The Frameworks and Overlay System that Power A Cyber Operational Resilience Program

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

As digital transformation accelerates across industries, cyber threats have become an inevitable risk that organizations must manage proactively. The traditional approach to cybersecurity—centered around prevention and perimeter defenses—is no longer sufficient.

Today, organizations must embrace cyber operational resilience, a broader discipline focused on ensuring continuity of critical services despite cyber incidents, system failures, or external disruptions. To achieve this level of resilience, organizations rely on various established frameworks and new overlay systems that provide structure, guidance, and the enablement of best practice capabilities. These frameworks and overlays enable alignment across people, process, technology, and culture, ensuring that cyber resilience becomes a core business capability rather than a reactive afterthought.

NIST Cybersecurity Framework (NISTCSF)

The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology, is the foundation of most resilience programs. Initially designed for critical infrastructure sectors, it has evolved into a universally applicable model that organizations use worldwide to manage cyber risk and improve resilience.

The framework is organized around five core functions—Identify, Protect, Detect, Respond, and Recover—representing the lifecycle of managing cybersecurity risk. These functions guide organizations in understanding their assets and risks, implementing safeguards, monitoring threats, responding effectively to incidents, and recovering to normal operations.

What makes NIST CSF particularly effective for operational resilience is its adaptability. It allows organizations to tailor their cybersecurity programs to their size, risk profile, regulatory requirements, and maturity level. It also supports integration with other frameworks and standards, making it a versatile tool for building resilient cyber capabilities across complex enterprise environments.

Digital Value Management System (DVMS)

The Digital Value Management System (DVMS) is a business-centric overlay system that enables organizations to build a Holistic and Culture-Aligned Overlay System capable of coordinating Adaptive Governance, Resilience, and Assurance (GRA) actions across a Complex Digital Ecosystem.

Achieving true cyber operational resilience requires seamless alignment between organizational Strategy, Governance, and Operations, underpinned by a culture dedicated to sustaining and continuously innovating the Creation, Protection, and Delivery of organizational digital value.

The DVMS positions cyber resilience as a strategic, enterprise-wide capability powered by your best practice systems (NISTCSF, ITSM, GRC, etc.) and the DVMS MVC, CPD, and 3D Knowledge models.

This systems-based approach to cyber operational resilience demands active engagement from all members of the Digital Ecosystem. Each member plays a distinct role in proactively identifying and mitigating the systemic risks that threaten digital business operations.

This forward-looking approach to adaptive Governance, Resilience, and Assurance (GRA) positions businesses to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Drive Agility and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements

ISO/IEC 27001 and the Information Security Management System (ISMS)

Another foundational framework for cyber resilience is ISO/IEC 27001, an international standard for establishing, implementing, and maintaining an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure, available, and intact.

ISO 27001 supports operational resilience by emphasizing risk assessment and continuous improvement. Organizations using this framework must identify information assets, assess associated risks, implement appropriate controls, and regularly review and update their security posture. This aligns well with resilience goals such as anticipating threats, minimizing impact, and restoring operations quickly.

Moreover, ISO 27001’s certification process helps establish trust with stakeholders and regulators, which is crucial for organizations operating in high-risk or heavily regulated sectors such as finance, healthcare, and energy.

COBIT® (Control Objectives for Information and Related Technologies)

COBIT®, developed by ISACA, is an IT governance framework that helps organizations align their IT strategies with business objectives. While it is not exclusively a cybersecurity or resilience framework, COBIT is crucial in supporting cyber operational resilience through governance and performance management.

COBIT’s structured approach includes a set of processes, control objectives, and maturity models that help organizations evaluate, direct, and monitor IT functions. By linking IT governance with strategic business goals, COBIT enables organizations to ensure that cyber risk is considered in every IT decision, from procurement to operations to innovation.

In the context of resilience, COBIT ensures that digital services are effectively governed, with clear roles, accountability, and performance measurement. It also seamlessly integrates with other frameworks and overlay models, including NIST CSF, ISO 27001, ITIL, and DVMS, making it a valuable component of a holistic resilience program.

ITIL® (Information Technology Infrastructure Library)

ITIL® is a widely adopted framework for IT service management (ITSM). While ITIL does not directly address cybersecurity, it is essential to resilience because it governs how IT services are delivered, supported, and recovered.

ITIL’s processes—particularly those for incident, problem, change, and service continuity management—provide the operational backbone for responding to cyber incidents and restoring services efficiently. For example, a ransomware attack may trigger ITIL-aligned workflows to isolate affected systems, notify stakeholders, initiate backups, and implement remediation plans.

Furthermore, ITIL promotes a service-oriented culture, where technology is managed not as infrastructure but as a portfolio of services that deliver value to the business. This perspective aligns with operational resilience goals, which emphasize maintaining critical business functions rather than simply restoring technical systems.

FAIR (Factor Analysis of Information Risk)

The FAIR model is a quantitative framework for cyber risk analysis, which is increasingly used in resilience planning. Unlike traditional risk frameworks that rely on qualitative assessments (e.g., high/medium/low risk levels), FAIR provides data-driven methods to estimate risk in monetary terms, including the potential financial impact of cyber incidents.

By quantifying cyber risk, FAIR enables organizations to make informed decisions about resilience investments, such as evaluating the return on security tools, justifying business continuity plans, or purchasing cyber insurance. It also facilitates executive communication by translating technical risks into business language.

FAIR supports risk-based prioritization in resilience programs, ensuring that the most critical assets and services receive the attention and protection they deserve. It complements frameworks like NIST CSF and ISO 27001 by providing a deeper layer of analysis for decision-making.
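As an added illustration (not from the original article, and not the FAIR standard's own tooling) of how FAIR decomposes risk into Loss Event Frequency and Loss Magnitude and reports it in monetary terms rather than high/medium/low labels, the Python below computes a point estimate and a seeded Monte Carlo range; every input figure is a constructed placeholder.

```python
import random
import statistics

# FAIR factors risk into Loss Event Frequency (LEF, events per year) and
# Loss Magnitude (LM, currency per event). Every figure used here is a
# constructed placeholder for illustration, not data from a real assessment.

def loss_event_frequency(threat_event_frequency, vulnerability):
    """LEF = Threat Event Frequency x Vulnerability, where vulnerability is the
    probability that an attempted threat event results in a loss."""
    return threat_event_frequency * vulnerability

def annualized_loss_expectancy(lef, loss_magnitude):
    """Point estimate of annual risk in monetary terms: LEF x LM."""
    return lef * loss_magnitude

def simulate_annual_loss(tef, vuln, lm, trials=20000, seed=1):
    """Monte Carlo over calibrated (min, max, most_likely) ranges, the kind of
    estimates FAIR analysts collect instead of high/medium/low labels.
    Returns the mean annual loss and the 90th percentile (a 'bad year')."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), matching the tuple order.
        lef = loss_event_frequency(rng.triangular(*tef), rng.triangular(*vuln))
        # Expected loss for the year; a fuller model would draw a Poisson count
        # of events and sum a separate LM draw for each one.
        losses.append(annualized_loss_expectancy(lef, rng.triangular(*lm)))
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p90": losses[int(0.9 * trials)],
    }

# Constructed scenario: ransomware against a revenue-critical service.
SCENARIO = {
    "tef": (2.0, 12.0, 5.0),                # attempts per year: min, max, most likely
    "vuln": (0.05, 0.40, 0.15),             # chance an attempt becomes a loss event
    "lm": (20_000.0, 300_000.0, 80_000.0),  # loss per event in dollars
}

if __name__ == "__main__":
    result = simulate_annual_loss(**SCENARIO)
    print(f"mean annual loss ${result['mean']:,.0f}, 90th percentile ${result['p90']:,.0f}")
```

The mean is what feeds a return-on-control comparison; the 90th percentile is the figure a continuity plan or insurance limit is usually sized against.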

ISO 22301

ISO 22301, the international standard for business continuity management systems (BCMS), integrates well with cyber resilience, emphasizing impact analysis, recovery planning, testing, and continual improvement. For example, organizations must identify time-critical activities, determine acceptable downtime, and implement recovery strategies that align with organizational risk appetite.

When combined with cybersecurity frameworks like NIST CSF or ISO 27001, ISO 22301 provides the operational continuity layer, ensuring that organizations can withstand not only cyberattacks but also natural disasters, pandemics, or supply chain failures.

Conclusion

Cyber operational resilience is a complex, multidimensional challenge that requires more than strong IT controls—it demands an ecosystem of frameworks that span strategy, governance, risk, operations, and culture.

The NIST CSF lays the foundation with its comprehensive cyber risk management lifecycle. At the same time, the DVMS overlay connects operational resilience to sustainable business outcomes through its culture-powered adaptive governance and performance assurance capabilities. ISO standards bring structure and global consistency, COBIT provides governance rigor for IT, ITIL ensures operational readiness, FAIR enables financial insight, and ISO 22301 ensures business continuity.

No single framework is sufficient on its own. The most resilient organizations integrate these models into a cohesive program aligned with their risk profile, business strategy, and regulatory landscape. Together, these frameworks, powered by the DVMS cyber resilience overlay system, empower organizations to survive cyber disruptions and thrive in a digital world where resilience is a competitive differentiator.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”

The DVMS Institute’s Certified Training Programs teach organizations the skills to build a Holistic and Culture-Aligned Overlay System capable of coordinating Cyber Operational Resilience actions across a Complex Digital Ecosystem.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
