Culture Eats Controls for Breakfast – Why True Resilience Depends on Behavior as Much as Technology – Assurance Mandate Series – Part 4
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Real Blind Spot
Peter Drucker famously said, “Culture eats strategy for breakfast.” In today’s digital era, it’s just as true that “Culture eats controls for breakfast.”
No matter how many frameworks you adopt or certifications you earn, if your organizational culture undermines accountability, transparency, or adaptability, resilience will break down when you need it most.
In Part 3 of this series, we discussed how silos weaken resilience, using Equifax and Colonial Pipeline as examples of organizations that had controls and compliance artifacts but still failed. In this article, we revisit those examples — and include Boeing — to make a more precise point: it wasn’t the lack of controls that caused their failures. It was the culture that made those controls ineffective.
Why Culture Gets Ignored
Boards and executives tend to trust what can be easily measured. Audit scores, certification badges, patch rates, and compliance dashboards all share a common trait: they simplify complexity into numbers that can be neatly included in a board packet. These numbers provide reassurance. They appear as progress. They indicate control.
Culture, however, resists easy classification. It cannot be summarized by a single number or reduced to a neat dashboard. You can’t simply list “transparency,” “accountability,” or “adaptability” on a spreadsheet and expect the truth to show through. Culture is about how people actually act when no one is watching: whether they speak up when they see a vulnerability, whether they voice uncomfortable truths, and whether they prioritize organizational resilience over their own comfort or career risks.
How many messengers have you shot?
This is precisely why culture often gets overlooked: it’s more challenging to measure, harder to evaluate, and tougher to justify to regulators. However, ignoring it can be dangerous because culture is what determines the effectiveness of the controls leaders depend on.
The paradox is unavoidable. Culture often influences the success of controls more than the controls themselves. A perfectly crafted patch management policy fails if the culture accepts delays. A crisis playbook is ineffective if the culture discourages escalation. An audit framework is meaningless if the culture rewards “passing the test” rather than building resilience.
When leaders restrict governance to what fits on a dashboard, they confuse activity with assurance. In doing so, they close their eyes to the crucial factor that determines whether their organization can withstand disruption.
Case 1: Boeing — Compliance Without Candor
Boeing’s 737 MAX program underwent rigorous regulatory oversight, received certifications, and had documented processes in place. On paper, the company appeared to be compliant. However, the culture, one that valued delivery schedules and cost targets more than transparency and engineering concerns, weakened those controls. Engineers who raised alarms were pushed aside. Safety became just a checkbox to meet, not a core value to uphold. The outcome was two devastating accidents that no checklist could have prevented.
The lesson is clear: even the strictest controls are pointless if culture silences the feedback that makes them work.
Case 2: Equifax — The Patch That Culture Ignored
As noted in Part 3, Equifax’s 2017 breach wasn’t caused by a lack of frameworks. The company had established compliance programs and conducted regular audits to ensure adherence to these standards. The failure occurred when a known vulnerability remained unpatched for months. Controls were in place, but the culture did not ensure accountability or follow-through. Risk management was viewed as an administrative task rather than a core enterprise priority. When the breach happened, it resulted in billions of dollars in costs and irreparable reputational damage.
Equifax teaches us that culture determines whether controls are acted upon or left to gather dust.
Case 3: Colonial Pipeline — When Culture Sees Cyber as “IT’s Problem”
The 2021 Colonial Pipeline ransomware attack, also discussed in Part 3, was not caused by a lack of technical safeguards. Instead, it reflected a broader culture that viewed cybersecurity as solely an IT issue, rather than a matter of organizational resilience and risk management. Leadership didn’t fully incorporate cyber considerations into governance or business continuity plans. When the attack occurred, it wasn’t just the systems that failed; it was the organizational mindset that failed as well.
The lesson: a culture that isolates cyber from the business causes resilience to fail at the moment of truth.
DVMS: Making Culture Visible
What links Boeing, Equifax, and Colonial is straightforward: controls were in place, but culture dictated performance. Each organization had certifications, frameworks, and compliance systems in place. However, without a culture rooted in accountability, transparency, and adaptability, those controls offered false assurance rather than true capability and resilience.
Here’s why the Digital Value Management System® (DVMS) is essential. DVMS does not see culture as something intangible. Instead, it makes culture visible by integrating behavior into governance. In DVMS, a policy is not just written down; it is reinforced through workflows and verified with assurance evidence. A control failure in IT isn’t merely documented; it is escalated as evidence of governance, revealing whether the culture exacerbates or neglects issues.
By creating continuous feedback between governance, performance, and assurance, DVMS ensures that culture isn’t just declared — it’s demonstrated.
Culture as a Systemic Variable
Culture is not “soft.” It is a systemic variable that determines whether frameworks gather dust or become lived practices. It decides whether controls exist on paper or actually work under stress. It is the invisible architecture of resilience.
With DVMS, culture becomes an integrated part of the system — monitored, reinforced, and assured like any other capability. Leaders no longer need to assume culture is resilient; they can now demand evidence that it is.
The Executive Question
Executives and boards must ask themselves difficult but essential questions:
- Do our audits tell us whether employees escalate risks — or whether they bury them?
- Can we prove that our culture reinforces resilience — or are we assuming it does?
- When disruption strikes, do our people adapt responsibly — or do they scramble to avoid blame?
Without clear answers, you are not governing by assurance. You are governing by appearances.
Closing the Gap
Controls can be copied. Frameworks can be bought. Technology can be outsourced. But culture must be governed — and too often, it isn’t.
This is the gap that boards and executives must address. Most leaders are happy to comfort themselves with certifications and dashboards, confusing activity with assurance. However, true confidence doesn’t come from artifacts; it comes from proof that your people, processes, and systems will withstand disruption when it occurs.
Culture distinguishes teams that hide mistakes from those that escalate them. It separates employees who wait for permission from those who act with accountability. It differentiates organizations that collapse when the playbook fails from those that adapt in real time. In every case study we’ve seen, including Boeing, Equifax, and Colonial Pipeline, the issue wasn’t just a technical failure. It was a cultural failure. The organizations were compliant on paper but fragile in practice.
This is why DVMS is so crucial. It does not treat culture as an afterthought or simply a slogan on a wall. Instead, it integrates culture into the governance process, making behavior visible, measurable, and actionable. It compels organizations to view culture as a systemic variable, one that can either reinforce resilience or weaken it.
For boards and executives, the message is clear: you can’t govern with artifacts alone. You must lead the culture that determines whether those artifacts are effective when they are most needed. And you must ask for evidence, not just of controls, but of the culture that supports them.
Resilience is not something you create with binders, frameworks, or compliance audits. Instead, it is experienced, strengthened, and managed on a daily basis. That is the gap DVMS addresses, transforming culture from a hidden risk into a visible source of strength.
👉 Next in the Assurance Mandate Series: DVMS as a Journey, Not a Big Bang — how organizations evolve from compliance artifacts to assured resilience.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Cyber Resilience Certified Training
Teaching Organizations How to Govern, Assure, and Account for Digital Value Resilience Across Complex Supply Chains
Despite abundant frameworks and dashboards, leaders still struggle to see how digital value streams perform under real-world stress.
Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.
The result is governance that appears robust on paper but breaks down in execution, forcing leaders to manage fragmented controls rather than assure and account for resilient, system-level performance.
What’s missing is an overlay management system designed to Govern, Assure, and Account for resilient digital value across a complex digital ecosystem.
The Digital Value Management System® (DVMS) to the rescue.
Digital Value Management System® (DVMS)
An Overlay Management System designed to Govern, Assure, and Account for Resilient Digital Value Across Complex Supply Chains
The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NIST CSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that accounts for the resilience of their living digital system.
A DVMS enables organizations of any size, scale or complexity to:
- Govern through risk-informed decision-making
- Sustain Resilience through a proactive and adaptive culture
- Measure Performance Assurance through evidence-based outcomes
- Ensure Accountability by making intent, execution, and evidence inseparable
At its core, the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities
- Operational Capabilities – how the digital business actually performs
- Assurance Evidence – proof that outcomes are achieved and accountable
- Cultural Outcomes – that align people, decisions, and behaviors
Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:
A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
The People and Culture That Power a DVMS
Delivering the outcomes of a DVMS requires coordinated action across an enterprise’s strategy, governance, and operational layers.
Each of these business layers contains unique roles that, when aligned, enable organizations to protect digital assets while delivering sustained digital value and resilience.
Together, these roles create an adaptive, risk-informed, and resilient culture capable of thriving in a complex and chaotic digital business environment.
Scaling A DVMS Program – Start Small
The DVMS FastTrack Model is a phased, iterative approach that helps organizations adopt and mature their Digital Value Management System over time, rather than trying to do everything simultaneously. This approach breaks the DVMS journey into manageable phases of success.
DVMS Program Benefits
DVMS Organizational Benefits
Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Leadership Benefits
The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.
The DVMS Certified Training Programs
The DVMS Institute’s certification training programs and body-of-knowledge publications equip leaders, practitioners, and employees with the skills to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.
Grounded in real-world governance challenges and aligned with NIST CSF 2.0, the DVMS Institute’s training programs teach organizations how to build measurable capability, transparent accountability, and defensible confidence in decision-making.
Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS NISTCSF Cyber Resilience Foundation Certification Training
The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.
This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
The Assurance Mandate White Paper Series
The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.
The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.
The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.
The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved








