The NIST Cybersecurity Framework – Digital Value Management System®

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The NIST Cybersecurity Framework (CSF) and the Digital Value Management System™ (DVMS) form a comprehensive approach that empowers organizations—regardless of size, scale, or complexity—to build a holistic, adaptive system for Digital Business Governance, Operational Resilience, and Performance Assurance.

The strength of this dual approach lies in its capacity to unify strategic direction, risk management, cybersecurity, and continuous improvement into a coherent, systems-based model that is scalable and adaptable to the realities of modern digital enterprises.

The NIST CSF provides a structured foundation for managing cybersecurity risk. It defines six core functions—Govern, Identify, Protect, Detect, Respond, and Recover—that serve as pillars for improving an organization’s cybersecurity posture. However, the NIST CSF is not a how-to guide; it outlines what needs to be done but leaves much of the implementation detail open to interpretation. This is where the DVMS enters the picture. The DVMS acts as a systems model overlay, bringing to life the conceptual power of the NIST CSF by operationalizing its components through governance, cultural integration, and organizational capability development.

At the heart of DVMS is a shift in mindset from viewing cybersecurity as a technical or departmental issue to embracing it as a core organizational responsibility tied directly to business value. This shift is encapsulated in the concept of “strategy-risk”—the idea that strategy and risk are not separate functions but interwoven aspects of a unified objective: to create, protect, and deliver digital business value. By combining strategy and risk into a single concept, the DVMS helps organizations frame cybersecurity within the broader context of enterprise risk management and strategic governance. The result is an adaptive capability that evolves alongside internal changes and external threats, thereby fostering operational resilience.

The DVMS overlay system is composed of multiple interconnected models and layers, including the CPD Model (Create, Protect, Deliver), the Z-X Model (seven minimal viable capabilities: govern, assure, plan, design, change, execute, innovate), and the 3D Knowledge Model (team knowledge, collaboration, strategic alignment). These models work in concert to help organizations identify gaps in capability, define priorities for action, and implement processes that drive both performance and resilience. By using these layered models, organizations can better understand how value is created, where it is at risk, and how to close the gaps between current and desired states of performance and protection.

Another key element of the DVMS is its support for cultural transformation. Cyber resilience is not solely the result of technological controls; it is equally dependent on organizational culture. The DVMS guides organizations to foster a questioning culture where employees at all levels are empowered to think critically, ask better questions, and contribute to the shared mission of resilience. This is achieved through tools such as the Goal-Question-Metric (GQM) and the adapted QO-QM (Question-Outcome–Question-Metric) frameworks, which help align operational efforts with strategic outcomes and ensure that every action contributes to meaningful, measurable improvements.

Notably, the DVMS and NIST CSF are designed to be adaptable. The DVMS is not prescriptive; it recognizes that every organization has a unique structure, history, and capability baseline. As such, it introduces the idea of an overlay—an adaptable layer that sits on top of what an organization already does. It leverages existing frameworks, methods, and processes, enhancing rather than replacing them. This overlay provides a practical roadmap for organizations to initiate, stabilize, expand, and ultimately innovate their cybersecurity and digital governance practices.

The DVMS FastTrack model supports phased implementation, allowing organizations to begin where they are and grow over time. Early stages focus on basic hygiene and capability stabilization, while later stages introduce more sophisticated measures, such as proactive threat modeling and continuous improvement cycles. This staged approach ensures that organizations build resilience iteratively, avoiding the common pitfall of over-engineering solutions that are not sustainable.

Ultimately, the combined power of the NIST CSF and DVMS provides a dynamic system for governance and assurance that is deeply integrated into the operational fabric of the organization. It equips leaders with the tools to make informed decisions based on a clear understanding of business systems, stakeholder value, and risk tolerance. It supports cross-functional collaboration and breaks down silos by embedding cybersecurity responsibilities across all functions. It also promotes a culture of accountability and continuous learning, which is essential to maintaining performance in an increasingly complex and volatile digital landscape.

By treating value creation and protection as two sides of the same coin, the NIST CSF and DVMS enable organizations to thrive in a world of digital chaos. They transform cybersecurity from a defensive posture into a strategic capability that supports innovation, ensures compliance, enhances trust, and ultimately delivers long-term value to stakeholders. In doing so, they lay the foundation for a resilient, high-performance digital enterprise that can adapt, respond, and grow in the face of uncertainty.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

DVMS Institute is a renowned provider of accredited certified training programs that teach organizations of any size how to build a holistic overlay approach to cyber resilience through an adaptive culture trained to identify, classify, and mitigate cyber risks.

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

® DVMS Institute 2024 All Rights Reserved

 
