This standard is not about security per se, says Paul Proctor, VP, distinguished analyst and the role service director for risk management, Gartner Research. "There is no connection between the shifting threat landscape and maturing models. Are you doing the basic blocking and tackling? Rather than a framework of control, it's a measurement regime."
Maturity models are becoming a big thing; ultimately they measure how well you do something, he says. "Where you are not doing something well, you have more risk, and where you are doing it well, you have less risk."
He gives security incident response as an example. Measuring the number of incidents doesn't really help. If you're good, the number doesn't matter, and if you're not good, the number also doesn't matter. The risk is attached to the ability to handle the issue, not the numbers involved.
"The reality is organizations don't have the ability to determine how good or bad they are in security ... and a maturity model is a good way to do that. This is transparency so you can make some good decisions so you can get better."