When One CISO Isn’t Enough: How the DVMS Unifies Microsoft’s 14-Role Security Model


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction

In recent years, the role of the Chief Information Security Officer (CISO) has grown dramatically in scope and complexity. As cyber threats escalate, regulatory demands intensify, and digital business models evolve, many organizations are finding that a single CISO can no longer keep pace.

Microsoft’s decision to appoint multiple Deputy CISOs—14 in total—each aligned to specific domains of the business, product, and engineering, serves as one high-profile case in point. This transformation signals a more profound shift in how security, risk, governance, and assurance must be embedded across enterprise operations.

A Digital Value Management System (DVMS) is uniquely positioned to respond to and anchor this evolution—by providing an integrated intelligence system that spans governance intent, operational capability, and assurance evidence.

In this essay, we examine how the DVMS framework addresses the challenges posed by a distributed CISO model, including clarifying roles and accountability, unifying domain-specific efforts, enabling measurable resilience and trust, and transforming fragmented programs into cohesive systems.

The Changing CISO Landscape at Microsoft

Historically, the CISO role has been a broad-spectrum leadership position, encompassing the definition of cybersecurity strategy, oversight of controls, management of incident response, ensuring compliance, and reporting to the board.

Yet, organizations like Microsoft have recognized that this breadth is unsustainable at large scale. In 2024 and 2025, Microsoft introduced a Deputy CISO (dCISO) strategy, appointing 14 specialists responsible for discrete domains—for example, identity and access, engineering systems, AI risk, product security, customer outreach—with each reporting to the corporate CISO and, in many cases, to a relevant business or product leader.

The rationale is compelling: one individual cannot be a domain expert, strategy leader, board advisor, compliance overseer, product partner, and operational commander all at once. As one Microsoft dCISO put it: “It’s just not humanly possible.” Splitting the role enables domain-specific accountability, deeper expertise, closer alignment with business units, and faster operational feedback loops.

However, it also raises significant governance challenges, including ensuring coherence across domains, maintaining a unified risk posture, aligning with business strategy, and generating assurance consistent with board and regulatory requirements.

How a DVMS Anchors Governance in a Distributed CISO Model

  1. Governance Intent: Creating the Shared North Star

With multiple dCISOs, each domain leader may interpret priorities differently—identity security may focus on access controls, product security on secure development, and AI risk on model governance. Without a unifying framework, silos emerge. A DVMS ensures that governance intent—the organization’s strategic objectives around trust, resilience, and performance—is clearly articulated and cascaded across all domains.

In this model:

  • A central governance layer defines enterprise-wide objectives (e.g., “resilience by design”, “trusted digital operations”, “compliance with DORA/ISO”).
  • Domain-specific dCISOs map their domain’s responsibilities into that overarching intent—e.g., product security maps to “secure-by-design for digital outcome trust”.
  • The DVMS provides visibility into how each domain’s initiatives align with the strategic north star, avoiding fragmentation and drift.

  2. Operational Capability: Turning Domain Roles into Integrated Action

Once intent is set, the operational challenge remains: multiple domains, multiple leaders, multiple processes. The DVMS serves as the system of operational capability, standardizing how domains enact controls, manage risk, measure performance, and interoperate. In a structure like Microsoft’s 14 dCISOs, a DVMS would help ensure that, for example, identity risk doesn’t operate in isolation from cloud infrastructure risk, engineering systems security doesn’t ignore supply chain dependencies, and AI risk aligns with product security and governance.

Key features include:

  • A unified control library mapped to domains but aligned to the enterprise risk taxonomy.
  • Cross-domain workflows: when the identity domain flags an issue, the cloud domain is notified, the product domain adapts, and assurance evidence is captured.
  • Shared dashboards: each dCISO retains domain focus, but the corporate CISO and board see an integrated view of digital risk, trust, and performance.

  3. Assurance Evidence: Making the Invisible Visible

With more roles and domains, generating coherent assurance becomes harder: how do you demonstrate to the board or regulator that you have a unified security posture rather than 14 isolated programs? The DVMS addresses this by establishing the assurance evidence layer, which captures metrics, control execution, incidents, recovery, and improvement across domains, and aggregates them into unified reporting.

  • Domain dCISOs log their metrics, test results, and control execution into the DVMS platform.
  • The platform normalizes and aggregates these into enterprise-level assurance reports—showing resilience, trust, and regulatory alignment.
  • The CISO can use the assurance layer to show the board a “single pane of glass” rather than a series of disconnected domain reports.

Dealing with Pinch Points in a Distributed CISO Model

Fragmentation and Misalignment

When security responsibilities are spread across many leaders, fragmentation is a key risk. Domain teams may pursue local optimization (e.g., product security focuses on speed to market, identity security focuses on strict controls), leading to conflicts or gaps. The DVMS alleviates this by ensuring that all domains operate on the same governance-capability-assurance lifecycle and that alignment to enterprise intent is continuously tracked.

Accountability Diffusion

Fourteen deputy CISOs mean 14 distinct accountability threads: who is ultimately responsible when a cross-domain incident occurs? The DVMS clarifies accountability by linking domains to enterprise risk categories and ownership. In doing so, the corporate CISO retains oversight, domain leads carry operational accountability, and the governance layer ensures that escalation paths and decision rights are defined.

Reporting Overload & Board Visibility

Each domain may report separately to the corporate CISO, who must then translate 14 streams into a board-level narrative and assurance. DVMS provides the infrastructure for consolidated reporting, enabling the CISO to present meaningful, concise metrics: aggregated risk posture, resilience indices, regulatory alignment scores, and stakeholder trust indicators.

Regulatory Complexity & Demonstrable Assurance

Regulators are increasingly expecting continuous, quantifiable assurance across operations, rather than periodic audits. A distributed model complicates this. The DVMS enables consistent evidence capture across domains, aligning control execution, test results, incident response, and improvement loops into an auditable system. For firms facing regulations such as the Digital Operational Resilience Act (DORA) or AI governance standards, this is crucial.

Competitive Advantage of DVMS in This Context

In a world where companies like Microsoft are moving toward multiple domain-specific security leaders, the DVMS not only addresses the risks but also becomes a competitive differentiator. It enables organizations to:

  • Scale security governance: By decentralizing domain accountability while retaining central coherence.
  • Accelerate decision-making: Domain leads can act rapidly within their remit, while DVMS ensures integration and governance controls are not bypassed.
  • Prove resilience and trust: Customers, regulators, and partners gain robust assurance that a unified system governs the entire digital value chain.
  • Adapt dynamically: As new domains emerge (such as AI risk, supply-chain security, digital twins), DVMS accommodates them rather than requiring disparate patches.

Conclusion

The transformation of Microsoft’s CISO role—splitting responsibility into 14 deputy CISOs aligned to domain-specific functions—is emblematic of the broader shift in enterprise security governance. As threats, digital architectures, regulatory demand, and stakeholder expectations all multiply, the one-person CISO model simply cannot keep pace. A DVMS offers a robust answer: it aligns governance intent across the enterprise, systematizes operational capability across domains, and provides unified assurance evidence for boards, regulators, and stakeholders.

In doing so, DVMS transforms what could be a risky, fragmented model of domain-centric deputies into a cohesive, strategic system that enables organizations not only to manage but also to thrive in today’s complex digital risk landscape. By consolidating multiple domain-specific security leads into a single intelligence system, the enterprise ensures coherence, accountability, and trust—transforming security governance from a reactive program to a strategic asset.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

Digital Value Management System® (DVMS)

An Integrated Intelligence System that Governs, Assures, and Sustains Digital Business Performance, Resilience, and Trust

The DVMS Institute’s Certified Training Solutions teach organizations how to transform traditional Best-Practice Programs (such as NIST, ITSM, GRC, and ISO) into a unified, adaptive, and culture-driven DVMS Governance and Assurance Intelligence System (DVMS).

The DVMS establishes a structured, intelligence-driven pathway that unites Governance Intent, Operational Capability, and Assurance Evidence for each program— empowering organizations to achieve a unified approach for measurable performance, resilience, and stakeholder trust.

Through its MVCCPD3D Knowledge and FastTrack Models, the DVMS operationalizes a:

  • Governance Overlay system that unifies strategy, assurance, and operations
  • Behavioral Engine that transforms how organizations think, decide, and act in uncertainty
  • Learning System that measures, adapts, and innovates the digital business over time.

DVMS Organizational Benefits

The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

  • For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
  • For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
  • For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.
  • For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.
  • For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.
  • For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.

DVMS Institute Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness training provides all employees with a comprehensive understanding of the fundamentals of digital business, its associated risks, the NISTCSF, and their role in protecting organizational digital value. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role as an integrated, adaptive, and culture-driven governance and assurance management system that drives resilient, compliant, and trusted digital outcomes.

DVMS Cyber Resilience Practitioner Certification Training

The Digital Value Management System® (DVMS) Practitioner certification training course provides ITSM, GRC, Cybersecurity, and Business professionals a detailed understanding of how to transform systemic cyber risk into operational resilience by uniting Fragmented Frameworks and Standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Assurance, and Accountability overlay system that keeps your digital business resilient, no matter the disruption.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
