The 7 Constraints of Organizational Proficiency
(the 7 Cs)

  • The ongoing identification and management of constraints—factors standing in the way of positive change—is a very important activity for the management and improvement of any PCI security program performance.

    The table below presents a categorized list of primary constraints. These are common constraints preventing organizations from developing the process and capability maturities needed to achieve a sustainable and effective control environment that operates with consistent performance and predictable outputs. It’s certainly not an exhaustive list, but rather a useful frame or “mental model” that can facilitate categorization of limitations and restrictions within the control environment. 

  • A detailed description of most of these constraints can be found on page 10 of the 2019 PSR.56

  • Application of the Logical Thinking Process

    Many organizations are making substantial progress in advancing the maturity of their security and compliance capabilities. Many others need to ramp up their engine speed and make significant adjustments to the management of their compliance program.

    In some cases, this requires substantial changes and the adoption of methods entirely new to the organization. That is why we are dedicating this section to the Logical Thinking Process method, a very strong framework that can help you improve every aspect of data security and compliance and support better decision-making to achieve goals.

    Organizations suffer poor performance in compliance environments because they don’t have clearly defined outcomes for their data security and compliance programs. Security teams often think they know what they want to accomplish, but in reality, they are unclear about what, specifically, constitutes the end states of their strategy and program. They don’t know which components to optimize and prioritize. When CISOs and their teams are unclear about priorities—what truly matters and requires focus—they sometimes fail to progress out of fear of making the wrong choices. But choices must be made.

    These challenges are directly related to the goal. The importance of formulating a clear goal statement for PCI security compliance is reviewed on page 86. The achievement of that goal needs to happen by design, no matter how you define your goal or craft your mission statement. For example: “To develop, maintain and continuously improve a mature control environment that offers reasonable assurance for the effective, ongoing protection of payment card data, in a consistent, predictable and sustainable manner.” The importance of applying a method cannot be overstated. You need a method that enables you to identify, define and pursue the objectives toward your goal. You need clarity about the requirements—the conditions that need to be in place—for each objective. You also need to address and remove constraints.

    How you, your team and your organization progress toward the achievement of your security and compliance goal matters—a lot. You need a proven approach that provides assurance and confidence for success: a process that identifies the roots of the undesirable effects and exposes faulty assumptions related to the root causes of poor security and compliance performance. 

    As mentioned on page 33, the real challenge is not achieving your security and compliance goal. It’s whether you and your organization are willing to accept and commit to the investment of resources and the planning, execution and follow-through required to achieve that goal. 

    Most organizations are financially restricted and need to achieve the goal with the available resources. The Logical Thinking Process supports all of these tasks (identifying objectives and their requirements, removing constraints and exposing the root causes of undesirable effects) in a practical, visual way that is easy to understand.

  • Origins of the Logical Thinking Process

    The LTP is a framework based on the Theory of Constraints processes developed by Dr. Goldratt, who was introduced on page 9. This method was later enhanced by H. William Dettmer, author of The Logical Thinking Process: A Systems Approach to Complex Problem Solving. It’s a method designed to take poorly defined problems and slowly but surely move them toward a solution. This meticulous process breaks down components of a systemic problem to clearly define the nature of the problem. The investment of time helps to correct the systemic problem and avoid ongoing poor performance that previously resulted in a massive waste of time and capital.

    The LTP enhances collaboration and improves communication. It helps you structure ideas and analysis. It visually displays the links between cause and effect in an easily comprehensible format. The LTP also makes it much easier to refine elements and spot design flaws. Decisions are far too often based on wrong assumptions that do not reflect reality, which can be harmful. Often those assumptions are tacit—we don’t realize we make them, or fail to understand the negative impact they have on decision-making and system design.

    The LTP comprises five steps, based on necessity or sufficiency reasoning, to help improve your decision-making. 

  • “Inside every small problem is a larger problem struggling to get out.”57

    —The Schainker Converse to Hoare’s Law of Large Problems

  • What exactly are the thinking processes?

    The thinking processes are a set of tools that provide decision support for initiating and implementing a task or project. When used in a logical flow, they help walk you through a buy-in process to:

    • Gain agreement on the problem
    • Gain agreement on the direction for a solution
    • Gain agreement that the solution solves the problem
    • Agree to overcome any potential negative ramifications
    • Agree to overcome any obstacles to implementation


    The process of change requires the identification and acceptance of core issues, the goal and the means to the goal. This comprehensive set of logical tools can be used for exploration, solution development and solution implementation for individuals, groups or organizations.58

    You can anticipate constraints in existing processes, and you can also plan for them while designing a product, process or service.

    • Analysis/structure vs synthesis/function

      We mentioned the importance of applying systems thinking to solve PCI security challenges. The key to systems thinking is synthesis—putting components together. The approach to dealing with increasing complexity in data security and compliance environments is not analysis; it’s not to reduce it to manageable “bites” and address each component in isolation from the others. It’s an incorrect assumption that all of the parts are essentially independent of one another. This is especially true for PCI DSS requirements and for the components within the compliance and control environments, where various relations, dependencies and interdependencies exist between system components. That’s why you should synthesize—and not stop short at analysis—when conducting design, evaluation and management tasks. True application of systems thinking combines analysis and synthesis, where analysis focuses on structure and synthesis on function. As H. William Dettmer mentions on page 61 of his book Systems Thinking—And Other Dangerous Habits, “The essential difference between analysis and synthesis is this: if each part of a system, considered separately, is made to operate as efficiently as possible, the system as a whole will not operate as effectively as possible.”59 Understanding this is key to unlocking the method for achieving sustainable control effectiveness for your PCI security control environment.