Culture as Capability – Embedding Resilience into Daily Behavior – The Assurance in Action Series – Part 4

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Cultural Challenge

Resilience isn’t based solely on frameworks, policies, or controls. Instead, it is demonstrated through daily actions. Culture influences whether staff escalate a critical vulnerability, whether managers admit when recovery thresholds are missed, and whether executives confront uncomfortable truths.

This is the paradox at the heart of resilience: organizations often have the right systems and frameworks in place, yet they still fail when culture resists transparency, collaboration, or accountability. History is full of examples where culture, not technology, undermined resilience. In some organizations, frontline teams detected issues but hesitated to escalate out of fear of reprisal. In others, managers prioritized keeping dashboards green over admitting to gaps. The result was not just delayed responses but full-blown crises.

Boards and executives may declare intent, managers may adopt the Digital Value Management System® (DVMS), and controls may be implemented. Still, without a culture that fosters openness, accountability, and trust, evidence of assurance becomes meaningless.

This reality means that culture cannot be treated as an afterthought. It must be designed and managed with the same rigor as incident response, vendor continuity, or cyber defense.

Culture as a Capability, Not an Afterthought

Too often, culture is seen as intangible, something to “influence” rather than actively implement. Leaders discuss the “tone at the top” or refer to employee engagement surveys, but these ideas often remain vague. In the DVMS, culture is understood in a different way.

Culture is an organizational capability. Like other capabilities, it can be designed, measured, and improved. It is part of the Minimum Viable Capabilities (MVC) because no system of governance, workflows, or evidence can sustain itself if the underlying culture does not promote candor, discipline, and cross-functional collaboration.

This perspective aligns with Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, which emphasizes that leadership is deeply intertwined with culture. Leaders’ actions influence the system. When leaders act defensively, employees tend to hide problems. Conversely, when leaders encourage transparency, issues are identified and addressed early. Therefore, managers must see culture not merely as an HR issue but as a systemic skill crucial for resilience.

CPD and Cultural Alignment

The Create, Protect, Deliver (CPD) Model emphasizes placing culture at the heart of business value. A culture aligned with CPD ensures resilience extends beyond technical functions, influencing every decision and interaction.

  • Create: Culture fosters innovation in resilience practices. Employees feel empowered to suggest improvements or test new approaches without waiting for a compliance mandate.
  • Protect: Culture encourages discipline and transparency. Escalation is swift, rehearsals are candid, and errors are treated as opportunities to learn rather than failures to be punished.
  • Deliver: Culture reinforces collaboration under pressure. Teams rally across silos to maintain continuity, protect customer trust, and ensure delivery of value even when systems are under attack.

When culture aligns with CPD, resilience stops being a compliance exercise and becomes a lived behavior. People no longer act out of fear of failing an audit but from confidence in their ability to uphold business value.

Evidence of Culture

Boards do not want generic assurances that “we have the right culture.” They want proof. Just as technical controls must be tested, cultural claims must be demonstrated in measurable ways.

Escalation speed is one example. How long does it take for an incident to move from detection to executive awareness? A resilient culture reduces this time because people are not afraid to raise their hands. Participation in rehearsals is another factor. Do cross-functional teams engage meaningfully, or do they attend reluctantly, viewing the exercise as just a compliance obligation? Near-miss reporting is equally revealing. Are small failures logged and addressed, or are they buried until they escalate into crises?

The Practitioner’s Guide to Building Cyber-Resilience (Second Edition) presents the QO–QM (Question Outcome–Question Metric) model as a way to connect governance outcomes with operational measures. When applied to culture, the board might say: “Staff must feel safe reporting issues.” Managers then monitor increases in near-miss reports, improvements in corrective action rates, or participation in voluntary resilience exercises. This approach turns the abstract idea of culture into measurable outcomes and metrics that can be assessed, reported, and improved.

The Consequences of Weak Culture

Consider recent breaches where culture played as significant a role as technology.

  • At Equifax (2017), the vulnerability was known and the patch was available. Yet organizational silos and a culture of minimal accountability delayed remediation. The result was a catastrophic loss of consumer trust.
  • At Colonial Pipeline (2021), cyber was still treated as “IT’s problem.” Governance did not integrate cyber risk into operational resilience. A culture of compartmentalization left executives unprepared to manage a ransomware event that escalated into a national crisis.
  • In the 2023 MOVEit breach, vendor risk, IT operations, and cyber monitoring each believed they were fulfilling their duties. But the culture of siloed accountability prevented unified oversight, allowing the exploit to cascade across industries.

In each case, culture was the unseen weakness. Capabilities existed on paper, but cultural blind spots rendered frameworks ineffective, turning them into illusions of resilience.

The Manager’s Role in Shaping Culture

Culture isn’t dictated solely from the boardroom. It is shaped daily by managers’ decisions and actions. A single choice by a manager, such as rewarding early reporting, insisting on candid after-action reviews, or integrating functions during rehearsals, creates a ripple effect throughout the system.

Managers exemplify what resilience looks like. A manager who praises a team for identifying an issue early shows vigilance. A manager who views a failed exercise as an opportunity to learn rather than a performance critique demonstrates psychological safety. A manager who requires involving operations, IT, and cyber in the same resilience drill promotes integration.

As Thriving on the Edge of Chaos notes, leadership is the art of turning complexity into clarity. Managers demonstrate leadership when they help their teams see resilience not as abstract governance jargon but as daily behavior that sustains value.

The Executive Imperative

For boards, culture shouldn’t be seen as just an HR issue or background factor. It is a matter of assurance. Weak cultures represent governance failures because they hinder the surfacing, sharing, and actioning of evidence. Conversely, strong cultures enhance assurance by making sure that every rehearsal, incident, and near miss contributes to organizational learning.

Directors should evaluate culture with the same “fit for purpose” and “fit for use” tests they apply to technical capabilities. While transparency and accountability may be highlighted as strategic priorities, the actual question is whether evidence shows them in action. Boards must demand not just policies but evidence: proof that escalation occurs swiftly, that near misses are logged, that cross-functional drills are genuine, and that employees feel safe speaking openly without fear of punishment.

The Role of AI and Automation in Supporting Culture

Historically, managers saw assurance as burdensome. Gathering, testing, and reporting cultural indicators in real time seemed impractical. Psychological safety surveys, rehearsal participation metrics, or near-miss logs required slow manual processes that quickly lagged behind actual conditions.

That is changing. Advances in automation and artificial intelligence are making assurance possible at scale. Automated monitoring provides real-time visibility not only into systems but also into participation rates and escalation behaviors. AI-driven simulations continuously test resilience scenarios, offering evidence of cultural responsiveness under pressure. Agentic systems record performance data directly into governance dashboards, reducing the gap between daily behavior and board-level oversight.

For managers, AI is not a substitute for judgment or leadership. It is a tool that reduces the burden of assurance, allowing them to concentrate on interpretation, decision-making, and ongoing improvement. What was once endless paperwork now becomes real-time confidence, driven by systems that gather evidence without creating overwhelming overhead.

The Manager’s Paradigm Shift

All of this indicates a broader change for managers. Previously, governance and resilience were viewed as transactions. The focus was on implementing controls, generating reports, and passing audits. Activity was seen as progress.

Today, disruption is ongoing, and boards are no longer content with just artifacts of compliance. They demand assurance, evidence that capabilities can perform under pressure. This pushes managers to transition from delivering documentation to developing capabilities, from showing activity to demonstrating performance, and from feeling comfortable to having confidence.

This shift requires managers to think systemically. The CPD Model links culture to value creation, protection, and delivery. The MVC overlay helps managers identify cultural gaps and incorporate them into capabilities. The QO–QM model ties intent to evidence, ensuring cultural goals are measured and improved.

Because the scale of this shift can feel overwhelming, the DVMS FastTrack® approach offers a phased pathway. Managers begin with critical MVCs, develop integrated cultural skills around them, and demonstrate resilience over time. Each step boosts confidence, reduces complexity, and encourages cultural change without overwhelming the organization.

From Comfort to Confidence

Boards no longer settle for just knowing which controls exist. They seek proof that these controls function effectively under pressure. For managers, the key question is this: Are you providing artifacts that record activity or assurance evidence that proves capability?

The Assurance Mandate whitepaper introduced the shift from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA). Parts 1 and 2 of this series demonstrated how intent must be translated into capabilities and how frameworks like the NIST Cybersecurity Framework can be implemented through DVMS. Part 3 explained how controls must generate evidence.

Part 4 ties it all together: nothing works without culture. Culture determines whether resilience is merely a slogan or a genuine skill. The first offers comfort. The second fosters confidence.

Looking Ahead

In the next article of the Assurance in Action Series, we will explore the concept of continual improvement. Assurance is not a static goal but an ongoing cycle of learning, testing, and adapting. Managers will see how the DVMS enables continual improvement cycles operationalized by the CPD model and realized in the MVC.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Cyber Resilience Professional Accredited Certification Training

Governing, Assuring, and Accounting for Resilient Digital Value Outcomes In Complex, Fragmented Systems

Despite abundant frameworks and dashboards, leaders still struggle to see how their digital value streams perform under real-world stress.

Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.

The result is governance that looks strong on paper but falters in practice, leaving leaders to juggle disconnected controls instead of actively strengthening the resilience of their digital value.

What’s needed is a framework-agnostic overlay system capable of governing, assuring, and accounting for digital value resilience across complex, fragmented systems.

Digital Value Management System® (DVMS)

An Overlay Management System to Govern, Assure, and Account for Resilient Digital Value Outcomes in Complex, Fragmented Systems

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NISTCSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital system.

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – to continually fine-tune governance intent and operational capabilities
Underpinning this integration are three distinctive DVMS models:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution in order to create, protect, and deliver digital business value as an integrated, continuously adaptive organizational capability.

3D Knowledge (3DK) – The 3DK Model™ is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The MVC™ model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

The integration of these models then enables three distinctive digital value management organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

In summary, a DVMS enables organizations of any size, scale, or complexity to:
  • Govern through risk-informed decision-making
  • Sustain digital value Resilience through a proactive and adaptive culture
  • Measure Performance Assurance through evidence-based outcomes
  • Ensure Accountability by making intent, execution, and evidence inseparable

The People and Culture That Power a DVMS

Delivering the outcomes of a DVMS requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these business layers contains unique roles that, when aligned, enable organizations to ensure the resilience of their digital value across their complex and fragmented digital systems.

Together, these roles create an adaptive, risk-informed, and resilient culture capable of thriving in a complex and chaotic digital business environment. 

Scaling A DVMS Program – Where Do You Start?

The DVMS FastTrack Model is a phased, iterative approach that helps organizations mature their Digital Value Management System over time, rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make resilient. Once that service has integrated DVMS at its boundaries, it becomes the blueprint to operationalize DVMS in the remaining digital services.

The DVMS training provides an example of how to operationalize the NIST Cybersecurity Framework and ensure its digital value resilience across complex, fragmented systems.

DVMS Program Benefits

DVMS Organizational Benefits

Instead of replacing existing operational frameworks and their management systems, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

The DVMS Certified Training Programs

The DVMS Institute’s certification training programs and body-of-knowledge publications equip leaders, practitioners, and employees with the skills to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned with NIST CSF 2.0, the DVMS Institute’s training programs teach organizations how to build measurable capability, transparent accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system that transforms systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

The Assurance Mandate White Paper Series

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
