Skip Navigation
BlackBerry Blog

The Need For Agile Risk Management

How Traditional Controls Fail Where Learning Systems Succeed

The world of cybersecurity has changed. Cybercriminals today target organizations and unleash a torrent of malicious files and attacks that flood an enterprise until a breach occurs. They have learned to automate the production of malicious code and vary it just enough to create never-before-seen or unknown attacks. Many businesses, whether small, mid-sized, or large, have been infiltrated without detection. Today’s risk management leaders need agile defenses that quickly adapt to these new demands and stay ahead of attacks.

Yet, threats are only part of the story. The ever-changing technology landscape adds complexity for the CISO, CIO, and IT leader.

The 9 Box of Controls Concept

A simple yet powerful framework, the 9 Box of Controls, looks at IT controls, including control types and automation approaches, the overall control architecture, and the significance of control friction on business productivity. It allows people to better assess the value and impact of information security controls on an organization. The concept was introduced with the publication of Managing Risk and Information Security: Protect to Enable and has taken root among IT leaders across industries and geographies. As the concept gets shared with more businesses of every type, it drives security from a tactical conversation into a strategic, evergreen discourse about security spending, resource allocation, and long-term planning.

IT controls consist of any mechanism, policy, or procedure employed by an organization that affects the management processes for risk and security. IT or application controls seek to ensure that software used for processes, such as payroll, document sharing, or remote content access, are properly maintained, used, and protected. The control architecture consists of types of controls and automation levels. The right control architecture enables improved threat management. As new attacks appear, IT can’t stop the bad and allow the good without impacting users.

Control Types

Security controls consist of three primary types:

  • Prevention occurs when an action or control prevents an infection or cyberattack, stopping it before it affects people or the IT environment. Prevention centers on minimizing vulnerability from risk and the potential for harm.
  • Detection identifies the presence of malicious code or files that have entered the environment. Detection focuses on minimizing damage after an incident has occurred.
  • Response is the reaction to the discovery of malicious code. It attempts to remove it after a person or environment has been infected. With the reactive approach, the focus becomes detection and containment.

Control Automation Levels

There are also three primary control approaches:

  • Automated control occurs entirely through machines
  • Semi-automated control involves a level of human intervention
  • Manual controls are managed entirely by hand

The combinations of control types and automation levels comprise the cells of the 9 Box, as shown in the figure below. It represents how risk increases as an organization moves from prevention, to detection, to response. It also illustrates how cost increases as organizations move from automated, to semi-automated, to manual controls.

The development of IT controls and safeguards, as well as the different control automation levels, leads to another issue — control friction. When too many controls are put in place to provide security, the tipping point is reached, resulting in negative impacts.


A New Reality

Enterprises today can successfully use advances in automation, including artificial intelligence, machine learning, and big data, to secure like never before. Organizations need to embrace new capabilities to move forward beyond traditional AV, and the detect and respond model. At the core of these capabilities is ‘the learning model’, which departs from the core foundation of most security vendors today.

A learning system quickly predicts — and prevents — new threats. It also meets the demands of modern, mechanized attacks. The current technology landscape is a world of digital variation and frequency. IT staff cannot detect, respond, and plan for unknown challenges using the manual or semi-manual processes employed by traditional AV vendors. Learning systems, based on AI and machine learning, automatically analyze files, executables, and binaries to halt code before it executes and does harm. That means better threat protection, fewer alerts, more costs savings, reduced layers of control technology, and removal of control friction.        

The Business Case

When you protect to enable the mission using learning systems and the modern application of AI, you do more than provide agile risk management — you provide business value. You bring the strategic benefits of better cybersecurity to every corner of your organization.

  • Streamlined Operations: Eliminate layers of controls and technology, including EPP firewalls, host IPS, data loss prevention (DLP), and encryption
  • Reduce Incidents: Decrease Helpdesk tickets and refocus on strategic plans, including virtualization, cloud security, and IT automation
  • Improve Business Continuity: Secure against attacks targeting your network, credentials, and data, while ensuring service to customers
  • Improve Compliance: Meet government regulations and your internal security protocols with greater protection efficacy


The 9 Box of Control concept helps model where an enterprise is with its security and where it could be, with automation and security fully integrated to change the speed and efficacy of protection. Most importantly, the concept — and the proposed change in philosophy from detect and respond to prevent and protect — elevates security to be fully integrated into your existing IT and business strategy. Why? Because it offers a different paradigm or worldview on risk management, where the upper right box is not the optimum place for the enterprise. In fact, it’s the exact opposite - the lower left.

If an organization implements automated controls with a low degree of control friction that prevents risk, they deliver exactly what the AV industry has no incentive to develop — solutions and services that protect to enable people, data, and the business.

This blog is based on the comprehensive white paper A Radical Approach to Risk Management.

Malcolm Harkins

About Malcolm Harkins

VP Chief Security & Trust Officer at Cylance

As the global CISO at Cylance, Malcolm Harkins is responsible for all aspects of information risk and security, security and privacy policy, and for peer outreach activities to drive improvement across the world in the understanding of cyber risks and best practices to manage and mitigate those risks. Previously, he was Vice President and Chief Security and Privacy Officer at Intel Corp. In that role, Harkins was responsible for managing the risk, controls, privacy, security and other related compliance activities for all of Intel's information assets, products and services.

Jesse Theodore

About Jesse Theodore

NAME is a contributor for Cylance®, who are revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Our technology is deployed on over ten million endpoints and protects hundreds of enterprise clients worldwide including Fortune 100 organizations and government institutions.