The People and Teams That Power a NIST Cybersecurity Framework Digital Value Management System

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Delivering the outcomes of the NIST Cybersecurity Framework (CSF) integrated with the Digital Value Management System® (DVMS) requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect digital assets and adaptively manage digital business risks while delivering sustained digital value and resilience.

The DVMS positions cybersecurity not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach, which includes the CPD Model (Create, Protect, Deliver) and the Z-X Capability Model (Govern, Assure, Plan, Design, Execute, Change, Innovate), mandates engagement from top executives to frontline implementers, each fulfilling distinct responsibilities.

Strategy Layer: Shaping Vision and Direction

At the strategic layer, the key roles are those of executive leadership and the board of directors. These actors are responsible for setting the vision and strategic intent for the organization’s cybersecurity posture and ensuring that cybersecurity is framed as a business issue, not merely a technology concern.

The Chief Executive Officer (CEO) and Chief Operating Officer (COO) are essential in ensuring that digital business value is created and protected as a concurrent activity, not as sequential steps. This concept is central to the DVMS philosophy, in which unprotected value is considered to have no sustainable worth.

As the highest form of strategic oversight, the board of directors holds ultimate accountability for embedding cybersecurity risk into the organizational enterprise risk management (ERM) program. The board is responsible for setting risk tolerance thresholds and ensuring the organization defines its “strategy-risk” profile, a DVMS concept that treats strategy and risk as inseparable components of value creation. The board must also authorize and fund the resources needed to adopt and adapt the NIST CSF and to support the DVMS as a scalable overlay across the organization.

Another critical role at this layer is that of the Chief Information Security Officer (CISO). The CISO bridges high-level business strategy and the governance and operational processes that bring cybersecurity to life. At the strategic level, the CISO participates in board-level discussions, articulates the cyber risk landscape, and ensures that digital value protection is aligned with the organization’s goals. The CISO is also a key contributor to the organizational Target Profile and to the cybersecurity maturity journey using the CSF’s tiered model.

Equally important is the Chief Risk Officer (CRO) or the equivalent Enterprise Risk Manager, who oversees how digital risk integrates with other forms of enterprise risk, such as financial, operational, reputational, and compliance risk. This individual supports the framing of risk in strategic terms and helps ensure the use of the CSF and DVMS to shape decisions at the highest levels of the organization. These roles must ensure that cybersecurity becomes a fundamental component of the organizational mission and strategic plan, not merely a line item or technical initiative.

Governance Layer: Translating Strategy into Control and Accountability

The governance layer transforms strategic direction into policies, standards, oversight structures, and performance measurement systems. It ensures that the organizational environment can achieve the intended CSF and DVMS outcomes. The DVMS Z-X Model identifies core capabilities at this layer, particularly “Govern,” “Assure,” and “Plan.”

The Chief Governance Officer, or a designated senior governance lead, is typically responsible for policy development, ensuring that all cybersecurity-related governance aligns with the broader business governance framework. This includes the cascade of policies that define how work is conducted across the enterprise, from executive mandates to operational protocols. This role works closely with the CISO and other leaders to craft a governance system that aligns with the CSF’s GOVERN Function and supports the continuous improvement expectations of the DVMS FastTrack phases.

Compliance officers and legal counsel also play vital roles in this layer. They ensure the organizational cybersecurity policies meet legal and regulatory requirements, such as SEC, NIS2, DORA, SOCI, SAMA, IMO, GDPR, HIPAA, and other sector-specific mandates (HITRUST, CMMC). These individuals are instrumental in mapping CSF outcomes and DVMS practice areas to external compliance obligations. They also manage risk mitigation strategies around contractual obligations, third-party relationships, and incident response liabilities.

Another key role is the Internal Audit Function. Internal auditors verify that the CSF and DVMS processes are followed consistently, accurately, and effectively. They provide independent assurance on the maturity and efficacy of cybersecurity practices across departments and functions. Auditors help inform the organization’s Current Profile under the CSF and support assurance functions within the DVMS by identifying non-conformance or potential risk exposure areas.

The Information and Data Governance Team is also central to governance. These professionals, often including data stewards and architects, ensure that the organization knows what digital assets it owns, where they reside, how they are classified, and how they are protected. Their work directly contributes to CSF IDENTIFY and PROTECT Functions and supports the DVMS capabilities associated with quality, compliance, and data-driven decision-making.

Operational Layer: Execution, Integration, and Continuous Improvement

The operational layer comprises the individuals and teams that execute cybersecurity activities, integrate them into business operations, and drive iterative improvement. These roles turn policies and plans into outcomes that align with both CSF Functions and DVMS practice areas, such as “Execute,” “Design,” “Change,” and “Innovate.”

Cybersecurity analysts, engineers, architects, and IT infrastructure specialists are key actors. These professionals operationalize the CSF’s technical outcomes: monitoring networks, managing identity and access control, maintaining endpoint protection, and ensuring effective detection and response systems. Their actions underpin the CSF’s PROTECT, DETECT, RESPOND, and RECOVER Functions. In the DVMS, these actors contribute to operational excellence and innovation, ensuring systems are designed and operated securely, resiliently, and with value protection.

Business process owners and departmental managers are also essential at the operational layer. As the custodians of daily operations, they must embed cybersecurity into their standard operating procedures. They participate in developing and maintaining Organizational Profiles, articulate operational risks, and ensure that cybersecurity practices do not hinder performance or innovation. Their understanding of business context enables them to make risk-informed decisions aligned with the organization’s strategy.

Human Resources (HR) also plays an operational role, supporting security through training, workforce development, and policy enforcement. HR is critical in cultivating a culture of accountability and cyber awareness. They help onboard security competencies, design behavior-based training programs, and reinforce expectations tied to roles and responsibilities.

Change management professionals, including project and program managers, are crucial for integrating the CSF and DVMS into business transformation efforts. These individuals plan and oversee initiatives that adapt business systems, platforms, and processes to meet security and resilience goals. They support the organization through the DVMS FastTrack phases: Initiate, Basic Hygiene, Expand, and Innovate. Their expertise in coordinating across teams ensures that change is sustainable and that lessons learned inform future efforts.

Finally, external-facing roles—such as procurement officers, vendor managers, and supply chain specialists—apply CSF and DVMS principles to the broader ecosystem. These roles assess third-party risks, enforce contract-level security requirements, and monitor vendor compliance. This is essential to meeting supply chain governance outcomes under CSF and maintaining a secure and trusted digital ecosystem defined by the DVMS.

Conclusion

To deliver the outcomes of the NIST CSF and the DVMS across an enterprise, roles must be aligned and empowered across the strategy, governance, and operational layers. Strategic leaders provide the vision, governance roles establish policy and assurance, and operational teams bring it all to life.

Together, these roles create an adaptive, risk-informed, and resilient organization capable of thriving in a complex, volatile digital environment. The CSF provides the outcome taxonomy and structure. At the same time, the DVMS offers a systems-based, scalable overlay for organizations to govern, assure, execute, and continually improve the security and value of their digital operations.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Holistic, Adaptive, and Culture-Powered Overlay System capable of anticipating and mitigating the systemic risk that will impact organizational cyber resilience.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience, a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandate (HITRUST, CMMC, C2M2, etc.).

© DVMS Institute 2024 All Rights Reserved
