Culture as Capability – Embedding Resilience into Daily Behavior – The Assurance in Action Series – Part 4

Share This Post

Culture as Capability – Embedding Resilience into Daily Behavior – The Assurance in Action Series – Part 4

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Cultural Challenge

Resilience isn’t based solely on frameworks, policies, or controls. Instead, it is demonstrated through daily actions. Culture influences whether staff escalate a critical vulnerability, if managers admit when recovery thresholds are missed, and whether executives confront uncomfortable truths.

This is the paradox at the heart of resilience: organizations often have the right systems and frameworks in place, yet they still fail when culture resists transparency, collaboration, or accountability. History is full of examples where culture, not technology, undermined resilience. In some organizations, frontline teams detected issues but hesitated to escalate out of fear of reprisal. In others, managers prioritized keeping dashboards green over admitting to gaps. The result was not just delayed responses but full-blown crises.

Boards and executives may declare intent, managers may adopt the Digital Value Management System® (DVMS), and controls may be implemented. Still, without a culture that fosters openness, accountability, and trust, evidence of assurance becomes meaningless.

This reality means that culture cannot be treated as an afterthought. It must be designed and managed with the same rigor as incident response, vendor continuity, or cyber defense.

Culture as a Capability, Not an Afterthought

Too often, culture is seen as intangible, something to “influence” rather than actively implement. Leaders discuss the “tone at the top” or refer to employee engagement surveys, but these ideas often remain vague. In the DVMS, culture is understood in a different way.

Culture is an organizational capability. Like other capabilities, it can be designed, measured, and improved. It is part of the Minimum Viable Capabilities (MVC) because no system of governance, workflows, or evidence can sustain itself if the underlying culture does not promote candor, discipline, and cross-functional collaboration.

This perspective aligns with Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, which emphasizes that leadership is deeply intertwined with culture. Leaders’ actions influence the system. When leaders act defensively, employees tend to hide problems. Conversely, when leaders encourage transparency, issues are identified and addressed early. Therefore, managers must see culture not merely as an HR issue but as a systemic skill crucial for resilience.

CPD and Cultural Alignment

The Create, Protect, Deliver (CPD) Model emphasizes placing culture at the heart of business value. A culture aligned with CPD ensures resilience extends beyond technical functions, influencing every decision and interaction.

  • Create: Culture fosters innovation in resilience practices. Employees feel empowered to suggest improvements or test new approaches without waiting for a compliance mandate.
  • Protect: Culture encourages discipline and transparency. Escalation is swift, rehearsals are candid, and errors are treated as opportunities to learn rather than failures to be punished.
  • Deliver: Culture reinforces collaboration under pressure. Teams rally across silos to maintain continuity, protect customer trust, and ensure delivery of value even when systems are under attack.

 

When culture aligns with CPD, resilience stops being a compliance exercise and becomes a lived behavior. People no longer act out of fear of failing an audit but from confidence in their ability to uphold business value.

Evidence of Culture

Boards do not want generic assurances that “we have the right culture.” They want proof. Just as technical controls must be tested, cultural claims must be demonstrated in measurable ways.

Escalation speed is one example. How long does it take for an incident to move from detection to executive awareness? A resilient culture reduces this time because people are not afraid to raise their hands. Participation in rehearsals is another factor. Do cross-functional teams engage meaningfully, or do they attend reluctantly, viewing the exercise as just a compliance obligation? Near-miss reporting is equally revealing. Are small failures logged and addressed, or are they buried until they escalate into crises?

The Practitioner’s Guide to Building Cyber-Resilience (Second Edition) presents the QO–QM (Question Outcome–Question Metric) model as a way to connect governance outcomes with operational measures. When applied to culture, the board might say: “Staff must feel safe reporting issues.” Managers then monitor increases in near-miss reports, improvements in corrective action rates, or participation in voluntary resilience exercises. This approach makes the abstract idea of culture into measurable outcomes and metrics that can be assessed, reported, and improved.

The Consequences of Weak Culture

Consider recent breaches where culture played as significant a role as technology.

  • At Equifax (2017), the vulnerability was known and the patch was available. Yet organizational silos and a culture of minimal accountability delayed remediation. The result was a catastrophic loss of consumer trust.
  • At Colonial Pipeline (2021), cyber remained treated as “IT’s problem.” Governance did not integrate cyber risk into operational resilience. A culture of compartmentalization left executives unprepared to manage a ransomware event that escalated into a national crisis.
  • In the 2023 MOVEit breach, vendor risk, IT operations, and cyber monitoring each believed they were fulfilling their duties. But the culture of siloed accountability prevented unified oversight, allowing the exploit to cascade across industries.

 

In each case, culture was the unseen weakness. Capabilities existed on paper, but cultural blind spots rendered frameworks ineffective, turning them into illusions of resilience.

The Manager’s Role in Shaping Culture

Culture isn’t dictated solely from the boardroom. It is shaped daily by managers’ decisions and actions. A single choice by a manager, such as rewarding early reporting, insisting on candid after-action reviews, or integrating functions during rehearsals, creates a ripple effect throughout the system.

Managers exemplify what resilience looks like. A manager who praises a team for identifying an issue early shows vigilance. A manager who views a failed exercise as an opportunity to learn rather than a performance critique demonstrates psychological safety. A manager who requires involving operations, IT, and cyber in the same resilience drill promotes integration.

As Thriving on the Edge of Chaos notes, leadership is the art of turning complexity into clarity. Managers demonstrate leadership when they help their teams see resilience not as abstract governance jargon but as daily behavior that sustains value.

The Executive Imperative

For boards, culture shouldn’t be seen as just an HR issue or background factor. It is a matter of assurance. Weak cultures represent governance failures because they hinder the surfacing, sharing, and actioning of evidence. Conversely, strong cultures enhance assurance by making sure that every rehearsal, incident, and near miss contributes to organizational learning.

Directors should evaluate culture with the exact “fit for purpose” and “fit for use” tests they apply to technical capabilities. While transparency and accountability may be highlighted as strategic priorities, the actual question is whether evidence shows them in action. Boards must demand not just policies but evidence: proof that escalation occurs swiftly, that near misses are logged, that cross-functional drills are genuine, and that employees feel safe speaking openly without fear of punishment.

The Role of AI and Automation in Supporting Culture

Historically, managers saw assurance as burdensome. Gathering, testing, and reporting cultural indicators in real time seemed impractical. Psychological safety surveys, rehearsal participation metrics, or near-miss logs required slow manual processes that quickly lagged behind actual conditions.

That is changing. Advances in automation and artificial intelligence are making assurance possible at scale. Automated monitoring provides real-time visibility not only into systems but also into participation rates and escalation behaviors. AI-driven simulations continuously test resilience scenarios, offering evidence of cultural responsiveness under pressure. Agentic systems record performance data directly into governance dashboards, reducing the gap between daily behavior and board-level oversight.

For managers, AI is not a substitute for judgment or leadership. It is a tool that reduces the burden of assurance, allowing them to concentrate on interpretation, decision-making, and ongoing improvement. What was once endless paperwork now becomes real-time confidence, driven by systems that gather evidence without creating overwhelming overhead.

The Manager’s Paradigm Shift

All of this indicates a broader change for managers. Previously, governance and resilience were viewed as transactions. The focus was on implementing controls, generating reports, and passing audits. Activity was seen as progress.

Today, disruption is ongoing, and boards are no longer content with just artifacts of compliance. They demand assurance, evidence that capabilities can perform under pressure. This pushes managers to transition from delivering documentation to developing capabilities, from showing activity to demonstrating performance, and from feeling comfortable to having confidence.

This shift requires managers to think systemically. The CPD Model links culture to value creation, protection, and delivery. The MVC overlay helps managers identify cultural gaps and incorporate them into capabilities. The QO–QM model ties intent to evidence, ensuring cultural goals are measured and improved.

Because the scale of this shift can feel overwhelming, the DVMS FastTrack® approach offers a phased pathway. Managers begin with critical MVCs, develop integrated cultural skills around them, and demonstrate resilience over time. Each step boosts confidence, reduces complexity, and encourages cultural change without overwhelming the organization.

From Comfort to Confidence

Boards no longer settle for just knowing which controls exist. They seek proof that these controls function effectively under pressure. For managers, the key question is this: Are you providing artifacts that record activity or assurance evidence that proves capability?

The Assurance Mandate whitepaper introduced the shift from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA). Parts 1 and 2 of this series demonstrated how intent must be translated into capabilities and how frameworks like the NIST Cybersecurity Framework can be implemented through DVMS. Part 3 explained how controls must generate evidence.

Part 4 ties it all together: nothing works without culture. Culture determines whether resilience is merely a slogan or a genuine skill. The first offers comfort. The second fosters confidence.

Looking Ahead

In the following article of the Assurance in Action Series, we will explore the concept of continual improvement. Assurance is not a static goal but an ongoing cycle of learning, testing, and adapting. Managers will see how the DVMS enables continual improvement cycles operationalized by the CPD model and realized in the MVC.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Transforming Cyber Risk into Operational Resilience – DVMS Certified Training Solutions

The DVMS Institute’s Certified Training Solutions teach organizations how to transform the NIST Cybersecurity Framework or any other IT Framework or Standard Based System, into a unified, adaptive, and culture-driven Digital Value Management System® (DVMS)

The DVMS offers organizations a structured pathway for integrating Governance Intent, Operational Execution, and Assurance Evidence, enabling them to demonstrate measurable resilience, regulatory alignment, and stakeholder confidence in a rapidly evolving digital landscape.

Through its MVCCPD3D Knowledge, and FastTrack Models, the DVMS operationalizes a Governance Overlay system that unifies strategy, assurance, and operations, a Behavioral Engine that continuously converts risk into resilience, and a Learning System that measures, adapts, and innovates over time.

DVMS White Papers

 

DVMS Institute Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness training provides all employees with a comprehensive understanding of the fundamentals of digital business, its associated risks, the NISTCSF, and their role in protecting organizational digital value. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.

NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role as an integrated, adaptive, and culture-driven governance and assurance management system that drives resilient, compliant, and trusted digital outcomes.

DVMS Practitioner Certification Training

The Digital Value Management System® (DVMS) Practitioner certification training course provides ITSM, GRC, Cybersecurity, and Business professionals a detailed understanding of how to transform systemic cyber risk into operational resilience by uniting Fragmented Frameworks and Standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Assurance, and Accountability overlay system that keeps your digital business resilient, no matter the disruption.

DVMS Organizational Benefits

The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.

For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.

For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.

For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.

DVMS Explainer Videos

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved

More To Explore

It's Time to Protect Your digital business value & resiliency

Publications, Certification Training, Enterprise Solutions & Community

Contact Us