Security Compliance Fit
Understanding 3 worlds to get Security Compliance Fit

Similar to Product-Market Fit, I have coined the term “Security Compliance Fit” (SCF).
To understand this concept, we must first understand the worlds involved. Drawing an analogy from Karl Popper’s “Three Worlds” theory, I believe that information security also consists of three distinct worlds:
World 1 – People
Knowledge of consciousness, emotions, feelings, pain, love, and rationality.
World 2 – Technology & Business
Knowledge of technology and its evolution, trends, market conditions, and purchasing behaviors. Business and domain expertise also fall under this category.
World 3 – Security Knowledge
Understanding threats, risks, vulnerabilities, threat modeling, regulatory requirements, and legal considerations.
When performing security-related tasks—whether legal or technical—you interact with all three worlds. Without a solid grasp of these worlds, it is impossible to do an effective job.
If you do not understand people, you may come across as rude.
If you do not understand business, you might believe security is the most important aspect, disregarding business priorities.
If you do not understand technology, you will struggle to protect the business from security threats.
If you lack security knowledge, you will be unable to safeguard the business from legal risks, threats, and vulnerabilities.
Security Compliance Fit (SCF)
SCF refers to achieving a perfect balance across these three worlds. Take Governance, Risk, and Compliance (GRC) professionals as an example—many struggle to connect with security experts because they lack a deep understanding of technology. They often create policies and expect others to follow them, primarily driven by customer demands and regulatory frameworks.
The challenge with regulatory frameworks is that they are not a one-size-fits-all solution. This is one of the downsides of standardization—it limits freedom and flexibility, potentially hindering innovation.
Businesses seek certifications and compliance with standards to expand their market presence and build customer trust. The business market and regulatory requirements set expectations and define the roadmap for securing the enterprise. In the end, we have no choice but to align with market demands.