Constraints: The security and compliance shoal

  • A PCI security compliance management program is a complex system with many moving parts. A complex control environment consists of multiple linked activities, and events that occur in one area affect other areas of the system. Examples of these interlinking systems abound within every PCI security control environment, with many interconnections and dependencies between PCI DSS requirements and controls and the system components (people, documents, processes, and IT devices and networks). Decisions often have unpredictable effects, and the chain of causality is not easy to track. At any given time, an organization is kept from achieving its highest goal by at least one constraint.

    Constraints can show up in many ways; a constraint is anything that limits the system from achieving higher performance. Any given system has at least one, but at most only a few, significant constraints that require attention. One always acts as a constraint upon the entire system: the constraint activity is the weakest link in the chain. It can be a step or process producing less than what is demanded of it, or the whole process itself can be the constraint. Even senior management and other departments can be the constraint.

    This means that processes, organizations, etc., are vulnerable because the weakest person or part can adversely affect the outcome. This is a harsh reality for data security and compliance, which security teams deal with daily. No meaningful improvement exists unless time and effort are spent to reduce and remove constraints that limit system performance.

  • “Not every change is an improvement but certainly every improvement is a change.”52

    —Eliyahu M. Goldratt
  • Identifying the most important constraint

    The introduction of PCI DSS v4.0 places a much greater impetus on organizations to demonstrate the capability to continuously improve their control environment. However, constraints, when approached correctly, can be key to unlocking improvements in productivity.

    You can—and need to—elevate a constraint to the point where it’s no longer the system’s limiting factor. This is called breaking the constraint. In a PCI DSS compliance environment, breaking the constraint helps the control environment achieve the required level of effectiveness and sustainability.

    Once you break a constraint, you will uncover the next most-limiting constraint. No system is free of constraints; its performance cannot increase without limit. Another constraint will limit the system’s performance. In other words, the limiting factor is now some other part of the system, or lies outside the system (an external constraint).

    How do you sort out the important few constraints from the trivial many? A method is needed to identify and prioritize them according to their impact on the goal. Whatever the constraints may be, much can be done to reduce their impact.

    Introducing the Theory of Constraints

    The Theory of Constraints (TOC) is a proven process management methodology for identifying the most important limiting factor (constraint) that stands in the way of achieving a goal, and then systematically improving that constraint until it’s no longer the limiting factor. This approach to improvement views any manageable system as limited in achieving its goals by a very small number of constraints. This makes the TOC a very powerful tool.

    The TOC originated in manufacturing and soon proved usable in other environments. In 1984, Eliyahu M. Goldratt, a physicist turned business consultant, articulated the Theory of Constraints in his book, The Goal: A Process of Ongoing Improvement.53 Goldratt simply defined the TOC as “a process of ongoing improvement” and a thinking process that enables people to invent simple solutions to complex problems. In 1986, he created the Avraham Y. Goldratt Institute to teach the theory. Many businesses around the world have adopted this methodology to help them better understand the factors keeping them from their goals. 

    The TOC helps you look closely at a process or step and then see the step in the context of the entire line, process or organization. This holistic perspective is key to the TOC, because it views organizations as a chain of departments and functions.

    Applying the TOC to PCI security compliance management

    The speed and efficiency with which the numerous tasks necessary to achieve and maintain security and compliance are completed is mostly dictated by the slowest process in the control environment operations chain. Applying the TOC to PCI security compliance, and to data security in general, offers a prioritization method and a way of looking at a complex system to uncover and address the underlying root causes that prevent control environments from being efficient, effective and sustainable. Its structured and logical approach can be applied system-wide to break limiting factors, get more out of existing processes and resources, and continually achieve goals.

    The holistic view and continuous search for constraints enables better control over processes and exposes additional capacity—often without the need for further investments. In other words, the TOC forces you to use what you already have, rather than spend money on new equipment or more resources. This is exactly the solution many organizations need to improve their PCI security compliance capability.

  • The TOC benefits

    In sum, the Theory of Constraints (TOC) helps individuals and teams understand that:

    • Constraints analyses focus improvements on where they can have the most impact
    • The concept of a constraint makes it easier to find what is slowing the advancement of the whole environment, or even the whole organization
    • The holistic view of the environment (or organization) and the continuous search for constraints gives you better control over your process so that you can anticipate backups and events that reduce performance


    In the context of its application to PCI security, this approach helps organizations by:

    • Providing information needed to understand the scope and nature of data security and compliance goals and strategy
    • Diagnosing issues, which may necessitate redefinition of the problem and recommendations based on the diagnosis
    • Facilitating the capability to plan, develop and implement a structured approach to identify the correct solution (solve the right things in the right manner)
    • Assisting with the implementation of recommended solutions and supporting consensus building around corrective action
    • Facilitating learning—that is, growth in understanding, capability and processes to resolve similar problems in the future
    • Continuously improving elements of organizational effectiveness 
    • Exposing additional capacity and optimizing existing resources 

    The method for achieving continuous improvement for PCI security compliance

    To reiterate, your payment card security and compliance system consists of a chain of processes. If you want to improve the system (strengthen the chain), where is the most logical place to focus your efforts? The weakest link! Systems are analogous to chains, and each system has a “weakest link” (constraint) that ultimately limits the success of the entire system. In most cases, the most productive approach is to start by strengthening the weakest link. A chain will break at the weakest link, no matter how strong the other links are made. Therefore, effort spent improving non-constraints will not produce the most beneficial improvement in your security and compliance system capability: its effectiveness, robustness and resilience.

    For many organizations, the weakest link in the performance—strictly from a basic PCI DSS control requirement perspective—is found under Key Requirement 11: Test security of systems and networks regularly (specifically Controls 11.2 and 11.3). Other related weak links within the system are Key Requirements 12 and 6. When you increase the strength (control robustness and resilience) and address the weakest link, it should not be the weakest link anymore. While the chain became stronger, it’s not indefinitely stronger—since some other link is now the weakest one, and the overall strength of your security program is now limited by the strength of that link. The primary constraint migrated to a different component.

    From a broader perspective, organizations need to determine and address the weakest links in management capabilities. A generic management problem that exists across many organizations within the payment card industry is the design and implementation of a strategy that ensures ongoing improvement of the compliance environment and its follow-through.

    If you decided on the goals of your security compliance strategy and program, and the necessary conditions for attaining them, are you achieving those goals right now? If not, you could be doing better. Now, consider these additional questions:

    • What is keeping your strategy and program from doing better, given that security and compliance are processes that form part of the overall control environment?
    • What is keeping your control environment from doing better—and reaching its desired full potential?
    • What exactly do you think are the constraining factors (everyone in your team will likely have their opinions, but who is right)?
    • Where in the chain of processes is the most logical place to focus your efforts to improve your payment card security and compliance system (where you can strengthen the chain)?


    Now consider four basic questions about change that every manager needs to ask:

    • Why change (what is the goal)?
    • What to change (where is the constraint, the problem; what is the root cause)?
    • What to change to (what to do with the constraint; what is the solution)?
    • How to effect the change (how do you implement it)?


    It’s important to remember that these are system-level questions, not process-level questions. While the answers to these questions have an impact on individual processes, efforts should be focused on system improvement.

  • “Processes are important, but our organizations ultimately succeed or fail as systems. What a shame it would be to win the battle on the process level, only to lose the war at the system level!”54

    —H. William Dettmer
  • A control environment, a continuous managerial process, provides the basis for carrying out internal control across the organization. Within an effective control environment, competent people understand their responsibilities and the limits of their authority. They are knowledgeable, mindful and committed to doing what is right and doing it the right way.

    An effective control system rapidly detects and discloses where failures are occurring and what or who is responsible for the failures. It ensures that corrective action is taken and that performance is measured, reported and continuously improved. 

  • Identifying and addressing constraints and core conflicts

    PCI security management can only succeed when its set of baseline requirements is supported by a comprehensive set of actions taken by management to establish an effective control environment. The environment should never be subjected to random internal changes. Organizations are expected to firmly manage internal influences and have the capacity to deal with external influences, which one typically has much less control over.

    As an industry, the need for ongoing improvement at a system level is not up for debate. A process of ongoing improvement is an absolute necessity, and to improve means to change. As mentioned earlier, for an organization to have a process of continuous improvement, certain basic questions need to be answered faster and more effectively. Those fundamental questions are: “Why change?” “What to change?” “What to change to?” and “How to cause the change?”

    What to change?

    The changes are not limited to PCI DSS requirement changes; they go well beyond that. PCI DSS controls perform poorly within control environments for reasons that, after nearly two decades of PCI security compliance, are well known and documented. The factors that influence the sustainability and effectiveness of the environment are known. The main security and compliance management mistakes are known; we refer to them as the Top 7 Strategic Data Security Management Traps, discussed on page 12 of the 2020 PSR. So are the nine primary factors, which we call the 9 Factors of Control Effectiveness and Sustainability (see the 2018 PSR for details).55 Additionally, the most common constraints are known: the 7 Constraints of Organizational Proficiency (see next page).

    All PCI security compliance environments can and should have known lists of observable symptoms with known cause-and-effect relationships between system components. How to identify the underlying common cause, the core problem, for all of the symptoms within the environment is a skill every security team can learn and master. With the correct approach, every organization can achieve full-compliance sustainability and effectiveness with the ability to keep 100% of PCI DSS requirements in place, and to be proficient at rapidly detecting and correcting any control that falls out of place.

    For those who have not yet reached that level of operational capability and maturity, the core problem is inevitably an unresolved conflict that keeps the organization trapped and/or distracted in a constant tug of war. This goes back to unresolved issues in the Top 7 Strategic Data Security Management Traps. This conflict is called a core conflict. Core conflicts within PCI security compliance environments have devastating effects on the performance (robustness and resilience, and therefore sustainability and effectiveness) of the control environment. Organizations attempt to treat those negative effects by creating policies. However, these are usually Band-Aid fixes, since they don’t treat the core conflict.