Enabling Cyber Operational Resilience through Integrated Governance – The Role of the DVMS
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
Introduction
In the face of escalating cyber threats, evolving regulatory landscapes, and increasingly complex digital infrastructures, organizations must shift from fragmented cybersecurity practices to integrated, business-aligned resilience strategies. The Digital Value Management System® (DVMS) offers a holistic overlay that integrates Enterprise Risk Management (ERM), IT Service Management (ITSM), Governance, Risk, and Compliance (GRC), and the NIST Cybersecurity Framework (CSF) to enable cyber operational resilience. Rather than introducing another standalone framework, DVMS acts as an adaptable scaffold—enhancing, connecting, and aligning existing practices to organizational strategy and value delivery.
The Strategic Shift: From Cybersecurity to Digital Business Risk Management
Traditional cybersecurity is often isolated, seen as an IT responsibility rather than an enterprise concern. DVMS reframes this perception by treating cybersecurity as a subset of digital business risk. At its core, DVMS views cyber resilience as the capability to “create, protect, and deliver” digital business value, treating risk and strategy as a single, inseparable concept—“strategy-risk”. This systemic view bridges operational silos and embeds cybersecurity into strategic governance, culture, and day-to-day operations.
Integrating Enterprise Risk Management (ERM)
ERM provides the foundational principles for identifying, assessing, and responding to organizational risks. DVMS integrates ERM by aligning risk management practices with strategic outcomes through its CPD Model (Create, Protect, Deliver). This model emphasizes risk-informed decision-making, treating risk not merely as a constraint but as a driver of strategic intent. The DVMS overlays ERM by ensuring that all digital activities—whether technical or procedural—are evaluated for their risk impact and aligned to enterprise goals.
Furthermore, the DVMS uses tools like the Question Outcome–Question Metric (QO–QM) methodology to support risk-informed strategic alignment. This methodology enables organizations to define metrics that measure not just what they do but why it matters. This approach enhances the effectiveness of ERM by translating abstract risks into actionable insights at both the strategic and operational levels.
Aligning with IT Service Management (ITSM)
ITSM frameworks like ITIL focus on the efficient delivery and support of IT services. However, these frameworks often struggle to address cybersecurity from a risk and resilience perspective. DVMS overlays ITSM by mapping its Minimum Viable Capabilities (Govern, Assure, Plan, Design, Change, Execute, Innovate) onto existing service management functions.
For example, the “Execute” capability aligns with IT operations, while “Change” and “Plan” integrate seamlessly with change and release management. By incorporating cybersecurity governance and assurance into these workflows, DVMS ensures that service management not only supports uptime and performance but also contributes to cyber resilience. This integration shifts ITSM from reactive service delivery to proactive value protection and risk mitigation.
Enriching Governance, Risk, and Compliance (GRC)
GRC frameworks offer organizational governance, legal compliance, and risk management structures. Yet, they often fail to address the dynamic nature of cyber threats and digital complexity. DVMS enhances GRC by applying systems thinking and cultural awareness, recognizing that governance is not just about compliance but about fostering adaptive, learning organizations.
DVMS strengthens GRC practices through its emphasis on cultural change and leadership accountability. It applies tools like the cultural web model and the 3D Knowledge Model to assess how organizational behavior, communication, and structure affect cyber outcomes. This helps leaders build risk-aware cultures that are resilient to disruption, compliant with regulation, and aligned with strategic goals.
Operationalizing the NIST Cybersecurity Framework (CSF)
While the NIST CSF 2.0 provides an invaluable structure for organizing cybersecurity outcomes (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), it does not prescribe how to achieve those outcomes. This is where DVMS comes in. The DVMS provides the “how”—offering methodologies, decision frameworks, and phased approaches (e.g., DVMS FastTrack™) that allow organizations to operationalize the CSF within their specific context.
The CSF’s “GOVERN” function, for instance, is enriched through DVMS capabilities like “Govern” and “Assure,” which define roles, responsibilities, and accountability across leadership, management, and operational tiers. The DVMS CPD Model aligns CSF outcomes with digital value streams, ensuring cybersecurity investments directly support business resilience.
By leveraging CSF Organizational Profiles and Tiers with the DVMS overlay, organizations can benchmark their current state, define a target state, and continuously mature their cybersecurity posture. This empowers them to not only close gaps but to evolve alongside the threat landscape.
Creating a System of Systems: The DVMS Overlay
DVMS treats the organization as a complex adaptive system—a “system of systems”—in which structure and behavior are inseparable. It enables organizations to “see the whole” by mapping existing frameworks (ERM, ITSM, GRC, CSF) into a unified, strategic model of governance and resilience.
This is accomplished through layered models like the MVC and CPD Models, which visualize how governance cascades from the boardroom to the operations floor and how every capability feeds into the organizational ability to adapt, innovate, and recover. By fostering a learning culture that iterates and adjusts based on feedback, DVMS supports long-term organizational evolution and strategic foresight.
Conclusion: DVMS as an Enabler of Continuous Resilience
The DVMS is not a replacement for ERM, ITSM, GRC, or NIST CSF—but a means to unify them. As an overlay, it ensures that cybersecurity is embedded into the organizational DNA, from strategic planning to day-to-day operations. It provides a lens through which to see cybersecurity not as a technical domain but as a continuous, enterprise-wide responsibility. The DVMS enables organizations to shift from reactive cybersecurity to proactive, adaptive cyber resilience by operationalizing the principles of systems thinking, strategic alignment, and cultural transformation.
In an age where digital risk is business risk, such a transformation is not optional—it’s existential.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”
The DVMS Institute’s Certified Training Programs teach organizations the skills to build a Holistic, Adaptive, and Culture-Driven Overlay System that turns fragmented digital governance, assurance, and culture into a unified Digital Value Management System® capable of driving Cyber Operational Resilience, Regulatory Compliance, and Digital Trust outcomes.
The DVMS positions Cyber Operational Resilience, Regulatory Compliance, and Digital Trust as strategic, enterprise-wide digital business capabilities powered by frameworks, standards, regulatory requirements (ERM, GRC, ITSM, NIST, DORA, NIS2, SEC, etc.), and the DVMS MVC, CPD, and 3D Knowledge adaptive governance, assurance, and cultural resilience models.
Achieving true cyber operational resilience, regulatory compliance, and digital trust requires seamless alignment between organizational Strategy, Governance, and Operations, underpinned by a culture dedicated to sustaining and continuously innovating the Creation, Protection, and Delivery of organizational digital value.
This systems-based approach to cyber operational resilience, regulatory compliance, and client trust demands active engagement from all members of the Digital Ecosystem, with each member playing a distinct role in proactively identifying and mitigating the systemic risks that threaten digital business operations.
This forward-looking approach to Adaptive Governance, Integrated Assurance, and Cultural Resilience positions businesses to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across a Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved