
NIST CSF 2.0 – Protect Function Deep Dive: Data Security (PR.DS)


When executives ask, “What are we actually protecting?”

The honest answer is simple:

Data.

Not servers.
Not applications.
Not networks.

Those matter—but only because data lives on them.

PR.DS exists because cybersecurity failures become business crises only when data is exposed, altered, lost, or misused. Everything else is usually recoverable.


How PR.DS Fits Into the Protect Function

So far in the Protect series, we have covered:

  • PR.AA – Who can access systems and data

  • PR.AT – How people recognize and respond to risk

PR.DS answers the next, unavoidable question:

Once access is granted and people are trained—how is data actually protected?

This is where cybersecurity aligns directly with:

  • Regulatory exposure

  • Financial loss

  • Reputation damage

  • Customer trust

For new practitioners, PR.DS explains what data security really means.
For new CISOs, it defines where accountability truly begins.


What Is PR.DS (Plain English)

PR.DS ensures that data is protected throughout its entire lifecycle.

That lifecycle includes:

  1. Creation

  2. Storage

  3. Use

  4. Transmission

  5. Retention

  6. Disposal

PR.DS applies whether data is:

  • On-prem

  • In the cloud

  • In SaaS platforms

  • On laptops

  • In backups

  • Shared with third parties

If data exists somewhere, PR.DS applies.


Beginner Callout: Why Data Security Is Harder Than It Sounds

Many people assume data security means:

  • Encryption

  • Passwords

  • Firewalls

Those are tools, not strategies.

Data security is difficult because:

  • Data constantly moves

  • Copies multiply invisibly

  • Business users prioritize speed

  • Ownership is often unclear

You can’t protect what you don’t understand—or can’t see.


Why PR.DS Matters So Much at the Executive Level

From the boardroom perspective:

  • Most fines are data-related

  • Most lawsuits follow data exposure

  • Most breach notifications mention data types

  • Most incident impact assessments start with data loss

Executives don’t ask:

“Was the server patched?”

They ask:

“What data was exposed, and who was affected?”

PR.DS is how security leaders answer that question confidently.


Common PR.DS Mistakes (Across All Maturity Levels)

1. Trying to Protect All Data Equally

Not all data deserves the same level of protection.

Customer PII ≠ marketing content
Production credentials ≠ internal documentation

Without prioritization, controls become expensive and ineffective.


2. Confusing Storage Security With Data Security

Securing a database does not mean the data is secure if:

  • It’s exported to spreadsheets

  • Shared through email

  • Synced to personal devices

  • Uploaded to unauthorized SaaS tools

Data security follows data—not infrastructure.


3. Leaving Classification as a Paper Exercise

If data classification:

  • Is purely theoretical

  • Isn’t enforced technically

  • Isn’t understood by users

Then it provides little real protection.


How to Implement PR.DS in a Practical, Understandable Way

1. Start With Data Visibility

At a minimum, organizations should understand:

  • What sensitive data they have

  • Where it lives

  • Who accesses it

  • How it moves

You do not need perfection—but you need directional clarity.


2. Classify Data Based on Impact, Not Preference

Effective classification answers:

  • What happens if this data is exposed?

  • What happens if it’s altered?

  • What happens if it’s unavailable?

Focus on impact—not volume.

This keeps programs realistic and defensible.


3. Protect Data in Use, Not Just at Rest

Encryption at rest and in transit are table stakes.

Mature PR.DS programs also address:

  • Screenshots

  • Copy/paste

  • File sharing

  • Downloads

  • External uploads

This is where DLP, CASB, and modern cloud controls matter most.


4. Limit Data Retention Aggressively

Data you no longer need:

  • Still creates risk

  • Still expands breach scope

  • Still costs money to secure

Deleting data safely is one of the most underrated security controls.


5. Account for Third Parties Explicitly

Once data leaves your environment:

  • Your risk does not leave with it

  • Your accountability often remains

PR.DS requires:

  • Contractual protections

  • Minimum security requirements

  • Visibility into data sharing


Real-World Executive Example

A company experiences a cloud credential compromise.
The attack path is simple.

The impact, however, depends entirely on PR.DS:

  • If sensitive data is segmented, encrypted, and monitored → limited impact

  • If data is broadly accessible and poorly classified → board-level crisis

Same incident.
Very different outcome.

That difference is PR.DS maturity.


Metrics That Make PR.DS Understandable

Foundational Metrics

  • % of critical data classified

  • % of sensitive data encrypted

  • % of endpoints enforcing data protection controls

  • Number of external data-sharing paths

These show coverage.


Risk-Oriented Metrics

  • Data exposure incidents by type

  • Sensitive data access anomalies

  • Unauthorized data sharing attempts

  • Data retention exceptions

These show risk control effectiveness.
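To make the implementation steps above (visibility, impact-based classification, retention, third-party sharing) and these metrics concrete, here is an added example that is not from the original post and not NIST material. It assumes a small data inventory kept as structured records, a four-tier classification scheme (public, internal, confidential, restricted) and a 0-3 impact scale, all of which are assumptions for illustration; the inventory entries are constructed, not real systems. It derives each asset's tier from worst-case impact, flags assets whose recorded label is lower than that impact, flags data kept past its retention period, and computes the coverage and risk metrics listed above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed classification scheme, least to most sensitive (not from NIST CSF).
TIERS = ["public", "internal", "confidential", "restricted"]
CRITICAL = {"confidential", "restricted"}


@dataclass
class DataAsset:
    """One entry in a (constructed) data inventory: what it is, where it lives, how it moves."""
    name: str
    location: str                    # on-prem, cloud, saas, laptop, backup
    label: Optional[str]             # tier recorded by the data owner; None = never classified
    impact_exposed: int              # 0-3: consequence if this data is exposed
    impact_altered: int              # 0-3: consequence if it is altered
    impact_unavailable: int          # 0-3: consequence if it is unavailable
    encrypted_at_rest: bool
    last_used: date
    retention_days: int              # how long unused data may be kept before disposal
    shared_with: List[str] = field(default_factory=list)  # external parties receiving copies


def derive_tier(asset: DataAsset) -> str:
    """Classify by worst-case impact (exposure, alteration, unavailability), not by volume."""
    worst = max(asset.impact_exposed, asset.impact_altered, asset.impact_unavailable)
    return TIERS[min(worst, len(TIERS) - 1)]


def pr_ds_metrics(assets: List[DataAsset], today: date) -> Dict[str, object]:
    """Coverage and risk metrics for PR.DS over an inventory, as of `today`."""
    critical = [a for a in assets if derive_tier(a) in CRITICAL]
    classified = [a for a in critical if a.label is not None]
    encrypted = [a for a in critical if a.encrypted_at_rest]
    # "Paper exercise" check: the recorded label is below the impact-derived tier.
    underlabelled = [a.name for a in assets
                     if a.label is not None
                     and TIERS.index(a.label) < TIERS.index(derive_tier(a))]
    # Retention exception: unused for longer than its retention period but still present.
    overdue = [a.name for a in assets if (today - a.last_used).days > a.retention_days]

    def pct(part, whole):
        return round(100.0 * len(part) / len(whole), 1) if whole else 0.0

    return {
        "pct_critical_classified": pct(classified, critical),
        "pct_sensitive_encrypted": pct(encrypted, critical),
        "external_sharing_paths": sum(len(a.shared_with) for a in assets),
        "critical_sharing_paths": sum(len(a.shared_with) for a in critical),
        "classification_below_impact": underlabelled,
        "retention_exceptions": overdue,
    }


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    DataAsset("customer_pii_db", "cloud", "restricted", 3, 2, 2, True,
              date(2025, 5, 30), 365, ["payment-processor"]),
    # Export of the database to a spreadsheet on a laptop: never classified, unencrypted.
    DataAsset("pii_export_2023.xlsx", "laptop", None, 3, 1, 0, False,
              date(2023, 11, 2), 90),
    DataAsset("marketing_assets", "saas", "public", 0, 0, 0, False,
              date(2025, 5, 20), 730, ["agency"]),
    # Owner labelled this "internal" although its impact is clearly restricted.
    DataAsset("prod_credentials_vault", "on-prem", "internal", 3, 3, 3, True,
              date(2025, 6, 1), 365),
    DataAsset("hr_backup_2019", "backup", "confidential", 2, 2, 1, False,
              date(2019, 12, 31), 2555),
    DataAsset("internal_wiki", "on-prem", "internal", 1, 1, 1, False,
              date(2025, 5, 1), 365, ["consultant-llc"]),
]
AS_OF = date(2025, 6, 1)

if __name__ == "__main__":
    for key, value in pr_ds_metrics(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

The two list-valued results are the ones a CISO should look at first: a label below derived impact means classification is not being enforced, and a retention exception on an unclassified laptop export is exactly the "storage security is not data security" failure described earlier.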


CISO Takeaways

For new CISOs especially:

  • Data is what regulators care about

  • Data is what customers care about

  • Data is what lawsuits reference

  • Data is what defines breach severity

If you control data well, many other failures become survivable.

If you don’t, even small incidents become existential.


What “Good” Looks Like

A strong PR.DS capability means:

  • Sensitive data is known and prioritized

  • Protection follows data wherever it goes

  • Users understand how to handle data safely

  • Retention is intentional, not accidental

  • Leadership can speak clearly about data risk

For beginners, this provides clarity.
For CISOs, it provides defensibility.


Final Thoughts

Identity controls decide who gets in.
Awareness determines how people behave.
Data security defines what actually gets damaged.

PR.DS is where cybersecurity and business risk finally meet.

If you protect data well,
you earn time, trust, and options when things go wrong.

In NIST Cybersecurity Framework 2.0 (CSF 2.0) , the Detect function represents the organization’s ability to identify the occurrence of a cybersecurity event in a timely and reliable manner . While Protect focuses on reducing the likelihood of compromise, Detect determines how quickly and how accurately an organization recognizes that something has gone wrong. For CISOs and security leaders, detection is where many programs quietly fail. Not due to a lack of tools, but due to poor signal quality, unclear objectives, and misalignment with business impact. Detection that is late, noisy, or misunderstood can be as damaging as no detection at all. Official NIST CSF 2.0 guidance is available here: https://www.nist.gov/publications/nist-cybersecurity-framework-csf-20 What the Detect Function Is (and What It Enables) Under CSF 2.0, the Detect (DE) function focuses on outcomes related to: Continuous monitoring Anomalies and event detection Security logging and analysis Threat intelligence ...