Culture’s Role in Building a Holistic and Adaptive NIST Cybersecurity Framework Digital Value Management System
Culture is pivotal in enabling a holistic and adaptive management system for digital business governance, resilience, and assurance. This unseen force influences behaviors, shapes decision-making, and defines how individuals and teams engage with strategic objectives, operational systems, and evolving risks.
In the context of the Digital Value Management System™ (DVMS) and its integration with the NIST Cybersecurity Framework (CSF) 2.0, culture is not just an enabler—it is the engine that drives the transformation from compliance-based governance to a proactive, systems-oriented approach that supports the creation, protection, and delivery of digital business value.
A holistic management system requires more than frameworks and policies. It demands a cultural foundation where cybersecurity, resilience, and assurance are viewed as shared organizational responsibilities. In many organizations, security and governance are treated as the exclusive domains of IT or compliance teams. This narrow view creates silos, weakens accountability, and limits an organization’s ability to adapt. The DVMS explicitly rejects this fragmented model, instead promoting a systems-thinking approach where culture is seen as an intrinsic capability. From the C-suite to the front lines, employees must understand their role in managing digital business risk and be empowered to take action within a resilient ecosystem of support, learning, and accountability.
In this sense, culture is not abstract—it is observable in the language teams use, their behaviors, and how they respond to challenges. A culture that fosters resilience and assurance embraces questioning, continuous improvement, and collaboration. These attributes are deeply embedded in the DVMS philosophy, which calls for organizations to adopt new mental models that treat strategy and risk as inseparable and cybersecurity as an outcome of effective business value management. This cultural shift is critical because it changes the organizational mindset from reactive problem-solving to proactive risk anticipation. It allows teams to ask better questions, identify vulnerabilities before exploitation, and align their efforts with the organization’s strategic intent.
One of the most potent cultural concepts in the DVMS is the idea of “being the menace within”—a structured mindset in which individuals think like threat actors, using insider knowledge to probe systems for weaknesses. This practice goes beyond technical penetration testing; it reflects a culture that encourages critical thinking, curiosity, and a deep sense of ownership. When employees are trusted to identify and raise concerns and feel safe to challenge assumptions and speak up about gaps in process or oversight, they become the first line of defense in a resilient digital enterprise. This proactive approach is only possible in organizations where the culture supports psychological safety, mutual respect, and the belief that every voice matters in protecting what the organization creates.
At the strategic level, culture enables governance by aligning individual behaviors with organizational objectives. This alignment is operationalized in the DVMS through the 3D Knowledge Model, which captures the interplay between team knowledge (x-axis), collaboration (y-axis), and strategic alignment (z-axis). A healthy culture strengthens each of these dimensions. It encourages teams to reflect on past experiences, adapt their current practices, and plan with agility. It fosters cross-functional cooperation, reducing friction between departments and promoting a shared sense of purpose. And it ensures that everyone understands how their actions contribute to the mission, vision, and values of the organization. In doing so, culture turns abstract governance principles into lived realities, guiding decisions and behaviors even without formal rules or oversight.
Culture also plays a key role in enabling assurance. Traditional assurance mechanisms often rely on after-the-fact audits or compliance checks, which may identify issues but do little to prevent them. An adaptive management system, by contrast, relies on cultural mechanisms to ensure that assurance is continuous, dynamic, and embedded into daily operations. For example, the use of Goal-Question-Metric (GQM) and Question-Outcome–Question-Metric (QO-QM) frameworks in the DVMS requires teams to engage deeply with their objectives, to ask why they are pursuing certain outcomes, and to measure progress in ways that reflect both technical performance and stakeholder value. This reflective, evidence-based approach to assurance is only effective when culture encourages transparency, learning, and a willingness to adjust course when needed.
Importantly, culture must support agility and adaptability. In a digital environment characterized by constant change and evolving threats, static policies and rigid hierarchies are liabilities. Adaptive organizations build cultures that value experimentation, reward innovation, and learn from failure. In the DVMS, this is reflected in the Innovate phase of the FastTrack™ roadmap, where organizations continuously assess their capabilities, test new ideas, and integrate lessons into their strategy and operations. Culture makes this possible by reducing fear of failure, encouraging collaboration across boundaries, and embedding the mindset that improvement is never finished—it is part of the daily work of delivering and protecting digital business value.
Another critical cultural factor is the ability to break down silos. Resilient governance cannot thrive in environments where information is hoarded, processes are opaque, and teams operate in isolation. Culture must promote openness and integration. In the DVMS, this is evident in how cybersecurity is woven into all seven Z-X Model capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate. Each capability intersects with cultural practices, from how teams plan and communicate to how they handle change to how they respond to crises. For example, the Assure capability requires not only the right controls and policies, but also a culture that values evidence, respects compliance, and embraces accountability. Likewise, the Execute capability depends on frontline teams having the knowledge, tools, and cultural support to make secure decisions in real-time.
Leadership is central to shaping and sustaining this kind of culture. Leaders must model the values of resilience, inquiry, and transparency. They must communicate clearly and consistently about the importance of cybersecurity and governance, and they must back up their words with visible support for training, collaboration, and investment in resilience capabilities. When leaders treat cyber risk as a business risk, ask better questions, and expect thoughtful answers, they set a tone that cascades through the organization. Conversely, when leadership is disengaged, reactive, or dismissive of security concerns, the culture follows suit—and the organization becomes vulnerable to external threats and internal dysfunction.
Finally, culture must be inclusive and adaptable across diverse organizational contexts. The DVMS is designed to scale across industries, geographies, and organizational sizes, and so must its cultural principles. A small startup may express resilience through informal collaboration and rapid iteration, while a multinational enterprise may embed resilience through structured processes and formal governance. In both cases, culture must support the behaviors that align with the organization’s strategic intent and risk tolerance. This flexibility is a hallmark of the DVMS approach, emphasizing “start where you are” and building iteratively from existing strengths. Culture provides the continuity and coherence needed to evolve, sustaining governance and assurance even as structures, systems, and threats change.
Culture is the linchpin of a holistic and adaptive management system for digital business governance, resilience, and assurance. It transforms frameworks into practices, policies into behaviors, and strategy into sustained performance. Through systems thinking, psychological safety, continuous learning, and leadership engagement, culture enables organizations to navigate complexity, manage risk, and protect value. The DVMS and NIST CSF 2.0 provide the models and tools, but culture brings them to life, ensuring that governance is not just a compliance exercise but a living, evolving commitment to digital excellence.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).
® DVMS Institute 2024 All Rights Reserved