Understanding the DVMS Overlay Model

Understanding the DVMS Overlay Model

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction

The Digital Value Management System (DVMS) represents a new way of transforming static, fragmented, and control-based Cybersecurity, GRC, ERM, ITSM, and other best-practice digital business systems into an integrated, adaptive, and culture-aligned system that drives cyber operational resilience, regulatory compliance, and digital trust across complex digital supply chains.

Unlike traditional frameworks or methods, the DVMS is explicitly designed as an overlay. This means it does not replace existing frameworks, standards, or methods but instead sits above them, helping organizations to see their activities holistically, reveal gaps, and ensure that value creation and value protection occur together. As described in the DVMS publication, Thriving on the Edge of Chaos, the DVMS provides a systems-based overlay that recognizes organizations as complex adaptive systems and emphasizes culture, leadership, and learning as core enablers of resilience.

This paper describes how the DVMS Overlay Model works, why it is necessary, and how it connects organizational governance, culture, and the NIST Cybersecurity Framework (CSF) 2.0 to operationalize practice.

The DVMS as an Overlay

The DVMS is neither a framework nor a method. Frameworks are descriptive, and processes are prescriptive, but both are often siloed and challenging to scale. The DVMS, instead, is an overlay that is adaptable by all, regardless of size, maturity, or sector. It aims to sit on top of what organizations already do—whether that involves ITIL, COBIT, ISO standards, or NIST CSF—and expose performance gaps.

This overlay approach makes DVMS highly scalable. It acknowledges that every organization already has structures, methods, and capabilities. By layering over them, DVMS avoids reinventing the wheel and instead reveals how existing practices map to essential organizational capabilities. In doing so, it ensures that cybersecurity is not seen as a technical silo but as an aspect of organizational resilience and business value.

The Three Layers of the Overlay

The DVMS Overlay is composed of three layers that together ensure organizational resilience and alignment:

1. The Top Layer: What the Organization Already Does
   This represents the existing frameworks, standards, and practices already embedded in the organization. It is treated as a “black box” to the outside world but describes the current state of business operations, compliance, and risk management.
2. The Middle Layer: The MVC-Z-X Model
   The MVC-Z-X Model provides seven minimum viable capabilities (MVCs) that every organization must possess to create and protect value: Govern, Assure, Plan, Design, Change, Execute, and Innovate. Everything an organization does maps into one or more of these capabilities. For example, HR policies fall under “Govern,” project management maps to “Plan” and “Execute,” and research activities relate to “Innovate.” This model provides the structure against which all organizational activities can be aligned.
3. The Bottom Layer: The CPD Model
   The Create, Protect, and Deliver (CPD) Model operationalizes the Z-X Model. It links governance with execution and ensures that strategy-risk—defined as the inseparability of strategy and risk—is embedded in daily activities. The CPD Model ensures that digital business value is created and delivered in an appropriately protected way, reinforcing the principle that unprotected value has no value.

Culture, Structure, and Behavior in the Overlay

The DVMS Overlay stresses that organizational culture is a core driver of success. Culture shapes how people behave, how systems adapt, and whether resilience is achieved. As Thriving on the Edge of Chaos explains, culture and structure are inextricably linked: to change culture, structural changes are often necessary (for example, reducing management layers to encourage collaboration).

The overlay recognizes the latency of cultural change, much like steering a supertanker: adjustments take time before results are visible. By embedding DVMS across all layers, organizations create a learning, transparent, and accountable culture that aligns with governance and risk objectives. This ensures that security and resilience are not bolted on afterward but emerge naturally from organizational behaviors.

Phased Adoption: The FastTrack Approach

To make adoption practical, DVMS includes a phased path known as FastTrack™. The four phases are:

• Phase 0: Initiate – Establishing the baseline, documenting workflows, and preparing governance.
• Phase 1: Basic Hygiene – Stabilizing the environment with foundational practices.
• Phase 2: Expand – Optimizing and expanding capabilities across the organization.
• Phase 3: Innovate – Embedding continual innovation and adaptive resilience as a cultural norm.

These phases are not strictly linear. For instance, an innovation in Phase 1 may loop back and influence governance decisions in Phase 0. This iterative approach mirrors agile principles and ensures that organizations do not stall waiting for “perfect” maturity before beginning improvements.

Linking DVMS to the NIST CSF 2.0

The DVMS Overlay is intentionally designed to work with the NIST CSF 2.0. The CSF provides outcomes across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The DVMS does not replace these but overlays them with organizational practice areas. For example:

• Govern aligns with DVMS’s Govern and Assure capabilities.
• Identify connections with Plan and Design, ensuring risks are understood.
• Protect and Detect fall under Execute, reinforced by Change and Innovate to adapt defenses.
• Respond and Recover map into Execute and Assure, ensuring accountability and resilience.

This alignment means that DVMS provides the “how” to the CSF’s “what.” Where CSF describes desired outcomes, DVMS shows how to integrate them into strategy, governance, and daily operations.

Systems Thinking and Strategy-Risk

A core principle of the Overlay is systems thinking. Organizations are treated as complex adaptive systems where each part influences the whole. The DVMS encourages organizations to view cybersecurity not as isolated incidents but as part of interconnected work, communication, and innovation flows.

Closely tied to this is the concept of strategy-risk. Instead of separating “strategy” and “risk” into distinct domains, DVMS merges them into a single concept. Every strategy inherently carries risk, and every risk decision is strategic. Embedding this mindset into the overlay ensures organizations can navigate uncertainty, adapt to threats, and continue delivering value.

Practical Outcomes of the Overlay

The DVMS Overlay Model achieves several practical outcomes for organizations:

1. Gap Identification—By mapping existing activities to the Z-X Model, organizations quickly identify what capabilities are missing or weak.
2. Resilience as a By-Product – Instead of chasing cybersecurity compliance, resilience emerges naturally from aligning governance, culture, and operations.
3. Concurrent Value Creation and Protection – Rather than treating protection as an afterthought, value is created and protected simultaneously.
4. Adaptability – The overlay allows organizations to evolve iteratively, embedding innovation into governance and execution.
5. Universal Applicability—DVMS is equally useful to small businesses, multinationals, and government agencies because it overlaps with what already exists.

Conclusion

The DVMS Overlay Model works by shifting perspective. Instead of treating cybersecurity as a technical silo, it reframes it as an aspect of digital value governance. By operating as a scalable overlay, DVMS enables organizations to integrate frameworks like the NIST CSF into a broader governance, culture, and operations system. Its three layers—the organization’s existing practices, the Z-X Model, and the CPD Model—ensure that strategy and risk are inseparable, value creation and protection are concurrent, and resilience is the natural outcome.

Ultimately, the DVMS Overlay is not about cybersecurity alone. It is about thriving in a volatile, uncertain, complex, and ambiguous world by building organizations that sustainably create, protect, and deliver digital value. In doing so, it provides both a lens to see differently and a roadmap to act differently, ensuring that digital business resilience is not just a goal but a way of being.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”

The DVMS Institute Certified Training Programs teach organizations how to transform static, fragmented, and control-based Governance, Risk, and Compliance (GRC) frameworks (NIST, ISO, ITSM, COSO ERM, etc.) into an integrated GRC Digital Value Management System®. (DVMS)

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, the DVMS seamlessly aligns your digital business Strategy, Governance, Operations, and Culture to transform your GRC program into an integrated, adaptive, and culture-powered overlay system that drives proactive Operational Resilience, Regulatory Compliance, and Digital Trust across your complex digital supply chain.

By adopting this integrated, adaptive, and culture-driven approach to GRC, businesses are positioned to:

• Maintain Operational Stability Amidst Constant Digital Disruption
• Deliver Digital Value and Trust Across A Digital Ecosystem
• Satisfy Critical Regulatory and Certification Requirements
• Leverage Cyber Resilience as a Competitive Advantage

DVMS Explainer Videos

• Architecture Video: David Moskowitz explains the DVMS System
• Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
• Overlay Model – What is an Overlay Model
• MVC ZX Model – Powers the CPD
• CPD Model – Powers  DVMS Operations
• 3D Knowledge Model – Powers the DVMS Culture
• FastTrack Model – Enables A Phased DVMS Adoption

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved