From the management literature (Tushman & O’Reilly), congruence-based problem solving is a method to quickly and accurately identify the root cause of performance or opportunity gaps. In the context of security architecture, the congruence model can be applied to creating comprehensive security assessments for an organization. The model emphasizes analysis of the relationships among four core components of an organization (shown in the graphic below), also called the building blocks, whose alignment relationships are the focus of congruent security architecture techniques. The goal is to leverage the relationships and interactions between those core components to reveal the underlying security posture of an organization. Each congruence relation is important in forming organizational diagnoses that help us understand the current state of security in the enterprise and the causes of its vulnerabilities. Analyzing these relations tends to define the political map and how the players tend to navigate it. It helps identify organizational behaviors that are helpful, neutral or detrimental to the security architecture initiative. Analyzing the following three alignments using an appropriate “congruence questionnaire” is crucial to determining the security posture of the enterprise.
The Task and People Congruence Relation:
- Do people have the required competencies to perform the critical tasks that ensure safety of data and process?
- To what extent do the skills, abilities and motives of today’s human resources fit with security planning, architecture formulation and implementation requirements?
Identification goals: task-human resource inconsistencies that inhibit the ability to execute on security strategy.
The Task and Formal Organization Relation:
- Do the formal linking mechanisms between units facilitate security task integration, security team building and agility from a product delivery perspective?
- Is there a company-wide vision for security and a strategy for addressing regulations, audit and security breaches?
Identification goals: task-structure inconsistencies that inhibit necessary integration among SBUs, needed to deliver a comprehensive security solution.
The Task and Culture Relation:
- Does the existing culture energize the accomplishment of critical tasks?
- Does the informal communication network and informal distribution of power help get the work done?
- Is there a reluctance to take action? Is there reliance on being told what to do?
Identification goals: culture-task inconsistencies that drag performance down and inhibit consensus on security goals.
This due-diligence analysis can help identify the need for managers and their teams to realign the formal structures, people processes and cultural aspects of their organization with the critical tasks necessary to achieve the overall security vision. Managers and their teams should learn from this process, and even re-initiate the process iteratively within their own SBUs if necessary.

http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/institute_for_advanced_security/archive/2013/05/14/the-congruence-model-for-security.aspx