Aligning GRC with ITSM: A Strategic Advantage for NIST-CSF Deployments



Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The NIST Cybersecurity Framework (CSF) is fundamentally a risk governance framework. As such, it is more appropriately deployed and managed by the IT Service Management (ITSM) team than by the cybersecurity team. While cybersecurity professionals provide critical technical expertise, the real value of the NIST CSF lies in its integration into enterprise risk management and digital business value creation, which positions it squarely within the scope of ITSM.

The CSF is designed as a sector-agnostic, flexible, and outcomes-based framework that supports an organization’s ability to manage cybersecurity risk holistically, aligning protection with strategy, stakeholder expectations, and enterprise goals. ITSM, whose mission is to ensure the reliable delivery of IT-enabled business services, is uniquely positioned to align the CSF’s GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER Functions with enterprise processes, policies, and service delivery systems. By contrast, cybersecurity teams are often siloed in technical domains, with limited influence over enterprise-wide service delivery, process governance, and cultural alignment.

The DVMS Institute’s body of work emphasizes that the CSF is not just about deploying controls but instilling a cultural and governance shift that repositions cybersecurity risk as an enterprise concern to be addressed through systemic change and strategic alignment. Cybersecurity is not solely a technical challenge; it is fundamentally a business and operational resilience challenge, demanding systems thinking, cross-functional collaboration, and strategic prioritization—competencies that sit squarely within the ITSM discipline.

Furthermore, frameworks such as ITIL and COBIT, widely adopted by ITSM teams, already provide mechanisms for governance, assurance, planning, change, and continual improvement that map directly to the CSF's intended use. The DVMS CPD (Create, Protect, Deliver) model and the Z-X Model hold that effective digital business risk management emerges from the synchronized integration of governance, assurance, planning, design, change, execution, and innovation, rather than from the isolated application of technical controls.

The CSF is meant to be tailored to the organizational context and scaled through its Tiers and Organizational Profiles, which are business management instruments rather than technical tasks. NIST states that the CSF's primary audience includes executives, risk managers, and policy influencers, not just cybersecurity engineers, which reinforces that its use must extend beyond the confines of a cybersecurity department.

The deployment of the CSF requires the analysis of current and target profiles, the identification of organizational gaps, and the development of integrated action plans to improve risk posture—again, all areas of responsibility where ITSM already plays a central role. In addition, the FastTrack approach advocated by the DVMS Institute for CSF adoption starts with stabilizing the current operational environment—identifying existing capabilities, maturing them, and using them as the baseline for managing digital business risk. This maturity-driven improvement methodology aligns with ITSM practices like continual service improvement (CSI).

By assigning responsibility for the CSF to ITSM, organizations leverage existing governance structures, IT operational workflows, service design capabilities, and stakeholder engagement models to embed cybersecurity into business-as-usual processes. ITSM teams also maintain the Configuration Management Database (CMDB), which is critical to the IDENTIFY Function in CSF, and Change Management, which supports the PROTECT and RESPOND Functions.

From an accountability standpoint, cyber risk management is a top-down responsibility that requires integration across all operational layers. The ITSM team, given its horizontal view across business units and service domains, is far more capable of ensuring that the CSF is operationalized across the entire organization. Moreover, by managing the CSF deployment through ITSM, the organization shifts from reactive, control-centric cybersecurity to proactive, resilience-focused governance that balances risk, performance, and value.

This shift aligns with the CSF's emphasis on desired outcomes rather than prescriptive controls. It supports a strategy-risk approach in which business strategy and cybersecurity risk are treated as inseparable. This approach is highlighted in the DVMS Institute's A Practitioner's Guide to Adapting the NIST Cybersecurity Framework, which states that protecting value must occur concurrently with creating it, and that cybersecurity should be embedded into every organizational capability rather than confined to a specialized team.

Finally, the cultural shift required to embed CSF into the organizational DNA—promoting accountability, systemic risk awareness, and continual learning—is best facilitated by the ITSM function, which already engages with cross-functional teams and governs enterprise service delivery. Cybersecurity teams will remain vital as subject matter experts in specific controls, tools, and threat mitigation tactics. Still, the CSF’s strategic management, governance, and deployment require the broader, integrated lens of ITSM.

To ensure that the CSF serves its intended purpose of supporting enterprise-wide cyber resilience, it must be managed not by a specialized cybersecurity function but by the ITSM team, which has the systemic reach, governance structures, service integration capabilities, and risk alignment models needed to turn framework guidance into sustainable organizational capability.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

The DVMS Institute's NIST Cybersecurity Framework Digital Value Management System® Certified Training and Assessment Programs teach enterprises the skills to build a holistic, adaptive, and culture-powered Governance, Resilience and Assurance overlay system designed to proactively identify, classify, and mitigate the systemic risks that service providers (SaaS, cloud, etc.) and their extended web of service providers expose businesses to every day.

The NIST-CSF-DVMS positions cyber operations resilience not as a technical function but as a strategic, enterprise-wide cultural imperative that equips everyone from leadership to frontline employees with the skills to Create, Protect, and Deliver (CPD) resilient digital business value.

Enabling cyber operations resilience requires a coordinated effort across organizational Strategy, Governance, and Operational business layers. The NIST-CSF-DVMS 3D Knowledge Model ensures that each layer is aligned and operating cohesively as an integrated adaptive Governance, Resilience, and Assurance overlay system, proactively identifying, classifying, and mitigating the systemic risks that could impact cyber operations.

This unique and innovative approach to cyber resilience enables enterprises to comply with any government-mandated cybersecurity regulation (SEC, DORA, NIS2, etc.) or maturity model program (SCF, HITRUST, CMMC, etc.).

® DVMS Institute 2025 All Rights Reserved
