Aligning Cybersecurity and Privacy Goals Using A NIST Cybersecurity Framework /NIST Privacy Framework Digital Value Management System

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The growing complexity of digital operations, the relentless evolution of cyber threats, and the intensifying focus on data privacy have made it essential for organizations to adopt integrated strategies that align cybersecurity and privacy goals. In this context, the NIST Cybersecurity Framework (CSF), the NIST Privacy Framework (PF), and the Digital Value Management System (DVMS) do not exist as separate instruments but function most effectively as an interconnected system. Together, they form a comprehensive, enterprise-wide approach that enables organizations to create, protect, and deliver digital business value while meeting the dual mandates of cybersecurity and privacy. By embedding the NIST CSF and PF within the DVMS overlay, organizations can develop a dynamic, adaptive capability that ensures operational resilience, regulatory compliance, and stakeholder trust.

Like its cybersecurity counterpart, the NIST Privacy Framework is designed as a flexible and outcome-focused guide. It helps organizations identify and manage privacy risks to individuals from data processing activities. The framework consists of five core functions—Identify, Govern, Control, Communicate, and Protect—that provide a structure for understanding and managing privacy risks throughout the data lifecycle. It is aligned in design philosophy with the CSF and was developed to facilitate integration. Where the CSF focuses on safeguarding systems, networks, and assets from unauthorized access and harm, the Privacy Framework is oriented toward protecting individuals from the unintended consequences of data processing. These two lenses are not contradictory but deeply complementary: cybersecurity protects the integrity and confidentiality of data, while privacy governance ensures that data is used lawfully, ethically, and with respect for individual rights.

The intersection between cybersecurity and privacy becomes especially critical when viewed through the lens of digital business value. In today’s environment, data is a core strategic asset. Whether it’s a consumer’s biometric profile or an enterprise’s intellectual property, the value of this data is contingent upon its availability, accuracy, confidentiality, and trustworthiness. This is where the Digital Value Management System provides a transformative perspective. The DVMS is a systems-based overlay that supports the Create, Protect, and Deliver (CPD) Model of digital value. It recognizes that protecting data—and, by extension, digital value—requires integrating cybersecurity and privacy as co-dependent rather than separate domains.

By integrating both NIST frameworks within the DVMS, organizations can align cybersecurity and privacy functions with their strategic and operational goals. The DVMS structure includes seven Minimum Viable Capabilities (MVCs): Govern, Assure, Plan, Design, Change, Execute, and Innovate. Each of these capabilities is a management domain that can be mapped to CSF and PF outcomes. For example, the “Govern” capability provides direction and oversight mechanisms to establish enterprise-wide policies encompassing cybersecurity and privacy objectives. This includes defining roles, responsibilities, regulatory obligations, acceptable risk tolerances, and cultural expectations. Through this lens, the NIST PF’s Govern function and the CSF’s Govern function are harmonized under a single organizational capability, providing clarity and coherence across disciplines.

Privacy and cybersecurity controls often overlap but do not always align by default. A firewall can block a cyber threat but not ensure lawful data usage. Conversely, consent management may fulfill a privacy requirement while offering no defense against data breaches. The DVMS resolves these potential conflicts by enforcing systems thinking and cross-functional integration. For instance, within the Design and Plan capabilities of the DVMS, organizations can architect technical and procedural safeguards that reflect both privacy-by-design and security-by-design principles. This holistic planning reduces friction, eliminates redundancy, and ensures that the controls implemented serve both protective purposes—ensuring lawful use and preserving security.

The Assure capability within the DVMS is vital to aligning CSF and PF outcomes. This capability focuses on performance monitoring, audits, assurance reporting, and validation of control effectiveness. From a cybersecurity perspective, this involves validating intrusion detection systems or vulnerability patching. From a privacy standpoint, this may include data protection impact assessments, breach notification testing, or adherence to consent tracking protocols. Integrating these functions into a single assurance domain ensures that governance bodies and external stakeholders receive a unified view of organizational risk and assurance, strengthening accountability and transparency.

Communication is a central pillar of the NIST Privacy Framework and aligns seamlessly with the DVMS’s focus on organizational culture and stakeholder engagement. The PF emphasizes clear and effective communication of privacy practices, risk decisions, and individual rights—both internally and externally. The DVMS reinforces this emphasis through the “Execute” and “Govern” capabilities, which promote bidirectional communication between leadership, operations, and external stakeholders. This is essential for legal compliance (e.g., informing users about data use) and fostering trust in digital relationships. Combined with the NIST CSF’s emphasis on internal risk communication and incident response coordination, the result is a culture of transparency that enhances organizational credibility in the eyes of regulators, partners, and customers.

An additional dimension of integrating the NIST CSF, NIST PF, and DVMS is its value in handling supply chain and third-party risks. Many privacy and cybersecurity incidents originate not from an organization’s own systems but through vendors, partners, or cloud service providers. The NIST CSF 2.0 has expanded its focus on supply chain risk management, and the Privacy Framework also requires organizations to consider how vendors process data on their behalf. Within the DVMS, this complexity is addressed through structured planning (Plan), clear governance policies (Govern), and well-defined execution mechanisms (Execute) that ensure third parties meet the same cybersecurity and privacy standards as internal teams. This systemic approach ensures that digital trust is extended, monitored, and enforced across the entire value chain.

Innovation, the final DVMS capability, ensures that the integration of CSF and PF is not static but continuously evolving. NIST frameworks emphasize continuous improvement but rely on the organization to implement this vision. The DVMS’s Innovate capability enables organizations to embed feedback loops, monitor environmental changes, experiment with new solutions, and adapt quickly to regulatory or technological shifts. For instance, as new privacy legislation emerges or AI introduces novel risks, organizations need the agility to respond without undermining existing cybersecurity or privacy controls. Through the DVMS, innovation becomes deliberate, managed, and aligned with enterprise objectives rather than reactive or disruptive.

Ultimately, the power of integrating the NIST Cybersecurity and Privacy Frameworks through the Digital Value Management System lies in its ability to balance protection and productivity. Rather than forcing trade-offs between privacy and cybersecurity, the DVMS enables both to reinforce each other in service of broader organizational goals. It offers a unified structure where privacy and cybersecurity are not competing priorities but twin guardians of digital trust and value. In doing so, it fulfills not only regulatory and security requirements but also the expectations of stakeholders who demand that organizations act responsibly, ethically, and securely in their data handling.

As organizations navigate the ever-evolving digital risk landscape, this CSF, PF, and DVMS triad is a robust, scalable, and forward-looking model. It supports compliance with laws such as GDPR, HIPAA, and the CCPA, but more importantly, it fosters resilience, innovation, and trust. In a world where data is both a strategic asset and a source of potential harm, the convergence of cybersecurity and privacy management through an integrated DVMS overlay is not just a best practice—it is a prerequisite for sustainable success in the digital economy.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

The DVMS Institute is a renowned provider of accredited (APMG International), assured (NCSC-GCHQ-UK), and recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework and Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms, and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandate (HITRUST, CMMC, C2M2, etc.).

© DVMS Institute 2024 All Rights Reserved