Optimizing limited resources by strengthening the weakest link


  • With the right resources—experienced teams and ample funding—it’s theoretically possible to improve every part of an organization. The reality is that even the largest and most prosperous organizations have limited resources—time, budget and skilled people—available to invest in making the changes needed to improve all the systems, processes and capabilities within their organization.

    When security and compliance teams continue to experience an acute shortage of skilled professionals across the globe, how do a CISO and security steering committee decide where and when to focus time and scarce resources to remain effective? What’s needed in many organizations is a reliable method to differentiate between the “many” components—the various systems, processes, documents, capacity, capabilities, etc.—that “can” be improved and the “few” that “must” be improved in order to achieve the security and compliance objectives and goals.

    Continuous compliance and increased expectations of ongoing improvement are part of the PCI DSS v4.0 requirements. The key to achieving ongoing growth and stability of security and compliance program performance is to find a way to focus resources on only the parts within the control environment that are currently limiting or blocking further improvement—the weakest links, system constraints or leverage points.

    PCI security compliance environments, and control environments in general, are complex systems. However, they are governed by inherent simplicity. In most cases, the majority of poor performance issues are caused by very few underlying causes (the Pareto principle—also see the general truism of Price’s Law).29

    Performance improvement of PCI security compliance programs, and compliance of the control environment, is not equal to the sum of improving all the components. Focusing on improvements by targeting the weakest links—the most important constraints in a few components—can improve the performance of the whole system (see the note on “systems thinking” on page 71).

    The strength of any chain is limited by the weakest link. Similarly, the effectiveness and sustainability of a control environment is limited by the performance of the weakest link (system constraint). Improving less-weak links (i.e., focusing on any link that is not the weakest) will not improve the performance of the environment, while improving the weakest link will always result in improvement to the environment as a whole.30

  • Applying an easy-to-understand method based on sound analysis and reasoning offers a much-needed breakthrough. The Logical Thinking Process (LTP) lays bare erroneous assumptions about what teams focus on and what they do not. It’s a practical method to help differentiate between all the parts that can be improved and those few that must be improved to achieve more with fewer resources.

    For an overview of the benefits of applying the Logical Thinking Process to improve the performance of PCI security programs, see page 69. For a more detailed discussion of how to apply the Theory of Constraints, see page 64.


    The GRC² Model = The Goals, Requirements and Constraints x Governance, Risk Management and Compliance

    The 2020 PSR highlighted the critical importance of organizations taking strategic action to drive investment in the development and enforcement of security and compliance programs. In many cases, it’s a survival skill to combat growing complexity. In addition to a sound security and compliance strategy, the success of PCI security compliance programs often depends upon the extent to which the program is integrated with governance and risk initiatives/activities into the broader control environment. A direct relationship exists between the amount of time and effort organizations invest into the design, execution and ongoing management of their governance, risk management and compliance (GRC) program, and the effectiveness of their PCI security programs.

    The term GRC is an established acronym that has been in existence for about 20 years. It’s an umbrella term for a management discipline and operational framework. To assure the realization of organizational goals and objectives, GRC requires an integrated, organization-wide approach to establish clearly defined, measurable standards of performance.

    In other words, the main purpose of GRC as a business practice is to develop and maintain a well-coordinated and integrated collection of capabilities to support predictable and reliable performance at every level of the organization. It’s a structured approach to align IT with business objectives, while effectively managing risk and meeting compliance requirements. Organizations should develop this essential capability to achieve goals and strategic objectives and meet stakeholder needs.

    The scope of GRC does not end with just governance, risk management and compliance. It includes assurance and performance management. When done right, a GRC approach offers better decision-making agility and confidence; reduction in costs, duplication and impacted operations; sustained, reliable performance; and delivery of value.

    Regulation is the biggest driver for GRC. The past two decades saw a substantial increase in demands from third-party stakeholders for greater transparency. Stakeholders increasingly demand (and contractually require) evidence of high-performance GRC capabilities. A significant internal driver is the need to manage costs associated with addressing risks and compliance requirements to prevent them from spinning out of control.

    • G² = The goals, requirements and constraints of governance
      Governance is the way an organization is directed and controlled to reach goals. In GRC, governance is necessary for setting direction (through strategy and policy), monitoring performance and controls, and evaluating outcomes. Governance can be defined as the combination of processes that facilitate decision-making. The processes are established, executed and supported by all levels of management. This should be reflected in the organization’s structure. Activities performed under this category are carried out in order to clearly define and communicate control mechanisms that ensure that decisions and directives made by management are properly carried out. The processes are designed to include ongoing support of the governance function to ensure that critical, relevant management information—which is accurate, sufficient and complete—reaches the management team on a timely basis (clear visibility).

      R² = The goals, requirements and constraints of risk management
      Risk management anticipates risks that could potentially cause harm or loss or hinder the organization from successfully managing and achieving its goals. It ensures that the organization promptly identifies, analyzes and controls risks that can derail the achievement of strategic objectives. The processes include identification and classification, assessment and communication, mitigation, and reporting on the containment of risks.

      C² = The goals, requirements and constraints of compliance
      Compliance refers to a defined process and consistent accounting of organizational practices for ensuring that policies, standards and guidelines are employed and followed. Depending upon the context, compliance ensures that the organization takes measures and implements controls to assure that internal and external compliance requirements are consistently met. It sets measurable standards of performance for an organization’s policies and procedures on practices and individual behavior that need to conform to the expectations of a broad range of internal and external stakeholders. This typically includes compliance requirements from third-party contractual obligations and external government and industry regulations—such as PCI security.

      The compliance process includes recording all components that must be complied with, assessing the state of compliance of the organization and cost-benefit analyses to evaluate the possible impact of noncompliance with the rules. Compliance activities usually involve documentation of processes and the risks of compliance and noncompliance; identification, definition and documentation of compliance controls in place; assessment of the effectiveness of the controls; remediation of compliance issues; and disclosure and certification of compliance processes.

  • These demands produced an industry that has grown exponentially, offering a wide selection of GRC tools (software applications) to support the automation, management and reporting of GRC activities. Having a tool alone isn’t enough to guarantee effective GRC, as technology does not have ethics—people do. Hence, GRC must be addressed from a systems-thinking, people-and-process perspective even before technology is considered.

    Complexity adds no value. Organizations need to apply a framework—a powerful method for simplifying the overall approach needed to achieve results in a highly structured and predictable manner.

    The three practices that make up GRC share common and interrelated tasks, with overlapping areas of responsibility and processes. They are more effective when integrated and dealt with as combined practices.31

    GRC involves bringing the right groups of people together, supported by appropriate technology; clarifying performance expectations and outcomes (goals); determining the necessary resource commitments (requirements) needed to ensure that those goals are achieved; and evaluating what could get in the way (constraints).

    Although the concept of governance, risk management and compliance (GRC) is no longer an emerging field of study within the information assurance community, understanding its successful design and implementation still requires some demystification and exploration. That’s why the author formulated GRC², pronounced “GRC squared.” GRC² stands for the multiplication of each individual governance, risk management and compliance component with its respective goals, requirements and constraints. This presents an enhanced model for the logical step-by-step design, implementation, management and evaluation of a GRC approach.

    Many organizations isolate their PCI security compliance programs from broader governance programs, not realizing the effectiveness and efficiency of a synchronized approach, which avoids overlap and repetition of tasks between various programs. A unified compliance approach to meet various regulatory requirements under a single corporate governance umbrella has significant compliance and risk management benefits. Organizations should, at least annually, revisit the goals, requirements and constraints of their governance program. We include definitions of GRC below, which you can reference when constructing the articulation of your strategic goals and objectives.

    PCI DSS compliance focuses on managing risk associated with the storage, transmission and processing of payment data by defining the requirements within and between PCI security programs and enterprise risk management programs.

    See page 42 for insights on requirements—in particular, how to prepare for the impact that PCI DSS v4.0 will have on the changing PCI DSS 12 Key Requirements.

  • Figure 1. The interactions of the GRC² Model


  • Figure 2. GRC² Model = Managing the GRC (Goals, Requirements and Constraints) of GRC (Governance, Risk management and Compliance)

  • This process (compliance) should be very familiar to any organization that has completed a PCI DSS assessment.

    In the 2020 PSR, we highlighted Verizon’s Top 7 Strategic Data Security Management Traps, which range from inadequate leadership (often rooted in the organizational structure) to communication and culture constraints. Readers concerned about compliance issues would benefit from reviewing those traps (see page 12 of the 2020 PSR).

    Deconstructing GRC²

    Various options exist for defining the design and implementation of a GRC approach within your corporate security and compliance strategy. GRC involves a range of different organizational activities, from setting up roles and responsibilities, and business processes, and arranging periodic compliance assessments, to establishing internal continuous control monitoring and reporting procedures. Observing how organizations approached the implementation of GRC over the last 20 years offers valuable lessons in strategic and critical success factors. Many factors determine the successful outcome of GRC initiatives; in the majority of cases, organizations pay far too little attention to defining what they actually aim to achieve, the necessary requirements (capabilities) and critical constraints that stand in their way. In other words, too many organizations gloss over goals, requirements and constraints in relation to governance, risk management and compliance.

    Goals

    Define what you aim to achieve, an obvious but often overlooked step that can determine success or failure. The solution is to gather together key stakeholders and project staff, brainstorm what GRC means to your organization, and generate priorities based on specific needs. Make sure you determine which goals (for governance, risk management and compliance) should have top priority. (See page 25 for further explanation on goals.)

    Requirements

    Identify the necessary conditions to meet objectives and goals once you’ve identified, clarified and documented what governance, risk management and compliance mean to your organization, and the overall goals for each. Also determine what the requirements are for each. What are the objectives to reach the goals and respective requirements—the necessary capacity, resource inputs and capabilities? Which requirements should be prioritized as most logical and beneficial? Which method should be used to determine where to focus team energy and prioritization? How do you identify the requirements that will benefit your approach to GRC the most—particularly in light of the changes brought about with PCI DSS v4.0? (See page 42 for further explanation on requirements.)

    Constraints

    Take stock of your current situation and capabilities, because every complex system, including PCI security compliance and data security, consists of multiple linked activities, any one of which can act as a constraint upon the entire system. A constraint is anything that limits a system from achieving higher performance in relation to its goal. It can be a step or process that is producing less than what’s demanded of it. At least one constraint exists in every system.

    Systems are analogous to chains. Your payment card security and compliance system consists of a chain of processes. Each system (chain) has a weakest link (constraint) that ultimately limits the success of the entire system. If you want to improve the system (strengthen the chain), where is the most logical place to focus your efforts? The weakest link! A constraint can be elevated to the point where it’s no longer the system’s limiting factor. This is called breaking the constraint. The limiting factor is now some other part of the system, or may be external to the system (an external constraint). This approach can be applied to PCI DSS compliance environments to break constraints that prevent the control environment from achieving the required level of effectiveness and sustainability. (For further explanation on constraints, see the 6 Constraints of Organizational Proficiency on page 45 of the 2020 PSR, the updated 7 Constraints of Organizational Proficiency table on page 68 and the risk of unintended consequences on page 11 of this report).
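The chain argument above (a control environment is only as effective as its weakest link, so effort spent on any other link buys nothing, and elevating the weakest link eventually makes a different link the constraint) can be made concrete with a small model. The following is an added example written for this page; it is not code from the Verizon report or its authors. It assumes a simplified chain model in which whole-system effectiveness equals the lowest score among linked control areas, and the four control-area names and their 0-100 scores are constructed sample data, not measurements.

```python
"""Constraint-focused prioritization of a control environment.

Added example, not code from the Verizon Payment Security Report. It models
the "chain" argument from the text: a control environment is a set of linked
control areas, its effectiveness is bounded by its weakest link, and only
effort spent on the current constraint raises overall performance. The
control-area names and scores below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Link:
    """One linked activity in the chain; effectiveness is a 0-100 score."""
    name: str
    effectiveness: int


def weakest_link(chain: List[Link]) -> Link:
    """The system constraint: the link with the lowest score (first on ties)."""
    return min(chain, key=lambda link: link.effectiveness)


def chain_effectiveness(chain: List[Link]) -> int:
    """A chain is only as strong as its weakest link (simplifying assumption)."""
    return weakest_link(chain).effectiveness


def apply_plan(chain: List[Link], plan: Dict[str, int]) -> List[Link]:
    """Return a new chain with each named link raised by the planned points (capped at 100)."""
    return [
        replace(link, effectiveness=min(100, link.effectiveness + plan.get(link.name, 0)))
        for link in chain
    ]


def plan_gain(chain: List[Link], plan: Dict[str, int]) -> int:
    """Improvement in whole-system effectiveness produced by a plan."""
    return chain_effectiveness(apply_plan(chain, plan)) - chain_effectiveness(chain)


def focus_on_constraint(chain: List[Link], budget: int, step: int) -> Tuple[List[Link], List[str]]:
    """Spend the budget `step` points at a time, always on the current weakest link.

    Returns the resulting chain and the name of the link that was the
    constraint at each step. A change of name in that sequence is the point
    where a constraint was "broken" and a different link became the limit.
    """
    history: List[str] = []
    while budget >= step:
        constraint = weakest_link(chain)
        history.append(constraint.name)
        chain = apply_plan(chain, {constraint.name: step})
        budget -= step
    return chain, history


# Constructed sample scores for four control areas (not measured data).
SAMPLE_CHAIN = [
    Link("Access control", 55),
    Link("Logging and monitoring", 70),
    Link("Vulnerability management", 80),
    Link("Network segmentation", 90),
]

# Two plans spending the same 20 points of effort.
SPREAD_PLAN = {"Logging and monitoring": 10, "Vulnerability management": 10}
CONSTRAINT_PLAN = {"Access control": 20}


if __name__ == "__main__":
    print("constraint:", weakest_link(SAMPLE_CHAIN).name)
    print("gain from spreading effort over non-constraints:", plan_gain(SAMPLE_CHAIN, SPREAD_PLAN))
    print("gain from the same effort on the constraint:", plan_gain(SAMPLE_CHAIN, CONSTRAINT_PLAN))
    final, history = focus_on_constraint(SAMPLE_CHAIN, budget=40, step=5)
    print("constraint sequence:", " -> ".join(history))
    print("final effectiveness:", chain_effectiveness(final))
```

Two things in the output are worth noticing. Spending 20 points on the two non-constraint areas leaves system effectiveness unchanged, while the same 20 points on access control raise it by only 15, not 20, because at 70 the constraint moves to logging and monitoring: that is the "breaking the constraint" step from the text. The iterative run then alternates between the two weakest areas and never touches vulnerability management or network segmentation, which is exactly the focus the text argues scarce resources need.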