Cyber’s CDA Operating Model – Both Ends Against the Middle

For Cyber security, Cyber's CDA Operating Model is, in practice, both ends operating against the middle.

Both ends of CDA are focused on one thing, and one thing only: appropriate controls to manage the risk of using digital.

In the case of CDA, one of its ends consists of all the activities focused on prevention, while those at the other end are focused on improvement.

Stuck in the middle are all the activities focused on detection.

The effectiveness of any enterprise cyber program is measured by how quickly the turn-around time is from one end of CDA to the other end.

Reducing this time close to zero – which can be approached but like any asymptote is impossible to achieve – is a sine-qua-non for cyber security.

Effective cyber security managers do CDA better than others, and those who keep the dance between its two ends in harmony are among industry leaders.

Cyber's CDA and Operating Models

So, what is an operating model, is it important, and how is CDA as an operating model applicable to Cyber?

Operating models express what is done and by whom in an organization. As such they are like RACI matrices (who is responsible, accountable, consulted and informed) but go beyond this by including the processes – or workflows – between the RACI roles that often - but not always - use digitally-enabled workflows to automate cyber controls up and down a digitally-enabled Eco-Stack from IT infrastructure through end-to-end business procedures.

Cyber operating models summarize all the digital methods, tools, processes and resources used to implement, operate and manage all things cyber. The three cyber operating models in concert - Eco Stack Defense, Cyber Domain Automation, and Operational Data Intelligence - summarize an organization’s business and market drivers, policies, risk appetite and treatments, what is delivered to stakeholders and customers, and the strategy and tactics of what is done, where, when, by whom, and the why and how of cyber security operations. That's a mouthful.

The CDA (Cyber Domain Automation) Operating Model of Cyber security is but one of the three operating models. One operating model is not better than the other, and in truth all three exist simultaneously - to different degrees by level of maturity – in many industrial economies and geographies.

CDA - The Operational Automation of People, Process and Product

The CDA Operating Model consists of three major pillars of activities encompassing day-to-day operations for cyber security, which include:

  • Prevention
  • Detection
  • Improvement

These three activity pillars are further subdivided into eight logical groups of activities that expand on the NIST Cybersecurity framework. The prevent pillar consists of all the activities associated with identification and protection procedures that are implemented for cyber operations. The detect pillar encompasses the three activities of detection, analysis and response in cyber operations. The improve pillar consists of recovery recovery, compliance and management activities of Cyber operations.

Figure 1: Cyber Domain Automation

Cyber Domain Automation


Source: Wellington Research, 2018

The three activity pillars of CDA are separated at two seams, one where boom separates the prevent pillar from the detect pillar, and learn which separates the detect and improve pillars.

  • Boom - occurs whenever cyber compromise occurs: it is called boom because it is when things go “boom!” and has associations with before and after bombs detonate
  • In the Cyber vernacular - boom is when pwnd occurs.
  • Learn - occurs after boom, and usually takes longer than digital for us humans

All the activities, people, processes and automated cyber activities to the left of boom are put in place to "prevent" boom from occurring.

All the activities, peoples, processes and cyber automation in force to the right of boom are put in place to discover boom, understand what it means, what actions can an should be taken immediately, and what can be learned to prevent this and similar booms from recurring in the future.

Learn occurs after the heat of battle, after emergency and incident response occur, and after the dust settles. It is a time of reflection, deeper digging, correlation, understanding and then improving. It is the necessary activity for boom to result in effective change on the left side of learn.

Word-wide CDA Spend Allocations

Based on our on-going research, the average proportion of cyber spend allocated across the three major CDA activities is as follows:

  • Prevent – 37 percent
  • Detect – 40 percent
  • Improve – 23 percent

These spend allocations are averages across the world, and include some minor - and major - differences by geography, industry, size of organization, and level of maturity.

Trends and Cyber Spend Allocation

What is spent in one of the activities of each pillar of CDA by one organization differs from that spent by another. However the overall averages between the pillars is what should be used as a yardstick for spend allocation. Emerging trends in cyber spend allocation - such as more data analytics, machine learning, virtualization, etc. - will influence current spend allocations on CDA pillars.

CDA's activities often have logical, physical, organizational, geographic, legal, operational and regulatory boundaries that result is markedly different spend allocations of CDA activities and pillars. IT outsourcing (ITO), business process outsourcing (BPO), managed - fixed fee - security services (MSS), and a variety of subscription services all influence CDA spend allocations. As a service continues to increase in use will result in different spend allocation profiles across CDA's pillars.

We fully expect the allocation of spend across the three major pillars of CDA and service categories will differ in the future.

We will uncover and analyze the other two primary Cyber operating models – Eco Stack Defense and Operational Data Intelligence – in future research.

In the meantime, reach out to us with questions and we wish you the best in improving the effectiveness of your cyber efforts.

Related Research

Cyber Security Operating Models and Cyber Effectiveness

Broad Spectrum Security Force Multipliers and Market Adoption

2018 Cyber Security Spend Report

Finding a Strategic Cyber Security Model


Featured Research

2018 Cyber Security Spend Report

The 2018 Cyber Security Spend Report focuses on global spend today through the coming five years. Did you know that global spend on cyber security is: More than $103 billion today Will exceed $130 billion by or before 2022 Today’s top two spend categories account for almost 50 percent of spend by enterprises today. The

Innovative Digital Business Models

Is your company making money using some of the innovative digital business models of the future, today? If not, it is important to understand what some of the new digital business models are, what they are best used for, who should consider using them, why they are important, and when they should be used. Not