The People That Power The Strategy, Governance, Operations and Cultural Layers of a DVMS Program

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Delivering the outcomes of the NIST Cybersecurity Framework (CSF) integrated with the Digital Value Management System® (DVMS) requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect digital assets and adaptively manage digital business risks while delivering sustained digital value and resilience.

The DVMS positions cyber resilience not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach, which includes the CPD Model (Create, Protect, Deliver) and the Z-X Capability Model (Govern, Assure, Plan, Design, Execute, Change, Innovate), mandates engagement from top executives to frontline implementers, each fulfilling distinct responsibilities.

Strategy Layer: Shaping Vision and Direction

At the strategic layer, the key roles are those of executive leadership and the board of directors. These actors are responsible for setting the vision and strategic intent for the organization’s cybersecurity posture and ensuring that cybersecurity is framed as a business issue, not merely a technology concern.

The Chief Executive Officer (CEO) and Chief Operating Officer (COO) are essential in ensuring digital business value is created and protected as a concurrent activity, not as sequential steps. This concept is central to the DVMS philosophy, where unprotected value is considered to have no sustainable worth.

As the highest form of strategic oversight, the board of directors holds ultimate accountability for embedding cybersecurity risk into the organizational enterprise risk management (ERM) program. They are responsible for setting risk tolerance thresholds and ensuring the organization defines its “strategy-risk” profile. This DVMS concept treats strategy and risk as inseparable components of value creation. The board must authorize and fund the resources needed to adopt and adapt the NIST CSF and support DVMS as a scalable overlay across the organization.

Another critical role at this layer is that of the Chief Information Security Officer (CISO). The CISO bridges high-level business strategy and the governance and operational processes that bring cybersecurity to life. At the strategic level, the CISO participates in board-level discussions, articulates the cyber risk landscape, and ensures that digital value protection is aligned with the organization’s goals. The CISO is also a key contributor to the organizational Target Profile and cybersecurity maturity journey using the CSF’s tiered model.

Equally important is the Chief Risk Officer (CRO) or the equivalent Enterprise Risk Manager, who oversees how digital risk integrates with other forms of enterprise risk, such as financial, operational, reputational, and compliance risk. This individual supports the framing of risk in strategic terms and helps ensure the use of the CSF and DVMS to shape decisions at the highest levels of the organization. These roles must ensure that cybersecurity becomes a fundamental component of the organizational mission and strategic plan, not merely a line item or technical initiative.

Governance Layer: Translating Strategy into Control and Accountability

The governance layer transforms strategic direction into policies, standards, oversight structures, and performance measurement systems. It ensures that the organizational environment can achieve the intended CSF and DVMS outcomes. The DVMS Z-X Model identifies core capabilities at this layer, particularly “Govern,” “Assure,” and “Plan.”

The Chief Governance Officer, or a designated senior governance lead, is typically responsible for policy development, ensuring that all cybersecurity-related governance aligns with the broader business governance framework. This includes the cascade of policies that define how work is conducted across the enterprise, from executive mandates to operational protocols. This role works closely with the CISO and other leaders to craft a governance system that aligns with the CSF’s GOVERN Function and supports the continuous improvement expectations of the DVMS FastTrack phases.

Compliance officers and legal counsel also play vital roles in this layer. They ensure the organizational cybersecurity policies meet legal and regulatory requirements, such as SEC, NIS2, DORA, SOCI, SAMA, IMO, GDPR, HIPAA, and other sector-specific mandates (HITRUST, CMMC). These individuals are instrumental in mapping CSF outcomes and DVMS practice areas to external compliance obligations. They also manage risk mitigation strategies around contractual obligations, third-party relationships, and incident response liabilities.

Another key role is the Internal Audit Function. Internal auditors verify that the CSF and DVMS processes are followed consistently, accurately, and effectively. They provide independent assurance on the maturity and efficacy of cybersecurity practices across departments and functions. Auditors help inform the organization’s Current Profile under the CSF and support assurance functions within the DVMS by identifying non-conformance or potential risk exposure areas.

The Information and Data Governance Team is also central to governance. These professionals, often including data stewards and architects, ensure that the organization knows what digital assets it owns, where they reside, how they are classified, and how they are protected. Their work directly contributes to CSF IDENTIFY and PROTECT Functions and supports the DVMS capabilities associated with quality, compliance, and data-driven decision-making.

Operational Layer: Execution, Integration, and Continuous Improvement

The operational layer comprises the individuals and teams that execute cybersecurity activities, integrate them into business operations, and drive iterative improvement. These roles turn policies and plans into outcomes that align with both CSF Functions and DVMS practice areas, such as “Execute,” “Design,” “Change,” and “Innovate.”

Cybersecurity analysts, engineers, architects, and IT infrastructure specialists are key actors. These professionals operationalize the CSF’s technical outcomes—monitoring networks, managing identity and access control, maintaining endpoint protection, and ensuring effective detection and response systems. Their actions underpin the CSF’s PROTECT, DETECT, RESPOND, and RECOVER Functions. In the DVMS, these actors contribute to operational excellence and innovation, ensuring systems are designed and operated securely, resiliently, and with value protection.

Business process owners and departmental managers are also essential at the operational layer. As the custodians of daily operations, they must embed cybersecurity into their standard operating procedures. They participate in developing and maintaining Organizational Profiles, articulate operational risks, and ensure that cybersecurity practices do not hinder performance or innovation. Their understanding of business context enables them to make risk-informed decisions aligned with the organization’s strategy.

Human Resources (HR) also plays an operational role, supporting security through training, workforce development, and policy enforcement. HR is critical in cultivating a culture of accountability and cyber awareness. They help onboard security competencies, design behavior-based training programs, and reinforce expectations tied to roles and responsibilities.

Change management professionals, including project and program managers, are crucial for integrating the CSF and DVMS into business transformation efforts. These individuals plan and oversee initiatives that adapt business systems, platforms, and processes to meet security and resilience goals. They support the organization through the DVMS FastTrack phases: Initiate, Basic Hygiene, Expand, and Innovate. Their expertise in coordinating across teams ensures that change is sustainable and that lessons learned inform future efforts.

Finally, external-facing roles—such as procurement officers, vendor managers, and supply chain specialists—apply CSF and DVMS principles to the broader ecosystem. These roles assess third-party risks, enforce contract-level security requirements, and monitor vendor compliance. This is essential to meeting supply chain governance outcomes under CSF and maintaining a secure and trusted digital ecosystem defined by the DVMS.

Cultural Layer: Making the DVMS Work in Practice

Culture is the foundation that makes a Digital Value Management System (DVMS) work in practice. While frameworks, processes, and technologies provide the structure, it is the shared values, behaviors, and mindsets across the organization that determine whether those structures deliver real outcomes.

A culture of collaboration, accountability, and continuous learning enables people to see governance, resilience, and assurance not as compliance checkboxes but as part of how they create and protect digital value every day. By fostering trust, transparency, and adaptability, culture drives alignment between strategy and execution, empowers teams to act with agility in complex digital ecosystems, and embeds the DVMS principles into the organization’s DNA—turning them from “programs” into sustainable, value-driven practices.

Conclusion

To deliver the outcomes of the NIST CSF and the DVMS across an enterprise, roles must be aligned and empowered across the strategy, governance, and operational layers. Strategic leaders provide the vision, governance roles establish policy and assurance, and operational teams bring it all to life.

Together, these roles create an adaptive, risk-informed, and resilient organization capable of thriving in a complex, volatile digital environment. The CSF provides the outcome taxonomy and structure. At the same time, the DVMS offers a systems-based, scalable overlay for organizations to govern, assure, execute, and continually improve the security and value of their digital operations.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

DVMS Cyber Resilience Professional Accredited Certification Training

Designing an Overlay System to Transform Digital Strategy into Governed, Resilient, Assured, and Accountable (GRAA) Digital Business Outcomes

From Visibility to Viability – The Dual Pillars of Cyber Resilience 

As enterprises accelerated their adoption of complex, cloud-native architectures, they encountered a new order of complexity. Infrastructure dissolved into services, workloads became ephemeral, and security boundaries blurred. In that environment, Wiz emerged as a transformational force in cloud technical security, offering radical visibility and risk prioritization across multi-cloud ecosystems.

At the same time, a broader and more consequential challenge emerged, one that extends well beyond isolated technical misconfigurations or discrete vulnerabilities.

Modern organizations function as dynamic, highly interconnected digital ecosystems shaped by siloed frameworks, technologies, applications, processes, data flows, and human actors, all operating in continuous interaction. Within this complexity, risks and outcomes are not confined to individual components; they arise from the relationships and dependencies between them.

This is the domain in which the Digital Value Management System® (DVMS) operates.

While Wiz redefined how organizations see and secure cloud environments, DVMS is redefining how enterprises govern, assure, and account for resilient digital value as an integrated dimension of digital business performance.

The Digital Value Management System® (DVMS)

The DVMS is an overlay management system designed to transform digital strategy into governed, resilient, assured, and accountable (GRAA) digital business outcomes.

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business performs under stress
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – for governance and operational fine-tuning

The DVMS GRAA Engine

The overlay GRAA engine is powered by four DVMS models:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution to create, protect, and deliver digital business value as an integrated, continuously adaptive capability.

Minimum Viable Capabilities (MVC) – The Minimum Viable Capabilities (MVCs) model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

3D Knowledge (3DK) – The 3D Knowledge Model is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Question Outcome / Question Metric (QO/QM) – The QO/QM approach supports governance as testable intent by defining a clear Question Outcome (QO), the specific value or resilience condition that must be true at a given boundary, and pairing it with one or more Question Metrics (QM) that provide observable, decision-relevant evidence that the system can actually create, protect, and deliver that outcome under complex, living system operating conditions.

The models then work together to operationalize the capabilities below, which transform digital strategy into governed, resilient, assured, and accountable digital value outcomes:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Benefits – Organizational and Leadership

Organizational Benefits

Instead of replacing existing operational frameworks and platforms, the DVMS elevates them, connecting and contextualizing their data into actionable intelligence that enables organizations to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across Complex Digital Ecosystems
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

Leadership Benefits

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides a unified approach to organizational digital value management, operational resilience, and regulatory compliance.

DVMS – Accredited Certification Training Programs

The DVMS Institute’s certification training programs equip leaders, practitioners, and employees with the skills to build a management architecture for governing, assuring, and accounting for resilience in complex digital ecosystems.

Through structured learning, applied certification, and authoritative publications, the Institute teaches a disciplined, outcome-driven approach to managing resilience as an integrated dimension of digital business performance.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness non-certification course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for resilience in complex digital ecosystems.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for achieving resilience in complex digital ecosystems.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to build a unified governance, resilience, assurance, and accountability system designed to operationalize resilience in complex digital ecosystems.

Launching A DVMS Program

The DVMS FastTrack is a phased, iterative approach that helps organizations mature a DVMS program over time, rather than trying to do everything simultaneously. This approach breaks the DVMS journey into manageable phases of success.

It all starts with selecting the first digital service you want to operationalize with the new DVMS capabilities. That service will then serve as the blueprint for operationalizing DVMS across the remaining services.

DVMS Institute White Papers – The Assurance Mandate Series

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional compliance artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
