How a NIST Cybersecurity Framework Digital Value Management System Can Fortify UK Retailers Against Future Cyber Threats


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The recent cyberattacks on Marks & Spencer (M&S), the Co-op, and Harrods are a stark reminder of the threat landscape facing the retail sector. These high-profile incidents, attributed to the cybercriminal group Scattered Spider, exploited weaknesses that spanned digital infrastructure, third-party ecosystems, and operational workflows. The operational impact differed from one retailer to the next, but the common threads point to a broader need for strategic, structured, and proactive cybersecurity governance. A NIST Cybersecurity Framework Digital Value Management System (NIST CSF-DVMS) gives these retailers a blueprint for identifying risks, mitigating threats, and aligning cybersecurity with business objectives.

Understanding the NIST CSF-DVMS Advantage

At its core, the NIST Cybersecurity Framework is a voluntary, flexible, repeatable, and outcome-based approach to managing and reducing cybersecurity risk; version 2.0 of the framework organizes those outcomes under six functions: Govern, Identify, Protect, Detect, Respond, and Recover. When integrated into a Digital Value Management System, it evolves from a control checklist into a strategic business enabler. The DVMS overlays governance, value realization, and performance assurance principles, enabling organizations to make informed, risk-based decisions that preserve stakeholder trust and business continuity.

For retailers like M&S, the Co-op, and Harrods, this means shifting from a fragmented and reactive security posture to a systemic and integrated model that spans governance, operations, and customer engagement. With the retail sector facing growing challenges such as omnichannel complexity, high transaction volumes, legacy systems, and increasing third-party dependencies, adopting a CSF-DVMS offers a sustainable path toward cyber resilience.

Identifying and Managing Risk: Proactive Threat Intelligence

One of the defining features of the attacks on the three retailers was the suspected use of phishing and social engineering to gain a foothold. Exploitation of people rather than software highlights the Identify and Protect functions of the NIST CSF: knowing which identities can reach critical systems, and hardening the processes (help-desk verification, password and MFA resets, privileged access) that an attacker impersonating a staff member would target. A NIST CSF-DVMS encourages ongoing risk assessments that span internal operations and third-party ecosystems, so that retailers understand where their most critical assets lie and who has access to them.

Using a digital value lens, retailers can prioritize their crown-jewel assets—such as payment platforms, customer data repositories, and logistics systems—and align cybersecurity investments accordingly. Instead of reacting to breaches after they happen, they can proactively anticipate threat vectors using threat intelligence platforms, business impact analysis, and continuous asset inventory mapping.

Third-Party Risk Governance and Supply Chain Assurance

The suspected vector of entry in these cases, a shared technology or supplier weakness, underscores a central blind spot: supply chain risk. A retailer may have sound controls of its own, yet its reliance on external vendors introduces gaps that are harder to see and slower to remediate, because the affected systems and people sit outside its direct control. The DVMS framework, with its emphasis on value chain transparency and risk transfer management, equips organizations with methods for vetting, monitoring, and continuously re-evaluating third-party partners.

The Protect and Detect functions of the NIST CSF, when integrated with DVMS processes, help ensure that third-party software, APIs, and services are continuously assessed against agreed controls and that anomalies are flagged in real time. Retailers can benefit from shared assurance models and from writing security obligations into vendor contracts: incident notification deadlines, right-to-audit clauses, and minimum control baselines for any vendor staff with privileged or help-desk access to the retailer's environment. This turns supply chain cybersecurity into a shared responsibility rather than an outsourced problem.

Operational Continuity and Resilience

Of the three, M&S suffered the most severe operational disruption: its online ordering and payment systems were rendered inoperable, with reported estimates of losses running as high as £15 million per week. Harrods, by contrast, contained the intrusion early by restricting internet access across its systems and avoided significant public-facing impact. Together these cases highlight the importance of the Respond and Recover functions.

A NIST CSF-DVMS equips organizations with resilience engineering principles so that operations can continue, in degraded form if necessary, while under attack. This includes disaster recovery planning, failover architecture, offline system redundancies, and incident response playbooks that remain usable when connectivity is deliberately cut, as it was at Harrods. When managed within the DVMS, these capabilities are not ad hoc but systematically tested, measured, and improved over time.

Moreover, the DVMS’s performance assurance dimension emphasizes continuously testing recovery times, service-level objectives, and resilience KPIs. This ensures that any cyber incident becomes a test of preparedness, not a cause for panic.

Data Privacy, Compliance, and Stakeholder Trust

Data exposure, particularly in the Co-op case, raised regulatory concerns under the UK GDPR and showed what is at stake for customer trust. The NIST CSF's Protect function includes guidance on identity management, access control, and data security, the controls most directly relevant to preventing such exposure. Augmented with the DVMS, this becomes a privacy-centric governance model that both supports compliance and reinforces customer confidence.

Through the DVMS's value realization lens, organizations can treat privacy and security not merely as cost centers but as market differentiators. Transparent breach notification protocols (the UK GDPR requires notifying the ICO within 72 hours of becoming aware of a reportable breach, and affected individuals without undue delay where the risk to them is high), privacy dashboards, and data minimization practices reinforce accountability and foster customer loyalty. Retailers that demonstrate a visible, verifiable commitment to cybersecurity governance can position themselves as trustworthy custodians of customer data, even in the wake of a breach.

Cultural Change and Continuous Learning

All three companies responded to the incidents by accelerating cybersecurity investment and engaging third-party forensic firms. That is a reactive cultural shift, one that is better achieved in advance through structured cybersecurity awareness and ongoing workforce training embedded within the DVMS. The Protect function of the CSF already calls for awareness and training; the DVMS adds a layer of cultural transformation by making cybersecurity part of every employee's responsibility.

Continuous learning loops, scenario-based training, phishing simulations, and gamified awareness modules can all be institutionalized within the DVMS. These mechanisms ensure that cybersecurity knowledge does not reside solely within the IT department but becomes part of organizational DNA.

Sector Collaboration and Strategic Foresight

The advisories issued by the UK’s National Cyber Security Centre (NCSC) reflect a broader call for coordinated defense. A NIST CSF-DVMS enables participation in sector-wide cyber intelligence-sharing frameworks, helping retailers anticipate and prepare for evolving threats. It also encourages strategic foresight through scenario planning and horizon scanning, preparing organizations for known risks and emerging digital disruptions.

Retailers can participate in DVMS-powered industry consortia, contribute to threat databases, and collaborate on joint incident simulations. These activities reinforce collective resilience and reduce duplication of effort, making the retail sector more robust.

Conclusion: From Compliance to Strategic Resilience

When operationalized through a Digital Value Management System, the NIST Cybersecurity Framework provides a scalable, adaptive, and governance-driven approach to cybersecurity. For M&S, the Co-op, and Harrods, adopting this integrated model offers a pathway to recover from the recent incidents and to future-proof their digital operations. By aligning cybersecurity with business value, operational resilience, and stakeholder trust, these retailers can move from reactive compliance to strategic advantage.

As digital commerce continues to evolve, so must the systems that safeguard it. A NIST CSF-DVMS isn't merely a defensive play; it's an investment in the retail brand's sustained integrity, trust, and competitiveness.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

The DVMS Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach Service Providers of any type the skills to build a Holistic, Adaptive, and Culture-Powered Cyber Resilience Overlay System capable of proactively identifying and mitigating the systemic risks that could impact cyber business operations.

The NIST CSF-DVMS positions cyber resiliency not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach mandates engagement from top leadership to frontline employees, each fulfilling distinct duties.

Enabling Resilience requires coordinated action across an organization’s Strategy, Governance, and Operations business layers. Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect cyber business assets and adaptively manage cyber business risks while delivering sustained cyber business operations and resilience.

With this approach to Adaptive Governance, Resilience, and Assurance in place, service providers can comply with government-mandated cyber regulations (SEC, DORA, NIS2, etc.) and maturity model programs (SCF, HITRUST, CMMC, etc.).

© DVMS Institute 2025. All Rights Reserved.
