Building a DVMS Institute NIST-CSF-DVMS Training Academy
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
Establishing an internal team to deliver the DVMS Institute’s accredited training and mentoring programs is critical for any organization striving to build cyber resilience, align digital risk with business strategy, and foster a culture of continuous learning and adaptation.
The NIST Cybersecurity Framework Digital Value Management System® (NIST-CSF-DVMS), as developed by the DVMS Institute, is not just another cybersecurity training program—it is an organizational operating system designed to create, protect, and deliver digital business value and enable operational cyber resilience. Setting up an internal team dedicated to implementing and embedding NIST-CSF-DVMS-aligned training and mentoring empowers an enterprise to go beyond one-time training events and cultivate a sustainable, adaptive, and performance-driven cybersecurity capability across all levels of the business.
One of the core principles behind the NIST-CSF-DVMS is that cybersecurity is not a technical function, but an enterprise-wide capability. It is rooted in the idea that cyber resilience is the byproduct of how well an organization aligns its governance, culture, risk practices, and operational execution. The NIST-CSF-DVMS overlays existing business structures through its Z-X Model and CPD (Create, Protect, Deliver) Model, which requires consistent engagement from every part of an organization, from strategy-setting executives to frontline operators. To adopt this approach, an organization must evolve into a learning organization, capable of seeing and thinking in systems. An internal training and mentoring team provides the scaffolding to make this transformation possible by equipping staff with knowledge and the tools and mental models to adapt, evolve, and lead.
Organizations must establish their internal team because external consulting or training alone cannot sustain the kind of cultural and operational change required by the DVMS. The transition from reactive cybersecurity to a proactive, risk-informed, value-centric approach involves changing how people communicate, collaborate, and make decisions. This change happens over time, through lived experience, contextualized support, and ongoing reinforcement. An internal training and mentoring team serves as a cultural change engine. It ensures that training is embedded into daily routines, that lessons learned from real-world events are integrated into learning cycles, and that staff are mentored through the complexities of adapting to change in uncertain environments.
Further, NIST-CSF-DVMS is built around the seven Minimum Viable Capabilities (MVCs)—Govern, Assure, Plan, Design, Change, Execute, and Innovate. These capabilities are not departmental silos or job descriptions, but enterprise-wide capabilities that map across functions and roles. Internal training teams can design development pathways tailored to these capabilities, ensuring that employees across disciplines—from finance to legal, from HR to IT—understand how their work contributes to and is shaped by the organization’s approach to managing digital business risk. Mentoring programs can pair employees across departments to foster cross-functional thinking, and scenario-based training can help staff connect abstract frameworks to real-world challenges. Without internal facilitators who understand the context and culture of the organization, this kind of deep integration is challenging to achieve.
Another key component of the DVMS is its focus on culture as a lever for resilience. Culture is not just a backdrop to strategy but a strategic variable that must be actively shaped. The NIST-CSF-DVMS recognizes that culture enables or impedes the success of resilience efforts. This is where the mentoring component becomes essential. Mentors serve not only as subject matter guides but as culture carriers. They model the expected behaviors—curiosity, collaboration, accountability, and systems thinking—and support their peers in developing new mental models aligned with the NIST-CSF-DVMS principles. An internal mentoring program provides psychological safety and personalized guidance, creating the conditions for profound, lasting cultural change.
Organizations that commit to setting up an internal team also create the capacity to tailor the NIST-CSF-DVMS learning journey to their own strategic and operational priorities. While the core principles of the NIST-CSF-DVMS are universally applicable, the way those principles are operationalized must reflect the organization’s structure, sector, maturity level, and risk environment. Internal trainers and mentors can contextualize the curriculum, using real examples, local language, and current initiatives. They can also ensure that training evolves, supporting the NIST-CSF-DVMS FastTrack maturity model—moving the organization through Phase 0 (Initiate), Phase 1 (Stabilize), Phase 2 (Expand), and Phase 3 (Innovate).
Moreover, establishing an internal team builds organizational ownership and sustainability. It transforms resilience from an externally driven compliance exercise to an internally driven capability. It enables the enterprise to develop its community of practice, where staff can co-create learning resources, share insights, and refine practices through feedback loops. This fosters an environment of continual learning and innovation, key themes in the NIST-CSF-DVMS and modern cyber risk governance. It also strengthens the organization’s ability to respond dynamically to new regulations (such as SEC, DORA, NIS2, SOCI, and others) and evolving threats, because the training and mentoring function becomes embedded within the enterprise’s adaptive muscle.
The internal training and mentoring team also provides the structure to cascade learning and accountability across the organization. Drawing from the NIST-CSF-DVMS guidance, policies and values must cascade from the top (e.g., board and executive leadership) through every management layer to the operational front lines. Training and mentoring are the mechanisms that make this policy cascade work in practice. Organizations reinforce a culture of shared responsibility by involving leaders at every level in the learning process—either as learners, mentors, or facilitators. This is particularly important in cybersecurity, where the effectiveness of controls often depends on the behaviors and decisions of individuals across the organization.
Additionally, the internal team becomes a key mechanism for measurement and feedback, enabling the organization to track its progress in developing cyber resilience. Using NIST-CSF-DVMS tools like the Digital Value Capability Maturity Model (DVCMM), the team can assess current capability levels, identify gaps, and prioritize development areas. Through regular check-ins, retrospective learning sessions, and maturity assessments, the training team can help the organization measure its progress not only in terms of knowledge acquisition but in cultural adoption, behavioral change, and organizational outcomes.
Setting up an academy and delivery team does not require starting from scratch. The DVMS Institute offers in-class and e-learning accredited (APMG International), assured (NCSC-GCHQ-UK), and recognized (DHS-CISA-NICCS) certification training courses, gamified simulations, publications, and exam services that can be used to train and certify a global workforce. Organizations can certify a group of internal facilitators to deliver the DVMS Institute materials and exam services. These facilitators become trainers and internal consultants supporting organizational strategy-risk alignment, cultural adaptation, and performance optimization.
Establishing an internal training and mentoring team for NIST-CSF-DVMS implementation is not optional but foundational. Without it, the NIST-CSF-DVMS becomes a static document rather than a living system. With it, the NIST-CSF-DVMS becomes the engine of enterprise adaptability, aligning digital value creation and protection with strategy, governance, and operations. In a world where cyber risks are ubiquitous, complex, and evolving, this kind of internal capacity differentiates organizations that merely survive from those that thrive. By investing in people, cultivating culture, and building internal learning systems, organizations position themselves to meet regulatory expectations and lead in an increasingly complex digital economy.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Holistic, Adaptive, and Culture-Powered Overlay System capable of anticipating and mitigating the systemic risk that will impact organizational cyber resilience.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2 etc.).
® DVMS Institute 2024 All Rights Reserved
