Six Steps to Enabling Cyber Operational Resilience Using the NIST Cybersecurity Framework and a Digital Value Management System® (DVMS)


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction: Cybersecurity Reimagined through Resilience

In today’s volatile, uncertain, complex, and ambiguous (VUCA) digital environment, organizations must move beyond traditional notions of cybersecurity. The goal is not only to defend against attacks but also to develop cyber resilience: the capacity to anticipate, withstand, recover from, and adapt to adverse conditions and evolving threats.

The Digital Value Management System® (DVMS), developed by the DVMS Institute, offers a systems-based overlay that enables organizations to build cyber resilience by aligning cybersecurity initiatives with business strategy, risk management, and value delivery. DVMS does not replace existing frameworks such as the NIST Cybersecurity Framework (CSF) 2.0 or ITIL®; instead, it complements and enhances them by integrating cybersecurity into the broader context of enterprise governance and digital value creation. To fully leverage the DVMS, organizations must undergo a series of intentional, interconnected steps that transform how they perceive, manage, and operationalize cybersecurity.

Step One: Rethinking Cybersecurity as a Business Enabler

The journey begins with a fundamental change in mindset: cybersecurity is not merely a technical function or cost center but a strategic business enabler. Many organizations still approach cybersecurity as a collection of controls or compliance activities managed by IT departments in isolation.

DVMS challenges this view by asserting that cybersecurity is inseparable from enterprise risk management and organizational performance. As stated in the Institute’s foundational materials, value creation and value protection are two sides of the same coin, and both must occur concurrently to deliver sustained business value. Organizations must therefore reframe cybersecurity as a function of enterprise strategy and risk, not an afterthought or bolt-on.

This shift in perception requires leadership at the highest levels—boards, executives, and senior managers—to embrace cybersecurity as a strategic imperative. Leaders must actively sponsor cybersecurity initiatives and model the behaviors expected across the enterprise. Only then can a culture of accountability, risk awareness, and resilience take root.

The DVMS helps initiate this transformation by establishing a framework in which governance, assurance, and innovation are viewed as capabilities of equal importance in a resilient organization.

Step Two: Applying the DVMS Overlay

With the right mindset, organizations can begin applying the DVMS as an overlay to existing structures, tools, and practices. The DVMS is not a prescriptive method or rigid framework but a meta-model that overlays what the organization already does. This adaptability is central to its value. The DVMS consists of three structural layers. The top layer reflects current organizational practices, frameworks, and operations. The middle layer comprises the seven Minimum Viable Capabilities (MVCs): Govern, Assure, Plan, Design, Change, Execute, and Innovate. The MVCs serve as a lens through which all organizational activity can be evaluated and improved. The bottom layer is the CPD Model (Create, Protect, Deliver), which operationalizes the DVMS by connecting strategic governance with tactical execution.

This overlay allows organizations to identify performance gaps, misaligned activities, and missing capabilities. For example, a company may discover that while it has robust security operations (Execute), it lacks strategic governance policies (Govern) or innovation pipelines (Innovate) to adapt to emerging threats. The DVMS makes these gaps visible and offers a roadmap for improvement.

Step Three: Defining Strategy-Risk and Aligning it with Cyber Objectives

A unique feature of the DVMS is its treatment of “strategy-risk” as a unified concept. Traditional risk management often positions risk as a factor to be addressed after strategic plans are made. DVMS flips this script, embedding risk into the strategy development process itself. Organizations can better anticipate consequences, evaluate trade-offs, and make informed decisions by treating strategy and risk as inseparable. This is particularly important in cybersecurity, where the costs of delayed or reactive decision-making can be catastrophic.

Organizations can define measurable outcomes that align cybersecurity with business strategy using DVMS Question-Outcome–Question Metric (QO–QM) and Goal-Question-Metric (GQM) methodologies. These methodologies allow cross-functional teams to clarify strategic intent, formulate meaningful questions, and design metrics that guide the implementation of cybersecurity initiatives. This level of alignment is critical to ensuring that cybersecurity activities contribute to overall enterprise resilience rather than exist in isolated silos.

Step Four: Integrating the NIST CSF through Profiles and Tiers

DVMS is designed to work synergistically with the NIST CSF 2.0. The framework’s six core Functions—Govern, Identify, Protect, Detect, Respond, and Recover—map well onto the DVMS model. Organizations can use the CSF’s Organizational Profiles to define their current and target states and conduct gap analyses. By comparing where they are to where they want to be, organizations can identify priority areas for improvement and develop action plans to close those gaps.

The CSF’s Tiers characterize the rigor of an organization’s cybersecurity governance and management practices. DVMS enhances this by offering a systems thinking perspective that informs how organizations progress from ad hoc (Tier 1) to adaptive (Tier 4) cybersecurity maturity. By integrating CSF Profiles and Tiers into the DVMS overlay, organizations create a powerful engine for continuous improvement and resilience.

Step Five: Implementing in Phases with FastTrack

Adopting the DVMS does not require a “big bang” transformation. The model encourages phased implementation through its FastTrack™ approach, which is structured into four phases. Phase 0, Initiate, focuses on understanding the current state and preparing for change. Phase 1, Basic Hygiene, emphasizes stabilization—implementing foundational controls and ensuring existing systems perform effectively. Phase 2, Expand, builds on this foundation to optimize capabilities across departments and functions. Finally, Phase 3, Innovate, institutionalizes continuous learning and improvement as core organizational capabilities.

Each phase allows for incremental, manageable change, reducing the risk of disruption while steadily advancing cyber resilience. The FastTrack approach ensures that cybersecurity initiatives deliver tangible benefits from the outset by aligning implementation efforts with business value creation and protection goals.

Step Six: Building a Culture of Learning and Resilience

At the heart of organizational resilience is culture. Policies, frameworks, and technologies are essential but insufficient without a managerial mindset that values continuous learning, transparency, and adaptive behavior. The DVMS emphasizes cultivating a “learning organization” where teams actively reflect on performance, share knowledge, and evolve systems through intentional learning and improvement.

A key enabler of this transformation is the DVMS 3D Knowledge Model, which structures knowledge in three interdependent dimensions—Structured Knowledge, Contextual Knowledge, and Experiential Knowledge—to ensure that learning is embedded into the organizational DNA.

  • Structured Knowledge includes documented policies, standards, and procedures that formalize the organizational understanding of cybersecurity roles, responsibilities, and practices. Within a learning culture, this knowledge is not static—it is continuously reviewed, updated, and aligned with strategic governance to reinforce consistent behavior and risk-aware decision-making.
  • Contextual Knowledge allows individuals to apply structured knowledge meaningfully within specific roles, teams, and environments. By helping employees understand the “why” behind the “what,” the DVMS fosters systems thinking, enabling more nuanced responses to complex and evolving cyber threats.
  • Experiential Knowledge captures insights gained from hands-on activities, retrospectives, audits, incident responses, and operational feedback loops. The DVMS institutionalizes mechanisms—such as after-action reviews, peer learning, and adaptive planning—that ensure lessons learned translate into tangible changes in behavior and practice. This supports organizational agility and resilience in the face of emerging challenges.

The 3D Knowledge Model also reinforces cross-functional collaboration and structured knowledge-sharing, enabling different departments to co-create solutions and maintain a unified approach to cyber risk and value delivery. Leadership modeling desired behaviors, embedding governance structures that reward learning, and creating safe environments where experimentation and innovation can thrive further strengthen cultural change.

As this culture matures, cybersecurity becomes an intrinsic part of the organization’s operating system—not a discrete IT function, but a core enabler of digital value creation and protection. With the DVMS and its 3D Knowledge Model, organizations can move beyond compliance toward continuous, systemic learning, transforming resilience from a goal into a daily practice.

Conclusion: Resilience as a Competitive Advantage

In the face of ever-evolving threats, achieving and maintaining cyber resilience is a strategic differentiator. Leveraging the DVMS enables organizations to embed cybersecurity into their core governance, strategy, and operations. By rethinking cybersecurity as a business enabler, applying the DVMS overlay, aligning strategy-risk with operations, integrating the NIST CSF, implementing in phased steps, and cultivating a culture of continuous learning, organizations transform themselves into resilient enterprises. In doing so, they move from merely surviving the digital storm to thriving in it.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”

The DVMS Institute’s Certified Training Programs teach organizations the skills to build a Holistic and Culture-Aligned Overlay System capable of coordinating Adaptive, Governance, Resilience, and Assurance actions across a Complex Digital Ecosystem.

Achieving true cyber resilience across a complex digital ecosystem requires seamless alignment between organizational Strategy, Governance, and Operations, underpinned by a culture dedicated to sustaining and continuously innovating organizational digital value.

The DVMS positions cyber resilience as a strategic, enterprise-wide capability powered by the Institute’s CPD, Z-X, and 3D Knowledge models.

This systems-based approach to cyber operational resilience demands active engagement from all members of the Digital Ecosystem, with each member playing a distinct role in proactively identifying and mitigating the systemic risks that threaten digital business operations.

This adaptive, forward-looking approach to Governance, Resilience, and Assurance (GRA) positions businesses to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Drive Agility and Trust Across Your Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
