Wednesday, February 20, 2013

The Congruence Model for Security

Congruence-based problem solving, drawn from the management literature (Tushman & O'Reilly), is a method for quickly and accurately identifying the root causes of performance or opportunity gaps. In the context of security architecture, the congruence model can be applied to building comprehensive security assessments for an organization. The model emphasizes analysis of the relationships among four core components of an organization (shown in the graphic below), also called the building blocks; the alignment between these blocks is the focus of congruent security architecture techniques. The goal is to use the relationships and interactions between those core components to reveal the organization's underlying security posture.

Each congruence relation is important in forming organizational diagnoses that help us understand the current state of security in the enterprise and the causes of its vulnerabilities. Analyzing these relations also tends to define the political map and how the players navigate it, and it helps identify organizational behaviors that are helpful, neutral or detrimental to the security architecture initiative.

Analyzing the following three alignments using an appropriate "congruence questionnaire" is crucial to determining the security posture of the enterprise.

The Task and People Congruence Relation:
  1. Do people have the required competencies to perform the critical tasks that ensure safety of data and process?
  2. To what extent do the skills, abilities and motives of today’s human resources fit with security planning, architecture formulation and implementation requirements?
Identification goals: task-human resource inconsistencies that inhibit the ability to execute on security strategy.

The Task and Formal Organization Relation:
  1. Do the formal linking mechanisms between units facilitate security task integration, security team building and agility from a product delivery perspective?
  2. Is there a company-wide vision for security and a strategy for addressing regulations, audits and security breaches?
Identification goals: task-structure inconsistencies that inhibit necessary integration among SBUs, needed to deliver a comprehensive security solution.

The Task and Culture Relation:
  1. Does the existing culture energize the accomplishment of critical tasks?
  2. Does the informal communication network and informal distribution of power help get the work done?
  3. Is there a reluctance to take action? Is there reliance on being told what to do?
Identification goals: culture-task inconsistencies that drag performance down and inhibit consensus on security goals.

This due-diligence analysis can help identify the need for managers and their teams to realign the formal structures, people processes and cultural aspects of their organization with the critical tasks necessary to achieve the overall security vision. Managers and their teams should learn from this process, and even re-initiate the process iteratively within their own SBUs if necessary.

Next month, I will be attending IBM Pulse 2013 in Las Vegas, the industry-leading conference on Security Intelligence. Prolifics will exhibit in the solution showcase and host a number of sessions throughout the conference.

Javed Shah is a Practice Director for Security at Prolifics with more than 12 years' experience in identity and access management architectures. He has broad experience developing identity and access management solutions, and system software components that deliver reliable data security, web enablement and user lifecycle management services to customers. Before joining Prolifics, Javed founded and ran a professional services company in India for 6 years. Over more than a decade, Javed has led identity management projects to successful completion at Nestle, University of California San Francisco, Kaiser Permanente, ABM Industries, BRE Properties, UPS, Tampa General Hospital and E*TRADE Bank. He was also the leader of the ITIM Level 3 defect resolution and analysis team in India, where he was responsible for handling all customer defects for North America and Asia. Javed holds a Bachelor’s degree in Computer Science, a Certificate in Implementing and Managing an Enterprise Architecture using the Zachman Framework, and the CISSP certification. He is also currently pursuing an MBA at the Haas School of Business, University of California Berkeley.