The Five Focusing Steps in Brief

  • The Theory of Constraints is based on the premise that the rate of goal achievement by a goal-oriented system (the system’s throughput) is limited by at least one constraint. So, you need to prioritize improvement activities. The top priority is always the current most significant constraint. The Five Focusing Steps offers a highly defined methodology for creating rapid improvement.

    Assuming the goal of a system is articulated and its measurements defined, the steps are:

    1. Identify the system’s constraint(s)
    2. Decide how to exploit the system’s constraint(s)
    3. Subordinate everything else to the above decision(s)
    4. Elevate the system’s constraint(s)
    5. Prevent inertia from becoming the constraint60

    The Five Focusing Steps are designed to help you discover constraints early, in order to minimize or eliminate them.

  • "To err is human, and so is trying to avoid correcting it."

    —Anonymous
  • The Five Focusing Steps

    1. Identify the system’s constraint.
      Identify the specific part of the process (for example, any process within your PCI security compliance environment) that constitutes its weakest link: a policy, procedure, resource or particular system component. Identify anything keeping you from meeting desired goals. Constraints can come from internal factors, such as lack of training or poorly designed processes, or from external factors, such as contractual obligations to third parties (vendors) or regulatory requirements.
    2. Decide how to exploit the system’s constraint.
      Determine how you can work with existing resources to reduce the impact of the constraint. For example, if the constraint is an overworked employee or team, redistribute assignments to get the work done. If a constraint is a poorly defined procedure, focus on redefining the procedure and train employees on its correct application. If the constraint is a needed feature in an IT system, optimize the current capabilities (see page 34 of the 2020 PSR, “The unknown resources buried in your ‘sandbox’”). Obtain as much capability as possible from a constraining component without undergoing expensive changes or upgrades.
    3. Subordinate and synchronize to the constraint.
      The previous step was about understanding the constraint itself; this step is about understanding everything around it. To let the constraint operate at maximum effectiveness, the parts of the process that are not constraints (nonconstraint components) must align with and support it. For example, if your security analysts can review only a fixed number of alerts per day, the analysts are the constraint on the security information and event management (SIEM) process. Feeding them more logs, or onboarding additional system components that add to the monitoring burden, does not remove that constraint; it only grows the backlog in front of it. The solution lies elsewhere: tune what reaches the analysts so their capacity is spent on alerts that matter, and gate new log sources to what the constraint can absorb. Once the nonconstraints are subordinated, evaluate the overall system to determine whether the constraint has shifted to another component. If your solution eliminated the constraint, skip to Step 5.
    4. Elevate the constraint.
      If the constraint still exists, make it a higher priority. Elevating the constraint means taking whatever action is necessary to eliminate it, for example hiring more people to add capacity in the area where the constraint exists. This step is considered only if Steps 2 and 3 are not successful, because it is where major changes to the existing system come in. Since elevation involves expenditure, consider whether the return on investment (ROI) justifies the expense.
    5. Repeat the process as needed.
      Start the process over to identify the next constraint, and avoid inertia (do not become complacent because the last constraint was resolved). Whenever a constraint is resolved in any step, return to Step 1, because the constraint has moved somewhere else. Repeating the cycle is what makes the improvement continual and keeps the work flowing toward the goal.
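As an added illustration (not code from the report), the five steps can be walked through numerically on the SIEM example above. A small pipeline model identifies the constraint by sensitivity rather than by looking for backlog, then measures what each decision does to goal throughput: exploiting the constraint with better suppression rules, failing to subordinate by onboarding more sources, and elevating by adding analyst capacity until the constraint moves out of the pipeline. The pipeline shape, capacities, alert volumes and the 2% actionable rate are assumptions chosen for the walk-through.

```python
"""Five Focusing Steps on a log-monitoring pipeline (constructed example).

Alerts flow collector -> SIEM -> analysts. A stage completes at most
`capacity` alerts per day, taken in arrival proportion (no prioritisation),
and may suppress a fraction of the *noise* it completes before passing the
rest on. The goal unit is an actionable alert triaged by an analyst, so the
system's throughput is the actionable alerts that leave the last stage.
Every capacity, volume and ratio below is hypothetical.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    capacity: float             # alerts/day the stage can complete
    noise_dropped: float = 0.0  # fraction of completed noise this stage suppresses


@dataclass(frozen=True)
class StageReport:
    name: str
    arrivals: float
    completed: float
    backlog: float              # alerts/day arriving that the stage cannot complete


def simulate(demand_total: float, demand_actionable: float,
             stages: Sequence[Stage]) -> Tuple[float, List[StageReport]]:
    """Return (actionable alerts triaged per day, per-stage report)."""
    actionable = float(demand_actionable)
    noise = float(demand_total - demand_actionable)
    report = []
    for s in stages:
        arrivals = actionable + noise
        completed = min(arrivals, s.capacity)
        share = completed / arrivals if arrivals else 0.0
        report.append(StageReport(s.name, arrivals, completed, arrivals - completed))
        actionable *= share                        # actionable work completed here
        noise *= share * (1.0 - s.noise_dropped)   # noise completed, minus what is suppressed
    return actionable, report


def identify_constraint(demand_total: float, demand_actionable: float,
                        stages: Sequence[Stage], bump: float = 0.01) -> Optional[str]:
    """Step 1: the stage whose extra capacity would raise goal throughput.

    A backlog alone does not mark the constraint: when several stages are
    saturated only the most restrictive one limits throughput. So each stage's
    capacity is nudged in turn and the one that moves throughput is kept.
    None means no internal stage limits throughput any more, i.e. the
    constraint has moved outside the pipeline (demand-limited).
    """
    base, _ = simulate(demand_total, demand_actionable, stages)
    best_name, best_gain = None, 0.0
    for i, s in enumerate(stages):
        trial = list(stages)
        trial[i] = replace(s, capacity=s.capacity * (1.0 + bump))
        gain = simulate(demand_total, demand_actionable, trial)[0] - base
        if gain > best_gain + 1e-9:
            best_name, best_gain = s.name, gain
    return best_name


# Hypothetical environment: 5,000 alerts/day of which 2% deserve an analyst's attention.
DEMAND_TOTAL, DEMAND_ACTIONABLE = 5000.0, 100.0
BASELINE = (
    Stage("collector", capacity=20000),
    Stage("siem", capacity=10000, noise_dropped=0.5),   # plain de-duplication only
    Stage("analysts", capacity=400),
)
# Step 2, exploit: better suppression rules in the SIEM that already exists, no new spend.
EXPLOITED = (BASELINE[0], replace(BASELINE[1], noise_dropped=0.9), BASELINE[2])
# Step 4, elevate: add analyst capacity, considered only after Steps 2 and 3.
ELEVATED = (EXPLOITED[0], EXPLOITED[1], replace(EXPLOITED[2], capacity=600))


def walk() -> dict:
    """Walk the five steps and return the measured effect of each decision."""
    out = {}
    out["constraint"] = identify_constraint(DEMAND_TOTAL, DEMAND_ACTIONABLE, BASELINE)
    out["baseline"], _ = simulate(DEMAND_TOTAL, DEMAND_ACTIONABLE, BASELINE)
    out["exploited"], rep = simulate(DEMAND_TOTAL, DEMAND_ACTIONABLE, EXPLOITED)
    out["exploited_backlog"] = rep[-1].backlog
    # Step 3, subordinate: onboarding 60% more sources without gating them to the
    # analysts' capacity grows the backlog at the constraint and adds no throughput.
    out["more_sources"], rep = simulate(DEMAND_TOTAL * 1.6, DEMAND_ACTIONABLE * 1.6, EXPLOITED)
    out["more_sources_backlog"] = rep[-1].backlog
    out["elevated"], _ = simulate(DEMAND_TOTAL, DEMAND_ACTIONABLE, ELEVATED)
    # Step 5: re-identify after elevating; None means the constraint has moved elsewhere.
    out["constraint_after"] = identify_constraint(DEMAND_TOTAL, DEMAND_ACTIONABLE, ELEVATED)
    return out


if __name__ == "__main__":
    for key, value in walk().items():
        print(f"{key:22} {value}")
```

With the assumed numbers the analysts are the constraint; tightening suppression quadruples the actionable alerts they triage without hiring; onboarding 60% more sources leaves that figure unchanged while the daily backlog at the analysts nearly triples; and after elevating their capacity no stage limits throughput, so Step 1 starts again with a constraint that now sits outside the pipeline.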
  • "I would rather discover a single causal connection than win the throne of Persia."61

    —Democritus
  • The Five Trees

    A problem can reoccur, like weeds in a garden, unless you dig down and eliminate the root. That’s much easier to do when you use a tool. These tools can be simple or complex, depending on how deep the root is or the complexity of the root system.

    The Logical Thinking Process (LTP) comprises five separate logic trees. Each has a specific purpose, designed to help organizational teams make better decisions. The LTP adheres to logical principles that apply to each step of the process.

    • Step 1: The Goal Tree
    • Step 2: The Current Reality (Problem) Tree
    • Step 3: Conflict Resolution (Evaporating Cloud) Diagram
    • Step 4: The Future Reality (Solution) Tree
    • Step 5: The Prerequisite (Implementation) Tree

     

    This is a very effective method for resolving complexity in security and compliance problems where many different factors contribute to visible problem indicators, and where the chain of cause and effect between deficiencies in the security control environment and their underlying causes often isn’t obvious. Even traditional root-cause analysis methods can lead teams to assume that something is the root cause of a problem when, in fact, it is not. The Five Trees approach instead works step by step from an ill-defined problem to a fully implementable solution.

  • Step 1: The Goal Tree—What is the goal?

    The Goal Tree is at the center of all five trees; it’s the navigational marker and fixed point of reference for all the other tools. It focuses on a specific goal that you aim to achieve for a particular data security and compliance control system, and what is necessary to get there.

    It starts with the goal statement: the vision, or what the Lean Six Sigma community calls “True North.” This first step is the central and most critical one, because it formulates the desired outcome that everything else serves. The goal can be set only by those who created the system or those responsible for steering the organization toward the goal its founders set.

    Step 1 does not start by analyzing problems. It requires defining where you want to be—the goal that you aim to achieve. Where do you want to be? What is the system’s goal, its ultimate destination? This is the clearest definition of the ultimate milestone to complete the mission for any particular PCI DSS objective, or the entire program. It’s the finish line, and there can be only one goal.

    Next, define what is necessary to get there—the goal is dependent upon critical success factors and a series of conditions necessary to achieve them. The visual representation with the goal at the top and its branching necessary conditions forms the Goal Tree.

    The Goal Tree is built upon logic and clearly establishes relationships, such as: “In order to have A, we absolutely need B.” A is the next (intermediate) objective and B the necessary condition. A cannot exist/be true/be achieved unless B exists/is true/is achieved. The concepts of necessary and sufficient conditions help us understand and explain the different kinds of connections between various PCI DSS security controls, their different states and how they relate to each other. They also help to explain the relationships between PCI DSS controls and other controls not included in the PCI DSS, in order to bring about the required control effectiveness and sustainability.

    When the Goal Tree is used to articulate what needs to be done and why (straightforward with a robust tree), it states what the circumstances impose, not merely someone’s opinion. It presents the path with clarity. There is no room for nice-to-haves, biases or whims.

    The Goal Tree gives input to the next tool in the Logical Thinking Process: the Current Reality Tree (CRT).

    Step 2: The Current Reality (Problem) Tree—What is the problem?

    This step helps you analyze why you are not reaching your data security and compliance goals. It assesses where you are in the process, and why there is a gap. Where are we, actually, and why is there a difference?

    To accomplish this step, list the problems. They are usually based on the critical success factors. The focus of Step 2 is on identifying all factors that contribute to problems—either individually or collectively. Continue this process until root causes are identified. Identify invalid assumptions that produce conflict. Assumptions can be called what they really are: opinions, theories, hypotheses, guesses and conjectures.

    The CRT is a way of analyzing many systems or organizational problems at once. By identifying root causes common to most or all of the problems, a CRT can significantly help focus improvement of the system. It depicts the current reality in a series of dependent, logical, cause-and-effect relationships, starting from undesirable effects (UDEs) down to one or a few critical root causes. A well-defined problem is more than half solved.

    With the CRT, you identify and evaluate the gaps between the Goal Tree requirements and the actual condition. Gaps lead to UDEs. These UDEs are the inputs for another tool: the Future Reality Tree (FRT) in which the undesirable effects are neutralized with “injections”: causes or conditions not yet existing and designed to turn UDEs into their opposites—desirable effects (DEs)—without bringing negative side effects.
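The necessity logic of the Goal Tree and its link to UDEs can be made executable, as an added example that is not part of the report. Each objective holds only if all of its necessary conditions hold; leaf conditions carry a verified state, with “not yet verified” kept distinct from “false” because an unverified condition cannot support a conclusion. UDEs are then computed as the critical success factors that do not hold, and the failing conditions beneath them are ranked by how many UDEs they sit under, which is the CRT’s starting point for root causes. The statements, tree shape and observed states are assumptions, and the model goes slightly beyond the text by letting one condition sit under several success factors, which is how a shared root cause surfaces.

```python
"""Goal Tree necessity logic and UDE derivation (constructed example).

A Goal Tree node holds only if every one of its necessary conditions holds
("in order to have A, we absolutely need B"). Leaves carry an observed,
verified state: True, False or None when nobody has checked. Undesirable
effects are the critical success factors (the goal's direct conditions) that
do not hold; the failing leaves beneath them are the candidate root causes a
Current Reality Tree would chase. Conditions may be shared between branches,
which is how one root cause surfaces under several UDEs. The PCI-flavoured
statements below are illustrative, not taken from any assessment.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    HOLDS = "holds"
    FAILS = "fails"
    UNVERIFIED = "unverified"


@dataclass
class Node:
    statement: str
    needs: List["Node"] = field(default_factory=list)  # necessary conditions
    observed: Optional[bool] = None  # leaves only; None means not yet verified


def status(node: Node, memo: Optional[Dict[int, Status]] = None) -> Status:
    """Necessity logic: a fail anywhere below fails the node; otherwise an
    unverified condition leaves it unverified; only all-verified-true holds."""
    memo = {} if memo is None else memo
    if id(node) in memo:
        return memo[id(node)]
    if not node.needs:
        result = (Status.UNVERIFIED if node.observed is None
                  else Status.HOLDS if node.observed else Status.FAILS)
    else:
        below = {status(n, memo) for n in node.needs}
        result = (Status.FAILS if Status.FAILS in below
                  else Status.UNVERIFIED if Status.UNVERIFIED in below
                  else Status.HOLDS)
    memo[id(node)] = result
    return result


def collect_leaves(node: Node, wanted: Optional[bool]) -> List[str]:
    """Leaf conditions under `node` whose observed state is `wanted`, deduplicated."""
    found: Dict[str, None] = {}
    stack = [node]
    while stack:
        n = stack.pop()
        if n.needs:
            stack.extend(n.needs)
        elif n.observed is wanted:
            found[n.statement] = None
    return sorted(found)


def undesirable_effects(goal: Node) -> Dict[str, dict]:
    """UDEs: critical success factors that do not hold, with the verified-false
    leaves that cause the deviation and the leaves nobody has verified."""
    out = {}
    for csf in goal.needs:
        s = status(csf)
        if s is Status.HOLDS:
            continue
        out[csf.statement] = {"status": s,
                              "failing": collect_leaves(csf, False),
                              "unverified": collect_leaves(csf, None)}
    return out


def root_cause_ranking(goal: Node) -> List[Tuple[str, int]]:
    """Failing conditions ordered by how many UDEs they sit beneath; a condition
    shared by several UDEs is the first root-cause candidate to test."""
    counts: Dict[str, int] = {}
    for ude in undesirable_effects(goal).values():
        for leaf in ude["failing"]:
            counts[leaf] = counts.get(leaf, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def build_example(inventory_complete: bool = False) -> Node:
    """A small Goal Tree for a cardholder data environment (hypothetical statements)."""
    inventory = Node("Asset inventory of all system components is complete", observed=inventory_complete)
    scope = Node("CDE scope is accurate", needs=[
        inventory, Node("Account data flows are documented", observed=True)])
    stored = Node("Stored account data is protected", needs=[
        inventory, Node("Encryption keys are rotated on schedule", observed=True)])
    logging = Node("All in-scope systems forward logs to the SIEM", needs=[
        inventory, Node("Log forwarding verified on every host", observed=None)])
    detect = Node("Security events are detected and responded to", needs=[
        logging, Node("Alerts are triaged within SLA", observed=True)])
    return Node("Account data is protected and PCI DSS compliance is sustained",
                needs=[scope, stored, detect])


if __name__ == "__main__":
    goal = build_example()
    print("goal:", status(goal).value)
    for csf, detail in undesirable_effects(goal).items():
        print(f"UDE: {csf} ({detail['status'].value}); failing={detail['failing']}; "
              f"unverified={detail['unverified']}")
    print("root-cause ranking:", root_cause_ranking(goal))
```

In the assumed tree the incomplete asset inventory appears beneath all three success factors, so the three UDEs share one root cause; once that condition is verified true, the only remaining deviation is an unverified condition, which the tool reports as such rather than silently treating it as met.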

    Step 3: The Conflict Resolution (Evaporating Cloud) Diagram —Which assumptions are invalid?

    Apply the Conflict Resolution Diagram (CRD) to develop simple breakthrough ideas and solutions. The CRD is also called the Evaporating Cloud (EC), named in honor of Richard Bach’s 1977 book Illusions, in which the main characters remove storm clouds from the sky by thinking them away.62 It’s specifically used to structure and solve underlying conflicts. Conflicts usually are based on false assumptions, and the Conflict Resolution Diagram helps bring to the surface and evaporate the conflict. It dissolves dilemmas or conflicts between opposing objectives or conditions, different alternatives and hidden agendas (the three primary types of conflict). It identifies the exact assumptions behind the logical connections. What prevents us from curing the problem now, and how do we overcome it? 

    The CRD exposes deeply hidden root causes that must change. It lists the exact assumptions behind the logical connections, and each assumption is then tested: is it factually true, and does it really lead to the requirement it is supposed to support? Injections are ideas that solve conflicts: a solution that fulfills all requirements and invalidates the conflict. Distinguish between needs (necessities) and wants (wishes). Then you are a step closer to the solution.

    Step 4: The Future Reality (Solution) Tree —What can we expect if a fix to the problem is applied?

    While a well-defined problem may be half solved, a huge leap forward is still needed to transform a solution into reality. This tree is a visualization of a desired future state that allows mapping out future expectations. It helps to break current-reality problems or core conflicts by introducing new ideas, or injections. Introducing them changes the undesirable outcomes of current reality into the desirable outcomes of future reality. Where the CRT answers “What to change?”, the FRT answers “What to change to?” It is a way to confirm that your planned solution will actually work.

    The Future Reality Tree is the tool of choice for gaining understanding and agreement that your solution accounts for all of the undesirable effects you currently experience and have captured in your Current Reality Tree. While the Future Reality Tree depicts a could-be future, it does not give all the answers about how to get there. “Injections” are the proposed actions to break the current-reality problems or core conflicts, and you need to determine whether they really lead to a workable solution.

    Building a future reality is also about setting the right priorities. Map out what steps have to be achieved and precisely how they can reach that goal. Verify that the proposed solution will actually solve the problems. Identify negative effects—the unintended consequences and side effects that might be caused by the solution. 

    Step 5: The Prerequisite (Implementation) Tree—How can the solution be executed?

    Orchestrating a major system change involves accomplishing a lot of individual tasks. This tree provides a clear definition of what needs to be done, in what sequence, and what must be done in parallel to execute the solution. The Prerequisite Tree allows you to overcome the obstacles that stop you from implementing and executing your plan.

    Define the individual steps by constructing a step-by-step implementation plan, and describe how obstacles will be handled. Some injections require a detailed implementation plan of their own, and the Prerequisite Tree can serve as the skeleton of a project plan. It is composed of two elements: obstacles and intermediate objectives. An obstacle is anything that stands between you and an injection, for example stakeholders’ objections to the solutions found with the Future Reality Tree and Evaporating Cloud. An intermediate objective is the condition you must bring about to overcome or bypass that obstacle before implementation can proceed. Every obstacle is neutralized or bypassed with intermediate objectives: smaller, sequenced steps and conditions that must be fulfilled. These objectives set the intermediate goals that move the organization toward its overall goal.

    For more information, see Systems Thinking and Other Dangerous Habits by H. William Dettmer, page 221, and From Symptoms to Causes: Applying the Logical Thinking Process to an Everyday Problem by Thorsteinn Siglaugsson.63

    The application of the Five Trees

    With this method, a security team can focus on getting rid of everything that is not crucial and distinguish between needs and wants. It directs the focus toward important problems and away from those that really don’t have to be solved. In summary, this method can help you:

    • Clarify your goals and their requirements and gain clarity about objectives
    • Determine the critical success factors branching out beneath the goals (three to five for each goal)
    • Outline the variables and conditions needed for the system to achieve the goals
    • Identify the necessary conditions for each critical success factor

    This will become increasingly important for organizations opting to follow the PCI DSS v4.0 customized control approach and ongoing assessment validation.

    The Logical Thinking Process and GRC²

    The benefits of applying the LTP to GRC² are extensive. They include communicating effectively, leading actively, empowering employees and creating an environment of continuous improvement, so organizations can keep PCI security compliance performance from stagnating or regressing. Once this method is integrated into the security management system, it’s part of your continuous improvement activities. It vastly improves the chances of successfully sustaining improvements and enables your organization to look regularly for new and better ways to accomplish objectives and reach goals. 

    Other key strengths of this approach when applied to GRC² are:

    Visibility and structure

    This includes clear, prioritized and achievable goals. The LTP approach provides a detailed visual presentation, enabling potential flaws in the security and compliance process to be identified immediately when the analysis is presented to a wider audience. The analysis of each stage links directly into the next one, which provides a coherent, seamless framework. It makes it possible to present highly complex problems and solutions in an easy-to-understand manner.

  • A note on problems vs undesirable effects

    Data security and compliance problems come in all shapes and sizes. They can manifest at any time during the control life cycle (see 2016 PSR),64 such as planning and design, implementation, monitoring, and evolution. Some problems are within your control, others aren’t. There’s seldom a single cause behind an undesirable effect (UDE), but a surprising proportion of UDEs have the same root cause. UDEs can only be eliminated by removing the root causes. As long as a cause remains, the UDE it creates won’t be eliminated.

    The LTP approaches this by first applying the terminology of “undesirable effects” and avoiding the word “problems” altogether. A UDE is a deviation from any critical success factor, as determined by your Goal Tree. In essence, this means that a UDE is just one way in which current reality differs from your ideal reality. Often, what we call problems are not really the true problems; they are consequences of underlying causes, which are the real problems.

    Defining UDEs as deviations from your Goal Tree means that they aren’t subjective. They have nothing to do with what you should want or what other people may think is best. You built the Goal Tree, and that’s what determines your UDE. So, in a very real way, you choose your undesirable effects in the process of choosing your goals. Ultimately, all of this is within your control.

    In this way, the LTP makes difficult problems easier to address, especially when they involve other people, by depersonalizing them. It avoids apportioning blame and focuses on the chain of events that results in the UDE. “Undesirable effect” is therefore a useful term because it focuses attention on the system that produced the effect and on its objective analysis.

  • Clarity and quality of communication

    Precision improves communication, lowering the probability for misunderstanding. In addition to sound cause-and-effect relationships, precision requires verification of statements and conditions. “Clarity is the cornerstone of every step of the LTP. The first question to always ask is not only if our statements are true, but also if they are clear. There are no buts and maybes. All conclusions are based on sound logic and all explanations must be sufficiently verified.”65 This process facilitates the enhanced thinking and learning skills of participating individuals, enabling them to handle conflicts with more confidence, correct behaviors that have undesirable consequences and assist in evaluating conditions for achieving desired outcomes.

    Improved decision-making

    The CISO, steering committee and other participants can make better informed decisions about the planning and execution of the security and compliance strategy and program.

    The LTP also benefits decisions relating to each of the other elements in The Security Management Canvas, including the security business model and security operating model.

    A foundation for continuous improvements

    The LTP provides a structure for continuing advancement. Participants can develop a deeper sense of responsibility for their own actions, through understanding the goals, requirements, constraints and consequences of actions. It also exposes additional capacity without further investment and can enable the security organization to optimize current resources and capacity, rather than spend additional money.

    Requirements analysis

    The LTP can vastly improve the quality of the requirements analysis by providing clarity and sound reasoning at all stages of the processes, as well as a structured method to formulate projects and strategy.

    Refined understanding of constraints 

    A refined understanding of constraints focuses improvements on areas of greatest impact in the control environment. The determination (analysis, evaluation and documented articulation) of constraints on the security compliance requirements (objectives) makes it easier to find what is slowing down the advancement of the entire control environment. Mapping out goals, requirements and constraints in the Five Trees presents a holistic view of the control environment. The continuous search for constraints gives the security team better control over the overall security and compliance process.