Cyber’s ODI Operating Model – The Future of Cyber Security

Cyber's ODI Operating Model is the emerging future of cyber security.

This operating data intelligence (ODI) operating model will take over Cyber operations and be driven by data.

However, as an actual set of realized practices today, Cyber’s ODI does not yet exist in full regalia and will not for some time.

Despite being emergent, ODI is the unstoppable future of Cyber.

Let’s take the covers off Cyber's ODI and peek at what it is, why it is the future of Cyber, and what to expect of it.

But before we do, let’s review today’s dominant Cyber operating models.

Cyber Operating Models

Operating models express what is done and by whom in an organization.

As such they are like RACI matrices (who is responsible, accountable, consulted and informed) but go beyond this by including the processes - or workflows - of the workplace.

There are two dominant cyber operating models implemented in practice by enterprises today, each implemented to a greater or lesser degree.

CDA - for Core Cyber Operations

The first of the ectype Cyber operations is the Cyber Domain Automation (CDA) Operating Model, which is used to automate cyber processes from identification through protection, detection, response, recovery, compliance and management.

CDA is what the technology side of the house thinks of when it thinks of Cyber security in the enterprise, and you see CDA expressed in a variety of frameworks, including those from ISACA, ISO, NERC CIP, NIST and PCI among others. Truth be told, they all overlap one another and are all found in the CDA.

ESD - for Managing Risk in the Digital Ecosystem

The second of these is the Cyber Eco Stack Defense (ESD) Operating Model, which is used to manage risk up and down the digital value chain of organizations, from digital infrastructures through identity, applications and business logic, to business functions and the ecosystem value chain of the enterprise.

This is what the business side of the house thinks of when it thinks of Cyber security in the enterprise and you see ESD expressed in all manner of risk treatments for digital ecosystems applied to business operations.

ACME Widget Company

A sample profile of Cyber operations – at the ACME Widget Company – is illustrated in Figure 1. The depiction is of Cyber processes and digital ecosystem coverage at ACME.

Figure 1: Cyber Operations at ACME Widget Company


Source: Wellington Research, 2018

Cyber CDA Operations at ACME are most comprehensive for just four of twelve Cyber processes – identification, authentication, detection and compliance – with all four reaching into common business functions of the company. However, these more complete cyber processes fall short of being implemented for end-to-end business operations among customers or suppliers across the value chain of ACME.

The least comprehensive Cyber CDA processes at ACME include deception, log and event collection, incident response, and recovery. All of these are limited to use with networking and end point devices and sensors or, in the case of recovery, extend to some of the company's systems. None of these go beyond basic digital infrastructure for use with data, applications, digital identities, business functions or end-to-end business processes.

ACME's Cyber Weaknesses

The notable weaknesses of ACME’s Cyber Ops include the following:

  • Deception is used for networks and nothing else
  • Cyber response processes are limited to networks, end points and some systems
  • Cyber recovery operations are limited to networks, end points and some systems

The results of the approach to Cyber at ACME include the following:

  • Higher than normal costs for detecting and responding to Cyber incidents
  • Higher than normal digital vulnerability and compromise rates
  • Limited capability to recover critical business systems following digital cyber events
  • Higher and more frequent risk consequences

In some organizations these weaknesses may be well considered trade-offs of risk mitigation costs versus other uses of capital.

But in most organizations the discourse surrounding what risks to accept is probably driven more by annual budgeting processes than top-down risk-reward decision-making.

The profile of Cyber at ACME may or may not be like yours, or it may be close enough to yours to consider instituting some changes.

This is one of Wellington's Cyber Profile Assessments and it is useful for making trade-offs – where possible – between risk appetite and treatments, market rewards and business objectives, and regulatory requirements.

Operational intelligence

Beyond appropriate adjustments, and beyond the fancy operating models and frameworks, the critical thing to notice is that Cyber effectiveness at ACME – and ALL COMPANIES – is wholly dependent on operational intelligence.

Let me repeat it: Cyber effectiveness is wholly dependent on operational intelligence.

Operational intelligence is “What you know and what you don’t know” and the combination of both – known and unknown – when it comes to Cyber makes all the difference to outcomes.

Everything else is just window dressing.

Operational intelligence takes place across the plane of the two operating constructs CDA and ESD.

And despite its academic rigor and much research, the root of operational intelligence is all about the iterative OODA loop.

Figure 2: The Iterative OODA Loop for Cyber Operations


Source: Wellington Research, 2018

Codified in the 1950s by Colonel John Boyd of the US Air Force, the OODA loop describes how people react to external stimulus, from the time of arrival of external stimulus to the response to the stimulus. The uses of the OODA loop revolutionized fighter pilot tactics.

For most people the average reaction time to stimuli measures around 200 milliseconds, far faster than many but not all Cyber controls and operations.

Where today’s Cyber controls exhibit fast response times – for example within authentication or authorization, or within cryptography or intrusion detection controls – it is within a specific CDA process control that operates at a specific ESD layer.

In effect, fast response times for Cyber occur where cyber processes operate within one cell of the ESD-CDA matrix, but reaction times for cross-processes operating across the cells of the CDA-ESD matrix are not rapid.

For example, fast reaction times break down when crossing ESD layers such as those across applications and business functions, or across CDA process boundaries such as authorization and analytics.

There are numerous reasons for the segregation that characterizes isolated cells of Cyber controls across the CDA-ESD matrix. Some of these include multi-phased technology generation evolution and adoption trends and changing business conditions. Other reasons for Cyber's babble-like nature include changing regulations and changing perception of risk from the uses of digital among others.

But when it comes to effectiveness, fast reaction times are what it’s all about for Cyber.

Speeding up the reaction times of the iterative OODA loop is what makes Cyber more effective.

ODI - The AI-ML Powered Future of Cyber

The future of fast reaction times across the CDA-ESD matrix is ODI where various forms and uses of machine learning operate on data to power operational intelligence for Cyber.

This future is already upon us and will forever change Cyber from today’s dominant approach involving choke-points and rule-sets to tomorrow’s approach using identity, data and machine-learned, curated and guided operational intelligence.

ODI includes today’s anomaly detection and pattern matching bots, new uses of robotic process automation (RPA) enabled process automation bots, natural language processing (NLP) learning bots, and deep learning bots operating on data and patterns at scales and time-frames that are impossible for human beings to achieve.


ODI:

  • Includes the uses of fraud analytics and intrusion detection and prevention systems.
  • Can be seen today in the early uses of ML-enabled end-point security subscription services.
  • Exists with RPA enabled IT service management (ITSM) operations.
  • Can be seen in today’s AI-powered deception systems.
  • Is already being used with deep learning threat management systems.

Cyber’s future - ODI - will not spring forth fully born overnight, nor will it arrive fully clothed next year, but it is underway nevertheless.

Get Ready for Cyber's ODI Operating Model - Today

Unfortunately, few organizations are ready for ODI today.

Recent Wellington research reveals just 22 percent of enterprises are well along the road to mature Cyber OODA loop processes today.

The other 78 percent of enterprises are not yet able to act - but want to act.

Of this almost 80 percent of the market:

  • About half - 40 percent of the market - are able to decide what a Cyber event means, but not act when it comes to Cyber events.
    • This is a bit like a lifeguard freezing at the sight of someone drowning - the person trained to react chokes.
  • The other half - about 38 percent - are in a state of doing nothing, observing events, and orienting themselves to Cyber events.
    • This is like the bystanders watching, frozen and unable to assist the lifeguard.

Figure 3: Market Readiness for the Iterative OODA Loop of Cyber's ODI

Source: Wellington Research, 2018

Who cares about Cyber operating models?

Truth be told, models are only as good as their representation of the world around us. We humans are all model builders trying to represent the reality we perceive around us. Besides being a representation of the world around us, models also serve another critical purpose: they organize and discipline action among us to achieve a purpose. We are always building and rebuilding our models to better suit our needs.

ODI's primacy

Why will ODI be the future of Cyber?

The it's-good-for-you market motivation
  • The Cod-liver-oil-is-good-for-you reason why Cyber’s ODI is the future of Cyber security is that it expands coverage of critical response times outside single cells of the CDA-ESD matrix across multiple cells of the Cyber operations matrix.
  • The better reason is that it vastly improves reaction times.
The it's-bad-for-you market motivation
  • But the market impetus for why Cyber’s ODI is the future of Cyber security is that the bad guys and adversaries are already using it in their attack scenarios.
  • The only way to fight this coming digital fight is with contemporary digitized weapons-systems.

The AI-ML future of Cyber will drive iterative OODA loop cycles in milli- and microseconds and will include events traversed, transected, spindled, folded, compounded, and convoluted in less time than it takes to wink.

It will involve very different terminology and data science techniques – including backpropagation, bagging, boosting, EMA, KNN, Logic learning, LVQ, SVM, and NN among many others – and skills compared with what is used by today's Cyber practitioners.

ODI's Impact

Cyber’s ODI will pit:

  • Defender bots against attacker bots
  • Firewall jockeys against data jockeys
  • On premises choke-points against subscription data services

Cyber’s ODI is the digital version of red team/blue team, black hat/white hat:

  • Those with Cyber’s ODI will be using modern digital weaponry
  • Those without Cyber’s ODI will be at a severe disadvantage in the digital Cyber wars

Cyber’s ODI will forever change Cyber as it is known today.

May the Cyber ODI force be with you as you accelerate your cyber journey.
