The more mature security and IT governance processes are, the more applicable security practices and technology are to the business. The Carnegie Mellon Capability Maturity Model (CMM) defines expectations of processes and capabilities for each level within the area of evaluation. At each higher level, SSE-CMM becomes less about a specific security attribute and more about the role of security within the organization. To achieve the next level in a capability maturity model it typically requires significant increases in investment in the development of advanced processes.”]
Source: https://www.csoonline.com/article/2136346/measuring-it-and-security-for-maturity.html