How a NIST Cybersecurity Framework Digital Value Management Overlay System Uses Culture to Drive Resilient Digital Business Outcomes

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

In the era of rapid technological advancement and constant disruption, the organizations that thrive are not simply those with the best tools or the most comprehensive frameworks—they are those with cultures capable of adapting, learning, and sustaining value through uncertainty. Within the NIST Cybersecurity Framework (NIST-CSF) Digital Value Management Overlay System (DVMS), culture is a supporting element and the foundational layer upon which all digital business outcomes are built. From digital transformation initiatives to cyber resilience, governance, assurance, and innovation, culture is the fuel and feedback mechanism determining whether strategic intent becomes operational reality.

At the heart of the DVMS Overlay is recognizing that value is created, protected, and delivered by people working within systems, not by technology alone. The overlay’s cyclical architecture—represented in models such as the CPD (Create, Protect, Deliver) and Z-X frameworks—demonstrates that digital outcomes are a product of continuously evolving relationships between governance, execution, and innovation. These relationships are mediated through behaviors, decisions, and norms, all expressions of organizational culture.

Culture is what determines how people respond when no one is watching. It shapes how risk is perceived, controls are implemented, and accountability is embraced. In traditional governance models, culture is often overlooked or treated as intangible. However, culture becomes measurable in digital-first organizations, particularly those managing cyber risk and operational resilience, through behaviors, habits, and alignment with organizational purpose. As defined in the DVMS Institute’s approach, cyber resilience is the ability to recover from an incident and an organizational capacity to continually learn and adapt. This capacity stems directly from culture.

One of the most powerful illustrations of this is how the DVMS Institute aligns its seven minimum viable capabilities (Govern, Assure, Plan, Design, Change, Execute, Innovate) with the NIST CSF’s outcome-oriented Functions. In both the strategic governance alignment loop and the governance/execution innovation loop, feedback and adaptation are critical. These loops are only effective when the individuals involved are empowered to voice insights, share failures, and experiment with improvements. In this way, the 3D Knowledge Model (capturing past, present, and future understanding across team and strategic dimensions) depends fundamentally on cultural elements: psychological safety, shared purpose, and continuous learning.

The organizational outcomes emphasized in the DVMS framework—trust, resilience, performance, and value—are not one-time deliverables. They are cultural states sustained over time. For example, digital trust is not gained simply by having strong cybersecurity controls in place. It is earned and retained when stakeholders across the enterprise believe those controls are being used responsibly, transparently, and in a way that supports—not inhibits—the achievement of strategic outcomes. A high-performing culture ensures that controls are not merely enforced but embraced as essential enablers of long-term business value.

Moreover, culture directly influences the ability to govern risk effectively. Governance is not merely about policies and board oversight—it is about creating an environment where roles, responsibilities, and accountability are clearly understood, and information flows freely between strategic and operational domains. In the DVMS-CSF model, the GOVERN Function is a strategic capability designed to align the organization’s mission, vision, and values with its cybersecurity practices. This alignment is only sustainable when cultural consistency exists between what the organization aspires to and how it behaves under pressure.

Another dimension where culture plays a central role is in innovation and change management. As organizations face increasing pressure to innovate securely and responsibly, the ability to change while maintaining alignment and assurance becomes critical. Yet resistance to change is fundamentally a cultural issue. A culture that values transparency, continuous feedback, and inclusivity will approach transformation as a shared journey rather than a forced march. This makes it easier for teams to co-create, test, and iterate on digital initiatives without fear of blame or failure. In contrast, cultures built on compliance, fear, or hierarchy tend to resist change, hide mistakes, or implement controls superficially, undermining innovation and resilience.

Furthermore, culture underpins measurement and assurance. In the DVMS Overlay, performance measurement is not just about tracking key risk indicators or compliance rates. It is about understanding the organization’s maturity, agility, and alignment data. The QQ-QM and GQM (Goal-Question-Metric) structures embedded in DVMS measurement philosophy are meant to prompt cultural reflection: “Are we doing the right things? Are we doing them well? Are we learning from the outcomes?” These are cultural questions disguised as performance metrics.

Culture also plays a role in determining how cybersecurity is integrated into business design. In a digitally mature organization, cybersecurity is not an afterthought but embedded in planning, architecture, and service delivery models. This requires a culture where digital risk is seen as everyone’s responsibility, not just the domain of IT or compliance teams. A business designer working on a new product must feel confident that security concerns are not roadblocks but essential design parameters. Such behavior only emerges in a culture where cybersecurity is viewed as a competitive advantage, not operational friction.

The DVMS Overlay also highlights the importance of cross-functional and inter-team collaboration, which is cultural. The Z-X Model assumes that digital outcomes require collaboration across functions that may have historically operated in silos—governance, assurance, planning, execution, and innovation. This collaboration cannot be mandated by process alone. It must be nurtured through a culture of respect, shared goals, and trust. As the 3D Knowledge Model suggests, organizational intelligence arises not from data alone but from the human ability to contextualize and communicate that data in ways that influence collective decisions.

Ultimately, no strategy, framework, or capability model can deliver digital value at scale without culture as its backbone. Culture determines how strategy is interpreted, policies are internalized, processes are followed, and risks are mitigated in real time. In the language of DVMS, “creating a culture capable of protecting digital business performance, resilience, and trust” is not an aspirational slogan—it is a strategic imperative.

Culture is the connective tissue that binds the capabilities, controls, and outcomes described in the NIST CSF and DVMS models. It is what makes systems adaptive rather than rigid, learning-oriented rather than defensive, and stakeholder-driven rather than compliance-focused. For digital businesses to succeed in a world defined by speed, complexity, and risk, culture must be treated not as an afterthought but as the core operating system—continuously refined, measured, and modeled from the top down and the bottom up.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Holistic, Adaptive, and Culture-Powered Overlay System capable of anticipating and mitigating the systemic risk that will impact organizational cyber resilience.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

® DVMS Institute 2024 All Rights Reserved
