In information security, we have been focused for the past decade or so on making the necessary components of an organization work together to enable security. Scatter-shot approaches to information security are common: as services are added, functionality is expanded, or security incidents occur, a reactionary period follows, security band-aids are applied to deal with the issue at hand, and then the organization lurches on to the next security problem. But if an organization's security maturity is at the level of fighting daily fires (continuously responding to incidents) rather than having working enterprise, issue-specific, and system-specific security policies, incident, disaster, and business continuity response plans, and the associated operational controls, a modern information-oriented organization will likely find it difficult to function and succeed.
As Maslow's hierarchy of needs does for individuals, an information security maturity model illustrates the security needs of an organization. It provides a frame of reference to gauge the current situation and to plan the move beyond day-to-day security subsistence toward forward-looking security resilience and preparedness for the incidents that do arise. Without the functionality implemented at the lower levels, an organization is distracted by trying to satisfy the needs of its current level. Depending on the degree of that distraction, the organization will be unable to operate at its full capability, to produce its intended value, and to reap the rewards of success.
Three things are necessary to enable information security maturity: people, process, and technology.
For more background, see Bruce Schneier's blog on these components: people, process, and technology.