
NIST CSF 2.0 – Protect Function Deep Dive: Data Security (PR.DS)


When executives ask, “What are we actually protecting?”

The honest answer is simple:

Data.

Not servers.
Not applications.
Not networks.

Those matter—but only because data lives on them.

PR.DS exists because cybersecurity failures become business crises only when data is exposed, altered, lost, or misused. Everything else is usually recoverable.


How PR.DS Fits Into the Protect Function

So far in the Protect series, we have covered:

  • PR.AA (Identity Management, Authentication, and Access Control) – Who can access systems and data

  • PR.AT (Awareness and Training) – How people recognize and respond to risk

PR.DS answers the next, unavoidable question:

Once access is granted and people are trained—how is data actually protected?

This is where cybersecurity aligns directly with:

  • Regulatory exposure

  • Financial loss

  • Reputation damage

  • Customer trust

For new practitioners, PR.DS explains what data security really means.
For new CISOs, it defines where accountability truly begins.


What Is PR.DS (Plain English)

PR.DS ensures that data is protected throughout its entire lifecycle. In CSF 2.0 the category reads: "Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information," with outcomes for data at rest (PR.DS-01), data in transit (PR.DS-02), data in use (PR.DS-10), and backups (PR.DS-11).

That lifecycle includes:

  1. Creation

  2. Storage

  3. Use

  4. Transmission

  5. Retention

  6. Disposal

PR.DS applies whether data is:

  • On-prem

  • In the cloud

  • In SaaS platforms

  • On laptops

  • In backups

  • Shared with third parties

If data exists somewhere, PR.DS applies.


Beginner Callout: Why Data Security Is Harder Than It Sounds

Many people assume data security means:

  • Encryption

  • Passwords

  • Firewalls

Those are tools, not strategies.

Data security is difficult because:

  • Data constantly moves

  • Copies multiply invisibly

  • Business users prioritize speed

  • Ownership is often unclear

You can’t protect what you don’t understand—or can’t see.


Why PR.DS Matters So Much at the Executive Level

From the boardroom perspective:

  • Most fines are data-related

  • Most lawsuits follow data exposure

  • Most breach notifications mention data types

  • Most incident impact assessments start with data loss

Executives don’t ask:

“Was the server patched?”

They ask:

“What data was exposed, and who was affected?”

PR.DS is how security leaders answer that question confidently.


Common PR.DS Mistakes (Across All Maturity Levels)

1. Trying to Protect All Data Equally

Not all data deserves the same level of protection.

Customer PII ≠ marketing content
Production credentials ≠ internal documentation

Without prioritization, controls become expensive and ineffective.


2. Confusing Storage Security With Data Security

Securing a database does not mean the data is secure if:

  • It’s exported to spreadsheets

  • Shared through email

  • Synced to personal devices

  • Uploaded to unauthorized SaaS tools

Data security follows data—not infrastructure.


3. Leaving Classification as a Paper Exercise

If data classification:

  • Is purely theoretical

  • Isn’t enforced technically

  • Isn’t understood by users

Then it provides little real protection.


How to Implement PR.DS in a Practical, Understandable Way

1. Start With Data Visibility

At a minimum, organizations should understand:

  • What sensitive data they have

  • Where it lives

  • Who accesses it

  • How it moves

You do not need perfection—but you need directional clarity.
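One way to get that directional clarity is to go looking for the data rather than asking where it is supposed to be. The Python scanner below is an added example, not code from the original post: it checks a few constructed sample files (a database export, a support ticket, a backup script, a roadmap doc) for emails, US SSNs, payment card numbers, and AWS access key IDs. The file paths and contents are made up; the card number and key ID are published test values. The Luhn checksum and the SSN range checks are there to keep false positives down, which is the difference between a scan people act on and one they learn to ignore.

```python
import re
from collections import Counter

# Constructed sample "files" standing in for a database export, a support
# ticket and a script. None of this is real data; the card number and the
# AWS key ID are published test/example values.
SAMPLE_FILES = {
    "exports/customers-q3.csv": (
        "id,name,email,ssn\n"
        "1,Ann,ann@example.com,123-45-6789\n"
        "2,Bob,bob@example.com,987-65-4321\n"   # area 987 is never issued
    ),
    "tickets/refund-4412.txt": (
        "Customer paid with card 4111 1111 1111 1111, please refund.\n"
        "Order number 1234 5678 9012 3456 (not a card).\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "docs/roadmap.md": "Q4 goals: ship the new dashboard.\n",
}

# Candidate patterns; "card" and "ssn" matches are validated further below.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}


def luhn_valid(digits):
    """Luhn checksum: rejects order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues: areas 000, 666, 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def _accept(kind, match):
    """Second-stage validation for the pattern types that need it."""
    if kind == "card":
        digits = re.sub(r"[ -]", "", match.group(0))
        return 13 <= len(digits) <= 19 and luhn_valid(digits)
    if kind == "ssn":
        return plausible_ssn(*match.groups())
    return True


def scan_files(files):
    """Return {path: {data_type: count}} for every file with at least one hit."""
    findings = {}
    for path, content in files.items():
        hits = Counter()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                if _accept(kind, m):
                    hits[kind] += 1
        if hits:
            findings[path] = dict(hits)
    return findings


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```

Run against the sample set, the scanner flags the CSV export (two emails, one plausible SSN), the ticket (one real card number; the order number fails the checksum), and the backup script (an access key ID), and stays silent on the roadmap. The same matchers, pointed at file shares, mailboxes, and ticketing exports rather than a dictionary, are the core of the content inspection a DLP tool runs; the inventory they produce is the starting point for every later step.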


2. Classify Data Based on Impact, Not Preference

Effective classification answers:

  • What happens if this data is exposed?

  • What happens if it’s altered?

  • What happens if it’s unavailable?

Focus on impact—not volume.

This keeps programs realistic and defensible.


3. Protect Data in Use, Not Just at Rest

Encryption at rest and in transit is table stakes. It protects against a lost disk or an intercepted connection, not against a user, application, or stolen credential that is authorized to decrypt.

Mature PR.DS programs therefore also address what authorized parties do with data once it is readable:

  • Screenshots

  • Copy/paste

  • File sharing

  • Downloads

  • External uploads

This is where data loss prevention (DLP), cloud access security brokers (CASB), and modern cloud controls matter most.


4. Limit Data Retention Aggressively

Data you no longer need:

  • Still creates risk

  • Still expands breach scope

  • Still costs money to secure

Deleting data safely, including the copies that live in backups, exports, and logs, is one of the most underrated security controls.


5. Account for Third Parties Explicitly

Once data leaves your environment:

  • Your risk does not leave with it

  • Your accountability often remains

PR.DS requires:

  • Contractual protections

  • Minimum security requirements

  • Visibility into data sharing


Real-World Executive Example

A company experiences a cloud credential compromise.
The attack path is simple.

The impact, however, depends entirely on PR.DS:

  • If sensitive data is segmented, encrypted with keys the compromised identity cannot use, and monitored → limited impact

  • If data is broadly accessible and poorly classified → board-level crisis

Same incident.
Very different outcome.

That difference is PR.DS maturity.


Metrics That Make PR.DS Understandable

Foundational Metrics

  • % of critical data classified

  • % of sensitive data encrypted

  • % of endpoints enforcing data protection controls

  • Number of external data-sharing paths

These show coverage.


Risk-Oriented Metrics

  • Data exposure incidents by type

  • Sensitive data access anomalies

  • Unauthorized data sharing attempts

  • Data retention exceptions

These show risk control effectiveness.
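The metrics above, the impact-based classification in step 2, and the retention exceptions in step 4 all come out of the same thing: an inventory with a few honest fields per data asset. The Python below is an added example, not code from the original post, showing how those numbers are derived from a constructed inventory of five assets (names, locations, impact ratings, and dates are made up; the three-level impact scale and tier names are assumptions). A fixed reference date keeps the results reproducible.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Hypothetical three-level impact scale and the tier each level maps to.
LOW, MODERATE, HIGH = 1, 2, 3
TIER_BY_IMPACT = {LOW: "internal", MODERATE: "confidential", HIGH: "restricted"}
TIER_RANK = {"internal": 1, "confidential": 2, "restricted": 3}
SENSITIVE_TIERS = {"confidential", "restricted"}


@dataclass
class DataAsset:
    name: str
    location: str
    impact_c: int                # impact if exposed
    impact_i: int                # impact if altered
    impact_a: int                # impact if unavailable
    encrypted: bool
    last_used: date
    retention_days: int
    external_recipients: Tuple[str, ...] = ()
    classification: Optional[str] = None   # None = never classified


AS_OF = date(2025, 1, 1)   # fixed reference date so the numbers are reproducible

# Constructed inventory; every name, location and date is made up.
INVENTORY = [
    DataAsset("customer_pii_db", "rds/prod", HIGH, HIGH, MODERATE, True,
              AS_OF - timedelta(days=1), 730, ("payments-processor",), "restricted"),
    DataAsset("customers-q3.csv", "onedrive/finance", HIGH, LOW, LOW, False,
              AS_OF - timedelta(days=400), 90, ("external-auditor",), None),
    DataAsset("marketing_assets", "s3/marketing", LOW, LOW, LOW, False,
              AS_OF - timedelta(days=10), 365, (), "internal"),
    DataAsset("prod_secrets", "vault/prod", HIGH, HIGH, HIGH, True,
              AS_OF, 365, (), "confidential"),
    DataAsset("backups-2022", "s3/backups", HIGH, MODERATE, MODERATE, False,
              AS_OF - timedelta(days=800), 365, (), "restricted"),
]


def derived_tier(asset):
    """Classify on the worst-case impact across exposed/altered/unavailable, not on volume."""
    return TIER_BY_IMPACT[max(asset.impact_c, asset.impact_i, asset.impact_a)]


def classification_gaps(assets):
    """Assets that are unclassified or classified below what their impact implies."""
    return [a.name for a in assets
            if a.classification is None
            or TIER_RANK[a.classification] < TIER_RANK[derived_tier(a)]]


def retention_exceptions(assets, today=AS_OF):
    """Assets held longer than their own retention period."""
    return [a.name for a in assets if (today - a.last_used).days > a.retention_days]


def coverage_metrics(assets):
    """The foundational and risk-oriented numbers a CISO can put on one slide."""
    def pct(part, whole):
        return round(100.0 * len(part) / len(whole), 1) if whole else 0.0

    classified = [a for a in assets if a.classification is not None]
    sensitive = [a for a in classified if a.classification in SENSITIVE_TIERS]
    encrypted = [a for a in sensitive if a.encrypted]
    return {
        "pct_classified": pct(classified, assets),
        "pct_sensitive_encrypted": pct(encrypted, sensitive),
        "external_sharing_paths": sum(len(a.external_recipients) for a in assets),
        "retention_exceptions": len(retention_exceptions(assets)),
        "classification_gaps": len(classification_gaps(assets)),
    }


if __name__ == "__main__":
    for k, v in coverage_metrics(INVENTORY).items():
        print(f"{k}: {v}")
    print("gaps:", classification_gaps(INVENTORY))
    print("overdue:", retention_exceptions(INVENTORY))
```

Two findings in this sample are the kind that matter in the boardroom: the finance export is unclassified, unencrypted, shared externally, and more than a year past its 90-day retention, and the production secrets are rated one tier lower than their impact warrants. Neither shows up in a "% encrypted" number alone, which is why the coverage metrics and the risk-oriented ones belong together.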


CISO Takeaways

For new CISOs especially:

  • Data is what regulators care about

  • Data is what customers care about

  • Data is what lawsuits reference

  • Data is what defines breach severity

If you control data well, many other failures become survivable.

If you don’t, even small incidents become existential.


What “Good” Looks Like

A strong PR.DS capability means:

  • Sensitive data is known and prioritized

  • Protection follows data wherever it goes

  • Users understand how to handle data safely

  • Retention is intentional, not accidental

  • Leadership can speak clearly about data risk

For beginners, this provides clarity.
For CISOs, it provides defensibility.


Final Thoughts

Identity controls decide who gets in.
Awareness determines how people behave.
Data security defines what actually gets damaged.

PR.DS is where cybersecurity and business risk finally meet.

If you protect data well,
you earn time, trust, and options when things go wrong.
