According to the U.K.'s National Cyber Security Centre (NCSC), "Maturity models can help to distinguish between organizations in which security is baked in and those in which it is merely bolted on." This in itself is a valuable exercise. But the GCHQ-backed intelligence agency adds that, while useful for assessing against past performance over time, they can't and shouldn't be used to compare against third-party organizations. That's because it's impossible to know the specific contextual factors that impact individual corporate maturity scores.
So why should security and business leaders care about maturity modeling? It's all about generating visibility and insight into what stage of development your organization is currently at and where it could be doing better. The maturity model provides a framework for making objective assessments across the most important domains and identifies what's needed to improve. This information can also feed executive dashboards that display the current risk posture, and it can serve as the basis for future investment decisions.
Within this model, even organizations that reach the top maturity level are on a continuous cycle of monitoring, evaluation and improvement.
Companies often don't know how mature their cyber security posture is until it's too late. Everything seems to be working just fine until it isn't. This partly explains the long and checkered history of big-name brands succumbing to security breaches. These incidents might otherwise have been foiled had the victim organizations benefited from the insights generated by an effective process maturity model.