it’s also sold by the security industry to patch things up after sloppy application development or infrastructure design efforts.
Speaking on a panel about security best practice at the Akamai Security Summit World Tour in Sydney this week, Cronan said security can’t be fixed if systems aren’t built right.
“Your opportunity is really early in the lifecycle,” he said. “Getting that design work done upfront pays high factor dividends later.”
“There are a lot of security vendors out there that will sell you Spakfilla to put in front of all the cracks and issues that you have,” he added, but warned: “The cost of remediating a security issue grows exponentially the further you go down the path. It gets more complex, you get more complex, you have more exposures.”
Cronan, who has previously served as CTO of video streamer Stan and ninemsn, continued: “It’s better to start with a world if you have that opportunity where you are addressing those needs early and often in the design process or the development process, otherwise you’ll be putting spot fires out.”
Selleys does not recommend Spakfilla as an appropriate material with which to fight fires.
Cronan was joined on the panel by Kate Healy, Telstra’s principal cyber security strategist. Healy said that she believes that security pros are being taken more seriously, but therefore need to become more serious themselves.
Reflecting on her 20-year security career, Healy said that “we used to be the nerdy kids back from back in the corner in the back room. No-one really wanted to talk to us.”
Today, she said, senior execs are more likely to listen to, or seek out, business-savvy advisors.
“There’s a strong drive for CISOs to have MBAs,” she said, and claimed ten percent of such officers in the Fortune 500 now hold the prized post-graduate degrees.
But she added that IT basics remain crucial, too.
“You need to understand the risk to your environment and the risk to your business. So look at what it is that's going to be critical. Don't try and fix everything, because you're not going to unless you've got unlimited budgets.”
“So focus on the core assets, focus on your core risks. And that's the best way to prioritise.”