Understanding the DVMS Overlay Model

Share This Post

Understanding the DVMS Overlay Model

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction

The Digital Value Management System (DVMS) represents a new way of transforming static, fragmented, and control-based Cybersecurity, GRC, ERM, ITSM, and other best-practice digital business systems into an integrated, adaptive, and culture-aligned system that drives cyber operational resilience, regulatory compliance, and digital trust across complex digital supply chains.

Unlike traditional frameworks or methods, the DVMS is explicitly designed as an overlay. This means it does not replace existing frameworks, standards, or methods but instead sits above them, helping organizations to see their activities holistically, reveal gaps, and ensure that value creation and value protection occur together. As described in the DVMS publication, Thriving on the Edge of Chaos, the DVMS provides a systems-based overlay that recognizes organizations as complex adaptive systems and emphasizes culture, leadership, and learning as core enablers of resilience.

This paper describes how the DVMS Overlay Model works, why it is necessary, and how it connects organizational governance, culture, and the NIST Cybersecurity Framework (CSF) 2.0 to operationalize practice.

The DVMS as an Overlay

The DVMS is neither a framework nor a method. Frameworks are descriptive, and processes are prescriptive, but both are often siloed and challenging to scale. The DVMS, instead, is an overlay that is adaptable by all, regardless of size, maturity, or sector. It aims to sit on top of what organizations already do—whether that involves ITIL, COBIT, ISO standards, or NIST CSF—and expose performance gaps.

This overlay approach makes DVMS highly scalable. It acknowledges that every organization already has structures, methods, and capabilities. By layering over them, DVMS avoids reinventing the wheel and instead reveals how existing practices map to essential organizational capabilities. In doing so, it ensures that cybersecurity is not seen as a technical silo but as an aspect of organizational resilience and business value.

The Three Layers of the Overlay

The DVMS Overlay is composed of three layers that together ensure organizational resilience and alignment:

  1. The Top Layer: What the Organization Already Does
    This represents the existing frameworks, standards, and practices already embedded in the organization. It is treated as a “black box” to the outside world but describes the current state of business operations, compliance, and risk management.
  2. The Middle Layer: The MVC-Z-X Model
    The MVC-Z-X Model provides seven minimum viable capabilities (MVCs) that every organization must possess to create and protect value: Govern, Assure, Plan, Design, Change, Execute, and Innovate. Everything an organization does maps into one or more of these capabilities. For example, HR policies fall under “Govern,” project management maps to “Plan” and “Execute,” and research activities relate to “Innovate.” This model provides the structure against which all organizational activities can be aligned.
  3. The Bottom Layer: The CPD Model
    The Create, Protect, and Deliver (CPD) Model operationalizes the Z-X Model. It links governance with execution and ensures that strategy-risk—defined as the inseparability of strategy and risk—is embedded in daily activities. The CPD Model ensures that digital business value is created and delivered in an appropriately protected way, reinforcing the principle that unprotected value has no value.

 

Culture, Structure, and Behavior in the Overlay

The DVMS Overlay stresses that organizational culture is a core driver of success. Culture shapes how people behave, how systems adapt, and whether resilience is achieved. As Thriving on the Edge of Chaos explains, culture and structure are inextricably linked: to change culture, structural changes are often necessary (for example, reducing management layers to encourage collaboration).

The overlay recognizes the latency of cultural change, much like steering a supertanker: adjustments take time before results are visible. By embedding DVMS across all layers, organizations create a learning, transparent, and accountable culture that aligns with governance and risk objectives. This ensures that security and resilience are not bolted on afterward but emerge naturally from organizational behaviors.

Phased Adoption: The FastTrack Approach

To make adoption practical, DVMS includes a phased path known as FastTrack™. The four phases are:

  • Phase 0: Initiate – Establishing the baseline, documenting workflows, and preparing governance.
  • Phase 1: Basic Hygiene – Stabilizing the environment with foundational practices.
  • Phase 2: Expand – Optimizing and expanding capabilities across the organization.
  • Phase 3: Innovate – Embedding continual innovation and adaptive resilience as a cultural norm.

 

These phases are not strictly linear. For instance, an innovation in Phase 1 may loop back and influence governance decisions in Phase 0. This iterative approach mirrors agile principles and ensures that organizations do not stall waiting for “perfect” maturity before beginning improvements.

Linking DVMS to the NIST CSF 2.0

The DVMS Overlay is intentionally designed to work with the NIST CSF 2.0. The CSF provides outcomes across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The DVMS does not replace these but overlays them with organizational practice areas. For example:

  • Govern aligns with DVMS’s Govern and Assure capabilities.
  • Identify connections with Plan and Design, ensuring risks are understood.
  • Protect and Detect fall under Execute, reinforced by Change and Innovate to adapt defenses.
  • Respond and Recover map into Execute and Assure, ensuring accountability and resilience.

 

This alignment means that DVMS provides the “how” to the CSF’s “what.” Where CSF describes desired outcomes, DVMS shows how to integrate them into strategy, governance, and daily operations.

Systems Thinking and Strategy-Risk

A core principle of the Overlay is systems thinking. Organizations are treated as complex adaptive systems where each part influences the whole. The DVMS encourages organizations to view cybersecurity not as isolated incidents but as part of interconnected work, communication, and innovation flows.

Closely tied to this is the concept of strategy-risk. Instead of separating “strategy” and “risk” into distinct domains, DVMS merges them into a single concept. Every strategy inherently carries risk, and every risk decision is strategic. Embedding this mindset into the overlay ensures organizations can navigate uncertainty, adapt to threats, and continue delivering value.

Practical Outcomes of the Overlay

The DVMS Overlay Model achieves several practical outcomes for organizations:

  1. Gap Identification—By mapping existing activities to the Z-X Model, organizations quickly identify what capabilities are missing or weak.
  2. Resilience as a By-Product – Instead of chasing cybersecurity compliance, resilience emerges naturally from aligning governance, culture, and operations.
  3. Concurrent Value Creation and Protection – Rather than treating protection as an afterthought, value is created and protected simultaneously.
  4. Adaptability – The overlay allows organizations to evolve iteratively, embedding innovation into governance and execution.
  5. Universal Applicability—DVMS is equally useful to small businesses, multinationals, and government agencies because it overlaps with what already exists.

 

Conclusion

The DVMS Overlay Model works by shifting perspective. Instead of treating cybersecurity as a technical silo, it reframes it as an aspect of digital value governance. By operating as a scalable overlay, DVMS enables organizations to integrate frameworks like the NIST CSF into a broader governance, culture, and operations system. Its three layers—the organization’s existing practices, the Z-X Model, and the CPD Model—ensure that strategy and risk are inseparable, value creation and protection are concurrent, and resilience is the natural outcome.

Ultimately, the DVMS Overlay is not about cybersecurity alone. It is about thriving in a volatile, uncertain, complex, and ambiguous world by building organizations that sustainably create, protect, and deliver digital value. In doing so, it provides both a lens to see differently and a roadmap to act differently, ensuring that digital business resilience is not just a goal but a way of being.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

Digital Value Management System® (DVMS)

The DVMS is an adaptive, culture-enabled governance overlay designed to help organizations of any size, scale, or complexity transition from static, paper-based governance models to a living, evidence-based system of Governance, Resilience, Assurance, and Accountability (GRAA).

At its core, the DVMS is a simple but powerful integration of:

Rather than adding more complexity, a DVMS integrates fragmented frameworks and practices such as NIST CSF, GRC, ITSM, DevOps, and AI into a unified overlay system that enables leaders and regulators to see, in real time, whether the digital business is working as intended—and whether the risks that matter most are being managed proactively.

Through its MVCCPD3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability

DVMS White Papers

The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment fosters IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Company Brochures and Presentation
Explainer Videos

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved

More To Explore

It's Time to Protect Your digital business value & resiliency

Publications, Certification Training, Enterprise Solutions & Community

Contact Us