Why Digital Service Providers Need the NIST Cybersecurity Framework and a Digital Value Management System® To Enable Cyber Resilience

David Moskowitz – Founder Member and Chief Content Architect at the DVMS Institute

Bob Dylan’s “The Times They Are A-Changin’” is more than a song; it’s an anthem for every era of upheaval, urging us to recognize the shifting tides and adapt before we’re left behind. His warning, “For he that gets hurt will be he who has stalled / ’Cause the battle outside ragin’,” resonates deeply in today’s digital landscape.

Every organization faces relentless cyber threats, evolving regulations, and stakeholder demands for trust and transparency. Compliance checklists and siloed frameworks are no longer sufficient. To thrive amid volatility, uncertainty, complexity, and ambiguity (VUCA), digital service providers of all types need a dynamic approach that unites strategic governance with operational resilience.

The NIST Cybersecurity Framework (NIST-CSF) provides a gold-standard foundation for managing cyber risk. Still, it leaves a critical gap: it defines what to do, not how or when to operationalize cybersecurity as a business enabler. This is where the Digital Value Management System® (DVMS)—an adaptive overlay from the DVMS Institute, not another framework—becomes indispensable. By combining NIST-CSF with the DVMS overlay, organizations transform cybersecurity from a reactive cost center into a proactive driver of resilience and value.

The NIST-CSF: A Strong Foundation, but Not Enough

NIST-CSF 2.0 outlines six core functions (Govern, Identify, Protect, Detect, Respond, Recover) to manage cybersecurity risk. Its strength lies in its flexibility and outcome-oriented structure, which has made it a global standard. However, organizations often struggle to:

  • Align cybersecurity with business strategy and culture.
  • Integrate controls into value creation and delivery.
  • Continuously adapt to new threats and opportunities.

The DVMS Institute’s A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework[i] notes that traditional approaches to cybersecurity risk have typically been “bolt-on” exercises disconnected from organizational priorities.

The DVMS Overlay: Bridging Strategy, Risk, and Execution

The DVMS is explicitly not a framework; it is a universal overlay that works with NIST-CSF (and other frameworks, standards, control systems like ISO 31000, COSO, ISO 27001, NIST 800-53, ITIL, etc.) to operationalize cybersecurity as part of digital value management. Its three-layer model creates a seamless integration:

  • Top layer: Existing frameworks (e.g., NIST-CSF) and organizational practices.
  • Middle layer: Seven Minimum Viable Capabilities (MVC): Govern, Assure, Plan, Design, Change, Execute, Innovate.
  • Bottom layer: CPD Model[ii] (Create, Protect, Deliver): Links strategy-risk, governance, and execution to value.

A new term, “strategy-risk,” is included in the description of the “Bottom layer.”

Strategy-risk is the concept that strategy and risk are inseparable and must be considered as a unified whole. Rather than treating risk as a separate, after-the-fact assessment, the DVMS overlay embeds risk directly into strategic decision-making. This means every aspect of business strategy is informed by a clear understanding of potential risks, ensuring that value creation and protection are always aligned. Organizations proactively balance ambition with resilience by adopting a strategy-risk mindset, making risk management an intrinsic part of achieving digital business objectives.

This layered approach allows the DVMS overlay to be applied to any organization, regardless of size, sector, or maturity. It is agnostic to underlying frameworks, making it universally adaptable.

Key Advantages of the Overlay Approach

  • Strategy-risk integration: Cybersecurity becomes inseparable from business strategy. The CPD Model embeds risk into value creation, ensuring protection is not an afterthought but a concurrent activity. As highlighted in the DVMS Institute blog, Beyond GRC-How Strategy-risk Enables Resilience in the Age of Digital Trust[iii], the strategy-risk mindset balances ambition with resilience.
  • Cultural alignment: The DVMS overlay includes tools for cultural assessment, addressing gaps like misaligned incentives or siloed communication. For example, psychological safety and cross-team collaboration are prioritized to foster proactive risk management.
  • Continuous feedback loops: Three critical feedback loops ensure alignment:
    • Governance/Execution: Links leadership intent with operational outcomes.
    • Strategy/Governance: Informs strategic adjustments based on real-world data.
    • Execution/Innovation: Drives iterative improvements.
  • Flexibility and scalability: A startup might focus on basic hygiene (e.g., access controls), while a global enterprise coordinates advanced threat detection—all using the same MVC as a common language[iv].
  • Integration, not replacement: The overlay works with what’s already there. It does not prescribe a new set of controls or practices. Instead, it helps organizations map their current practices to the seven MVC, exposing performance gaps and providing a roadmap for targeted improvement.

The NIST-CSF and the DVMS are outcome-oriented, making their combination relatively seamless. In fact, by treating value creation and protection as concurrent, inseparable activities, not sequential or siloed efforts, applying the DVMS makes NIST-CSF adoption and adaptation efforts easier.

The DVMS as a Meta-System: Making NIST-CSF Actionable and Adaptive

The DVMS overlay can be understood as a meta-system—a system that sits above and interacts with all the frameworks, methods, and standards already used within an organization. Rather than replacing or duplicating existing investments, the DVMS provides a unifying structure that enables digital service providers to see their entire ecosystem as interconnected. This meta-system perspective is compelling when combined with the NIST Cybersecurity Framework.

While the NIST-CSF provides a comprehensive description of what organizations should achieve to manage cybersecurity risk, it leaves the how and when of implementation up to each organization. The DVMS meta-system fills this gap by overlaying the NIST-CSF, mapping its core functions to organizational real-world capabilities, processes, and cultural realities. Through its Innovate capability and gap analysis practice area, the DVMS helps organizations systematically identify and close performance gaps, ensuring that NIST-CSF outcomes are not only met but are fully integrated into value creation and protection processes.

This way, the DVMS meta-system transforms the NIST-CSF from a static set of functions into a living, adaptive operating system for digital value management. It enables organizations to continually assess, adapt, and improve their cyber resilience, ensuring that the NIST-CSF is implemented, truly embedded, and operationalized throughout the enterprise.

The Seven Minimum Viable Capabilities (MVC)

At the heart of the DVMS MVC overlay are seven universal capabilities:

  • Govern: Sets the policies that form the basis for organizational rules and oversight.
  • Assure: Provide appropriate assurance that the organization does the right things, the right way (e.g., conforms to governance policies).
  • Plan: Represents the planning effort that enables the organization to develop appropriate governance and assurance of these core capabilities.
  • Design: Enable the organization to create, protect, and deliver value by providing the “how to do it” with available resources, etc.
  • Change: Enables rapid adaptation to internal and external shifts.
  • Execute: Delivers value securely and reliably.
  • Innovate: Drives continual improvement and transformation.

These are not isolated silos. They are interconnected, forming a dynamic system that allows organizations to adapt and thrive as conditions change. Every organization performs these activities to some degree; the overlay makes them visible and actionable. To put this another way: Everything the organization does maps to one or more of the MVC.

How NIST-CSF and DVMS Together Enable Cyber-Resilience

The NIST-CSF 2.0 and DVMS are designed to be scalable and applicable to any organization regardless of size or industry sector.

The DVMS overlay operationalizes NIST-CSF outcomes through targeted capabilities:

| NIST-CSF Function | DVMS MVC | Outcome |
| --- | --- | --- |
| Govern | Govern, Assure | Leadership accountability and risk-informed decision-making. |
| Identify | Plan, Design | Asset visibility and threat landscape integration into business architecture. |
| Protect | Design, Execute, Change | Security is embedded into system design and daily operations. |
| Detect | Execute, Innovate | Real-time monitoring and adaptive threat detection. |
| Respond | Change, Execute, Govern | Rapid incident containment and process refinement. |
| Recover | Execute, Plan, Innovate | Post-incident learning and systemic improvements. |

While the Assure capability does not appear in every DVMS MVC entry in the table (other than the NIST-CSF Govern function), it is part of the connective tissue that answers two critical questions:

  • How do you know? – provides structured inquiry
  • How can you be sure? – provides evidence-based assurance

Case Study: FastTrack Implementation

The DVMS FastTrack approach enables phased adoption:

  1. Initiate: Align NIST-CSF outcomes with business objectives and cultural readiness. Determine the current NIST-CSF Tiers concerning governance and management.
  2. Basic Hygiene: Close gaps in foundational controls (e.g., patching, logging, basic NIST-CSF outcomes). Establish initial NIST-CSF current and target profiles.
  3. Expand: Integrate advanced controls (e.g., AI-driven threat detection) using the CSF Tiers to inform evolving CSF Profiles.
  4. Innovate: Embed continuous learning and adaptation.

For example, a healthcare provider used FastTrack to map NIST-CSF’s Identify function to DVMS’s Plan capability, reducing vulnerabilities in patient data systems by 60% within six months[v].

Culture: The Foundation for Change

While the NIST-CSF mentions culture as part of the Govern core function (Roles and responsibilities) and CSF Tier 4 governance, it provides no guidance regarding what this means to the organization. The DVMS overlay recognizes that culture is pivotal to success. It includes tools and practices for cultural assessment and alignment, ensuring that every improvement is supported by a culture of collaboration, learning, and shared accountability. Key cultural considerations include:

  • Leadership Style: Supportive leadership inspires innovation and risk-taking.
  • Employee Engagement: Engaged employees are more likely to embrace change.
  • Communication: Open communication fosters transparency and trust.
  • Learning Culture: Organizations that prioritize learning are more adaptable to change.

Why This Combination Works

Combining the NIST Cybersecurity Framework with the DVMS overlay creates a powerful, adaptive approach for digital service providers. While frameworks like NIST-CSF excel at describing what organizations should do to manage cybersecurity risk, they do not specify how or when to implement these practices in a way that aligns with business value and operational realities. This is where the DVMS overlay delivers unique value, specifically its Innovate capability’s gap analysis practice area. By systematically mapping current practices to desired outcomes, the DVMS gap analysis reveals where performance gaps exist and provides a clear, actionable roadmap for targeted improvement. The result is a resilient, continually learning organization that confidently creates, protects, and delivers digital business value. Here’s why this integrated approach is uniquely practical:

  • From Compliance to Resilience: NIST-CSF alone risks becoming a checkbox exercise. The DVMS overlay ensures cybersecurity is measured by business outcomes, like customer trust or operational uptime, not just compliance audits.
  • Cultural Transformation: The overlay operationalizes NIST-CSF’s cultural recommendations, fostering:
    • Leadership buy-in: Executives govern cyber risk like any other business risk.
    • Employee engagement: Security becomes everyone’s responsibility, supported by metrics tracking employee involvement in protecting organizational digital value and business resiliency.
  • Systems Thinking: By treating organizations as complex adaptive systems, the DVMS overlay anticipates unintended consequences. For instance, a retail chain avoided supply disruptions by modeling cyber risks alongside logistics workflows.

Conclusion

Dylan’s timeless admonition—“If your time to you is worth savin’ / Then you better start swimmin’ or you’ll sink like a stone”—captures the urgency of this moment. In a world where digital resilience is existential, the combination of NIST-CSF and DVMS provides digital service providers both the compass and the life raft.

NIST-CSF offers the structure; the DVMS overlay delivers the adaptability. Together, they enable organizations to:

  • Create value securely.
  • Protect value proactively.
  • Deliver value reliably.

With this integrated approach, digital service providers can survive and lead the way, turning risk into resilience and change into competitive advantage.

In Dylan’s words, “The order is rapidly fadin’.” The time to act is now.

  • [i] Moskowitz, David and Nichols, David, A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework 2nd ed., TSO (The Stationery Office) part of Williams Lea, © 2025 (Available 3rd quarter 2025.)
  • [ii] https://www.youtube.com/watch?v=1K9_iIfjtgs&t=205s
  • [iii] https://dvmsinstitute.com/2025/04/14/beyond-grc-how-strategy-risk-enables-resilience-in-the-age-of-digital-trust/
  • [iv] https://dvmsinstitute.com/2025/04/18/the-nist-cybersecurity-framework-digital-value-management-system-a-cyber-resilience-overlay-system-for-organizations-of-any-size-scale-or-complexity/
  • [v] https://dvmsinstitute.com/2025/04/11/how-the-nist-cybersecurity-framework-digital-value-management-system-from-the-dvms-institute-enables-performance-driven-cyber-resiliency

About the Author

Dave is the Executive Director of the DVMS Institute.

David is a Founding Member and Executive Director of the DVMS Institute LLC. He is the lead author of the “Digital Value Management System®” publication series, which includes the *Fundamentals of Adopting the NIST Cybersecurity Framework* and *A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework*; *Thriving on the Edge of Chaos* is scheduled to be published by TSO.

DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

® DVMS Institute 2024 All Rights Reserved
