Using a DVMS to “Ethically Hack” An Enterprise NIST, ITSM, GRC, ISO, and ERM Governance and Assurance Programs

Share This Post

Using a DVMS to “Ethically Hack” An Enterprise NIST, ITSM, GRC, ISO, and ERM Governance and Assurance Programs

Introduction: The Problem with Framework Fatigue

In an era where organizations are increasingly dependent on digital systems, frameworks such as NIST, ISO, ITSM, GRC, and ERM have become essential components of modern business governance. Yet many companies still struggle to translate these frameworks into real operational value. They are often deployed in silos—compliance in one corner, IT service management in another, risk management somewhere else—resulting in fragmented processes, inconsistent controls, and blind spots that undermine digital value protection and operational resilience.

The DVMS as a Transformative Overlay for Ethical Governance Hacking

The Digital Value Management System (DVMS) offers a transformative alternative. Rather than treating these frameworks as static rulebooks, the DVMS enables organizations to “ethically hack” their internal processes, culture, and systems to uncover gaps that traditional assessments overlook. By applying systems thinking, adaptive leadership, and cultural interrogation, organizations can turn DVMS into a strategic overlay that enhances—and in many ways revolutionizes—their use of NIST, ISO, GRC, ITSM, and ERM to protect organizational digital value and operational resilience.

DVMS as a Dynamic and Adaptive Governance Lens

At its core, the DVMS reframes governance and cybersecurity as dynamic, living systems. It functions as an adaptive lens rather than a prescriptive toolkit, enabling organizations to see how their existing frameworks behave in the real world—not just on paper. The DVMS incorporates seven minimum viable capabilities (Govern, Assure, Plan, Design, Change, Execute, and Innovate) that map onto existing business processes to reveal performance gaps. Instead of adding yet another framework to the mix, it exposes where current frameworks conflict, overlap, or fail to produce intended outcomes. In this way, the DVMS helps organizations “hack” their governance systems the same way ethical hackers probe software—by testing assumptions, stress-testing controls, and exposing systemic weaknesses before adversaries do.

Hacking NIST and ISO: Beyond Documentation to Real-World Behavior

When applied to frameworks like NIST CSF or ISO 27001, the DVMS provides deeper insight into whether the controls organizations believe they have in place are functioning as designed. Many organizations hold a false sense of security based on documented policies or successful audits. The DVMS challenges these assumptions by asking whether controls truly influence behavior, integrate into decision-making, and support resilience. For example, the DVMS “Govern” capability prompts organizations to question whether cybersecurity policies shape daily actions—or simply exist as procedural artifacts. This form of introspection forces leaders to confront the practical effectiveness, not just the formal presence, of their NIST or ISO controls.

Hacking ITSM and GRC: Fixing Misalignments and Invisible Dependencies

In ITSM and GRC environments, the DVMS helps organizations identify and correct structural misalignments and hidden dependencies that undermine risk management. ITSM processes—incident, change, and problem management—often operate independently of GRC risk assessments or ISO control monitoring. The DVMS overlay connects these traditionally siloed systems, revealing how activity in one domain affects risk exposure in another. Using DVMS-driven inquiry, organizations can ask: Are our service workflows reinforcing resilience or inadvertently creating new risks? Are our GRC processes grounded in operational reality or merely in compliance checklists? This systems-level view uncovers failures and strengthens the connective tissue between frameworks.

Strategy-Risk Thinking: Hacking the Organization’s Strategic Blind Spots

The DVMS introduces a powerful paradigm known as strategy-risk thinking. Unlike traditional models that separate strategy and risk, the DVMS insists that the two are inseparable. Ethical hackers identify disconnects between intended function and actual behavior; DVMS teaches organizations to do the same with their strategies. Tools like the DVMS CPD (Create, Protect, Deliver) and 3D Knowledge Models enable organizations to assess whether risk considerations are effectively embedded in their objectives, KPIs, and investments. This mindset converts strategic misalignments into opportunities for improvement rather than latent threats.

Becoming “The Menace Within”: Red Teaming Governance Itself

One of the DVMS’s most innovative contributions is its framing of the organization as “the menace within.” Instead of relying solely on external penetration tests, organizations learn to adopt a threat actor mindset internally. With tools such as Goal-Question-Metric (GQM) and Question-Outcome-Question Metric (QO-QM), teams conduct internal red teaming of their governance structures by asking: What are we trying to achieve? How do we know controls are adequate? What evidence proves that our risk posture matches our intentions? This transforms NIST, ISO, GRC, ERM, and ITSM programs into dynamic systems that continuously adapt and improve.

Cultural Hacking: Transforming the Organizational Mindset

The DVMS emphasizes that actual governance improvement requires cultural transformation. Frameworks such as ISO or NIST often fail not because of poor documentation but because the organizational culture does not support disciplined behavior or shared risk awareness. The DVMS encourages organizations to “hack” their cultural web—analyzing rituals, stories, power structures, and underlying assumptions. This psychological hacking reveals hidden loyalties, conflicts, and outdated beliefs that hinder the effectiveness of NIST, GRC, or ERM initiatives. By promoting psychological safety and cross-functional collaboration, leaders cultivate a culture where employees feel empowered to challenge existing practices and contribute to governance improvement.

Iterative Improvement Through DVMS FastTrack™

In operational practice, organizations adopt the DVMS through iterative cycles such as the DVMS FastTrack™ method. This approach mirrors the iterative nature of ethical hacking—test, learn, adjust. Instead of waiting for annual audits or periodic assessments, organizations continuously refine their governance processes. The DVMS integrates threat intelligence, regulatory updates, and internal performance data into a living system of adaptive governance. As a result, NIST controls become more actionable, GRC efforts become more meaningful, ITSM processes become more resilient, and ERM programs become more accurate in reflecting real-world risks.

Conclusion: From Compliance to Cyber-Consciousness

Ultimately, the DVMS empowers organizations to move beyond compliance toward a state of cyber-consciousness. It transforms NIST, ISO, ITSM, GRC, and ERM programs into cohesive, adaptive systems that can evolve with the organization and the evolving threat landscape. By ethically hacking themselves—intelligently and continuously—organizations shift governance from a static obligation to a strategic advantage. They discover vulnerabilities before adversaries do, strengthen controls through cultural alignment, and build a continuous feedback loop that elevates digital trust and operational reliability.

By becoming the ethical hackers of their own governance systems, organizations unlock the full potential of their existing frameworks and cultivate a resilient culture that can thrive in an age of digital chaos.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

Digital Value Management System® (DVMS)

Governance, Resilience, Assurance & Accountability System that Protects Digital Value and Powers Operational Resilience

Digital Value Management System (DVMS) is an adaptive, Culture-Driven operating system that unifies leadership, business, and IT around a standard system of governance, resilience, assurance, and accountability that protects digital value and powers operational resilience.

A DVMS integrates and elevates investments in NIST, ISO, GRC, ITSM, and AI by providing a coordinated structure for identifying, classifying, and mitigating cyber risks that could disrupt operations, erode resilience, or diminish stakeholder trust.

Through a structured, intelligence-driven integration of Governance Intent, Operational Capability, and Assurance Evidence, the DVMS, through its MVCCPD3D Knowledge, and FastTrack Models, operationalizes a

 

DVMS White Papers

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes, including cultural ones.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

  • For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
  • For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
  • For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness training teaches all employees the fundamentals of digital business, its associated risks, the NISTCSF, and their role as part of a culture responsible for protecting digital business performance, resilience, and trust. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course teaches ITSM, GRC, Cybersecurity, and Business professionals a detailed understanding of the NIST Cybersecurity Framework and its role in an integrated, adaptive, and culture-driven governance and assurance management system that drives digital business performance, resilience, trust, and accountability.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course teaches ITSM, GRC, Cybersecurity, and Business professionals how to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that integrates fragmented frameworks such as NIST, ITSM, and GRC into an adaptive and culture-driven governance and assurance system that enhances digital business performance, resilience, trust, and accountability.

Company Brochures and Presentation
Explainer Videos

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved

More To Explore

It's Time to Protect Your digital business value & resiliency

Publications, Certification Training, Enterprise Solutions & Community

Contact Us