The 7 Constraints of Organizational Proficiency
(the 7 Cs)

The ongoing identification and management of constraints—factors standing in the way of positive change—is a very important activity for the management and improvement of any PCI security program performance.

The table below presents a categorized list of primary constraints. These are common constraints preventing organizations from developing the process and capability maturities needed to achieve a sustainable and effective control environment that operates with consistent performance and predictable outputs. It’s certainly not an exhaustive list, but rather a useful frame or “mental model” that can facilitate categorization of limitations and restrictions within the control environment. 

Application of the Logical Thinking Process

Many organizations are making substantial progress in advancing the maturity of their security and compliance capabilities. Many others need to ramp up their engine speed and make significant adjustments to the management of their compliance program.

In some cases, this requires substantial changes and the adoption of methods entirely new to the organization. Which is why we are dedicating this section to the Logical Thinking Process method, a very strong framework that can help you improve every aspect of data security and compliance and support better decision-making to achieve goals.

Organizations suffer poor performance in compliance environments because they don’t have clearly defined outcomes for their data security and compliance programs. Security teams often think they know what they want to accomplish, but in reality, they are unclear about what, specifically, constitutes the end states of their strategy and program. They don’t know which components to optimize and prioritize. When CISOs and their teams are unclear about priorities—what truly matters and requires focus—they sometimes fail to progress out of fear of making the wrong choices. But choices must be made.

These challenges are directly related to the goal. The importance of formulating a clear goal statement for PCI security compliance is reviewed on page 86. The achievement of that goal needs to happen by design, no matter how you define your goal or craft your mission statement. For example: “To develop, maintain and continuously improve a mature control environment that offers reasonable assurance for the effective, ongoing protection of payment card data, in a consistent, predictable and sustainable manner.” The importance of applying a method cannot be overstated. You need a method that enables you to identify, define and pursue the objectives toward your goal. You need clarity about the requirements—the conditions that need to be in place—for each objective. You also need to address and remove constraints.

How you, your team and your organization progress toward the achievement of your security and compliance goal matters—a lot. You need a proven approach that provides assurance and confidence for success: a process that identifies the roots of the undesirable effects and exposes faulty assumptions related to the root causes of poor security and compliance performance. 

As mentioned on page 33, the real challenge is not achieving your security and compliance goal. It’s whether you and your organization are willing to accept and commit to the investment of resources and the planning, execution and follow-through required to achieve that goal. 

Most organizations are financially restricted and need to achieve the goal with the available resources. The Logical Thinking Process does all of this in a practical, visual way that is easy to understand.

The real challenge is not the achievement of your security and compliance goal. It’s whether you and your organization are willing to accept and commit to the investment of resources and the planning, execution and follow-through required to achieve that goal. 

Origins of the Logical Thinking Process

The LTP is a framework based on the Theory of Constraints processes developed by Dr. Goldratt, who was introduced on page 9. This method was later enhanced by H. William Dettmer, author of The Logical Thinking Process: A Systems Approach to Complex Problem Solving. It’s a method designed to take poorly defined problems and slowly but surely move them toward a solution. This meticulous process breaks down components of a systemic problem to clearly define the nature of the problem. The investment of time helps to correct the systemic problem and avoid ongoing poor performance that previously resulted in a massive waste of time and capital.

The LTP enhances collaboration and improves communication. It helps you structure ideas and analysis. It visually displays the links between cause and effect in an easily comprehendible format. The LTP also makes it much easier to refine elements and spot design flaws. Decisions are far too often based on wrong assumptions that do not reflect reality, which can be harmful. Often those assumptions are tacit—we don’t realize we make them, or fail to understand the negative impact they have on decision-making and system design. 

The LTP comprises five steps, based on necessity or sufficiency reasoning, to help improve your decision-making. 

“Inside every small problem is a larger problem struggling to get out.”⁵⁷

—The Schainker Converse to Hoare’s Law of Large Problems

What exactly are the thinking processes?

The thinking processes are a set of tools that provide decision support for initiating and implementing a task or project. When used in a logical flow, they help walk you through a buy-in process to:

• Gain agreement on the problem
• Gain agreement on the direction for a solution
• Gain agreement that the solution solves the problem
• Agree to overcome any potential negative ramifications
• Agree to overcome any obstacles to implementation

The process of change requires the identification and acceptance of core issues, the goal and the means to the goal. This comprehensive set of logical tools can be used for exploration, solution development and solution implementation for individuals, groups or organizations.⁵⁸

You can anticipate constraints in existing processes, and you can also plan for them while designing a product, process or service.

⁵⁶ 2019 Payment Security Report. Verizon, 2019, https://enterprise.verizon.com/en-au/resources/reports/payment-security/

⁵⁷ Arthur Bloch, “Murphy’s Law: The 26th Anniversary Edition,” Penguin Group, 2003.

⁵⁸ “Theory of constraints,” Wikipedia, https://en.wikipedia.org/wiki/Theory_of_constraints#The_five_focusing_steps

⁵⁹ H. William Dettmer, “Systems Thinking – And Other Dangerous Habits,” Virtualbookworm.com Publishing, 2021,