A lot of people focus on the external threat, mitigation and management, whereas most of the attacks are actually from the inside. What is your take on internal and external threat management?

Group Chief Information Officer in Construction, 6 years ago

Proper Governance
Policy and procedures
Comprehensive Security Awareness program
and proper security measures and tools in place

IT-chef / Director IT in Energy and Utilities, 6 years ago

To me there are two distinctive differences: 1) unknown external and 2) known internal, because people are people.

As threats and hack innovations are exponential vs the money that is put on innovation on information security, we all are struggling. External threats are categorized from manageable unknown to complete unknown, the latter being a threat from another state. You won't know if they are there… I think companies are doing what they can regarding external threats.

The second, known and internal threat is a complicated one, as it has to do with people employed within the company. The human factor is a common threat due to the fact of ignorance. Different countries have different laws that regulate how hard you can be on employees. I don't think there is a thing called it's "just to... put a vetting/screening or what have you in place". It's about education and awareness on ALL LEVELS in an organisation. A company should put various processes in place to deal with awareness of behaviors regarding assets = information. All new employees should go through information security education, current employees should be taking nano web seminars on the subject, and it should be mandatory for managers to have a security follow-up at the yearly review. Assign a system portfolio owner for each operational unit. Launch a compliance and audit on communication and infrastructure, matching that with processes, and review accesses to AD and applications 2 times a year.

People are people, so given that our employees are known and a threat we should be able to minimize this, but that is hard to do. It needs commitment and an ongoing systematic approach on awareness.

Chief Security Officer in Software, 6 years ago

I disagree that most of the attacks are from the inside. I think for most CISOs, insider threat is a small risk compared to external attackers.

Senior Security and Compliance Auditor in Software, 6 years ago

With insider threats you can mitigate risk with solid HR vetting policies/requirements, SIEM tool to correlate suspicious activity, proper segregation of duties throughout the organization (not just IT), and DLP that blocks/alerts the movement of data/files between email/folders/environments/USB.

Board Member, Advisor, Executive Coach in Software, 6 years ago

I would argue that internal risks are actually a pretty small amount of the real issues that are occurring. A lot of people confuse the insider risk with, "I clicked on a phish," or "I forgot to label the data correctly," and they label that as insider risk, but it's non-malicious risk. I think the real malicious insider activity, to steal intellectual property, plant a logic bomb, etc. is quite low.

If I'm a non-malicious actor, I click on a link, I open an attachment and something bad happens, that's a failure in technology, not the individual. You could also argue the insider risk is the decision maker who thinks that something is an acceptable risk, when in reality, it's not. When you widen it out to that, you end up with a lot of insider risk. But the malicious side, I think, is quite small.

On the external side of it, we usually talk about threat actors and threat agents. When you look at all of the breaches that are public or non-public for that matter, it's primarily because somebody executed malicious code on the system, was able to take it down to ransomware, weaponize it, or steal data or intellectual property. That's the vast majority of the risk cycle that we're seeing. But the core of almost everything I've ever experienced is execution of malicious code.
