When executives ask, “What are we actually protecting?”
The honest answer is simple:
Data.
Not servers.
Not applications.
Not networks.
Those matter—but only because data lives on them.
PR.DS exists because cybersecurity failures become business crises only when data is exposed, altered, lost, or misused. Everything else is usually recoverable.
How PR.DS Fits Into the Protect Function
So far in the Protect series, we have covered:
PR.AA – Who can access systems and data
PR.AT – How people recognize and respond to risk
PR.DS answers the next, unavoidable question:
Once access is granted and people are trained—how is data actually protected?
This is where cybersecurity aligns directly with:
Regulatory exposure
Financial loss
Reputation damage
Customer trust
For new practitioners, PR.DS explains what data security really means.
For new CISOs, it defines where accountability truly begins.
What Is PR.DS (Plain English)
PR.DS ensures that data is protected throughout its entire lifecycle.
That lifecycle includes:
Creation
Storage
Use
Transmission
Retention
Disposal
PR.DS applies whether data is:
On-prem
In the cloud
In SaaS platforms
On laptops
In backups
Shared with third parties
If data exists somewhere, PR.DS applies.
Beginner Callout: Why Data Security Is Harder Than It Sounds
Many people assume data security means:
Encryption
Passwords
Firewalls
Those are tools, not strategies.
Data security is difficult because:
Data constantly moves
Copies multiply invisibly
Business users prioritize speed
Ownership is often unclear
You can’t protect what you don’t understand—or can’t see.
Why PR.DS Matters So Much at the Executive Level
From the boardroom perspective:
Most fines are data-related
Most lawsuits follow data exposure
Most breach notifications mention data types
Most incident impact assessments start with data loss
Executives don’t ask:
“Was the server patched?”
They ask:
“What data was exposed, and who was affected?”
PR.DS is how security leaders answer that question confidently.
Common PR.DS Mistakes (Across All Maturity Levels)
1. Trying to Protect All Data Equally
Not all data deserves the same level of protection.
Customer PII ≠ marketing content
Production credentials ≠ internal documentation
Without prioritization, controls become expensive and ineffective.
2. Confusing Storage Security With Data Security
Securing a database does not mean the data is secure if:
It’s exported to spreadsheets
Shared through email
Synced to personal devices
Uploaded to unauthorized SaaS tools
Data security follows data—not infrastructure.
3. Leaving Classification as a Paper Exercise
If data classification:
Is purely theoretical
Isn’t enforced technically
Isn’t understood by users
Then it provides little real protection.
How to Implement PR.DS in a Practical, Understandable Way
1. Start With Data Visibility
At a minimum, organizations should understand:
What sensitive data they have
Where it lives
Who accesses it
How it moves
You do not need perfection—but you need directional clarity.
2. Classify Data Based on Impact, Not Preference
Effective classification answers:
What happens if this data is exposed?
What happens if it’s altered?
What happens if it’s unavailable?
Focus on impact—not volume.
This keeps programs realistic and defensible.
3. Protect Data in Use, Not Just at Rest
Encryption at rest and in transit are table stakes.
Mature PR.DS programs also address:
Screenshots
Copy/paste
File sharing
Downloads
External uploads
This is where DLP, CASB, and modern cloud controls matter most.
4. Limit Data Retention Aggressively
Data you no longer need:
Still creates risk
Still expands breach scope
Still costs money to secure
Deleting data safely is one of the most underrated security controls.
5. Account for Third Parties Explicitly
Once data leaves your environment:
Your risk does not leave with it
Your accountability often remains
PR.DS requires:
Contractual protections
Minimum security requirements
Visibility into data sharing
Real-World Executive Example
A company experiences a cloud credential compromise.
The attack path is simple.
The impact, however, depends entirely on PR.DS:
If sensitive data is segmented, encrypted, and monitored → limited impact
If data is broadly accessible and poorly classified → board-level crisis
Same incident.
Very different outcome.
That difference is PR.DS maturity.
Metrics That Make PR.DS Understandable
Foundational Metrics
% of critical data classified
% of sensitive data encrypted
% of endpoints enforcing data protection controls
Number of external data-sharing paths
These show coverage.
Risk-Oriented Metrics
Data exposure incidents by type
Sensitive data access anomalies
Unauthorized data sharing attempts
Data retention exceptions
These show risk control effectiveness.
CISO Takeaways
For new CISOs especially:
Data is what regulators care about
Data is what customers care about
Data is what lawsuits reference
Data is what defines breach severity
If you control data well, many other failures become survivable.
If you don’t, even small incidents become existential.
What “Good” Looks Like
A strong PR.DS capability means:
Sensitive data is known and prioritized
Protection follows data wherever it goes
Users understand how to handle data safely
Retention is intentional, not accidental
Leadership can speak clearly about data risk
For beginners, this provides clarity.
For CISOs, it provides defensibility.
Final Thoughts
Identity controls decide who gets in.
Awareness determines how people behave.
Data security defines what actually gets damaged.
PR.DS is where cybersecurity and business risk finally meet.
If you protect data well,
you earn time, trust, and options when things go wrong.