NIST CSF 2.0 – Protect Function Deep Dive: Data Security (PR.DS)
When executives ask, “What are we actually protecting?”
The honest answer is simple:
Data.
Not servers.
Not applications.
Not networks.
Those matter—but only because data lives on them.
PR.DS exists because cybersecurity failures become business crises only when data is exposed, altered, lost, or misused. Everything else is usually recoverable.
How PR.DS Fits Into the Protect Function
So far in the Protect series, we have covered:
- PR.AA – Who can access systems and data
- PR.AT – How people recognize and respond to risk
PR.DS answers the next, unavoidable question:
Once access is granted and people are trained—how is data actually protected?
This is where cybersecurity aligns directly with:
- Regulatory exposure
- Financial loss
- Reputation damage
- Customer trust
For new practitioners, PR.DS explains what data security really means.
For new CISOs, it defines where accountability truly begins.
What Is PR.DS (Plain English)
PR.DS ensures that data is protected throughout its entire lifecycle.
That lifecycle includes:
- Creation
- Storage
- Use
- Transmission
- Retention
- Disposal
PR.DS applies whether data is:
- On-prem
- In the cloud
- In SaaS platforms
- On laptops
- In backups
- Shared with third parties
If data exists somewhere, PR.DS applies.
Beginner Callout: Why Data Security Is Harder Than It Sounds
Many people assume data security means:
- Encryption
- Passwords
- Firewalls
Those are tools, not strategies.
Data security is difficult because:
- Data constantly moves
- Copies multiply invisibly
- Business users prioritize speed
- Ownership is often unclear
You can’t protect what you don’t understand—or can’t see.
Why PR.DS Matters So Much at the Executive Level
From the boardroom perspective:
- Most fines are data-related
- Most lawsuits follow data exposure
- Most breach notifications mention data types
- Most incident impact assessments start with data loss
Executives don’t ask:
“Was the server patched?”
They ask:
“What data was exposed, and who was affected?”
PR.DS is how security leaders answer that question confidently.
Common PR.DS Mistakes (Across All Maturity Levels)
1. Trying to Protect All Data Equally
Not all data deserves the same level of protection.
Customer PII ≠ marketing content
Production credentials ≠ internal documentation
Without prioritization, controls become expensive and ineffective.
2. Confusing Storage Security With Data Security
Securing a database does not mean the data is secure if:
- It’s exported to spreadsheets
- Shared through email
- Synced to personal devices
- Uploaded to unauthorized SaaS tools
Data security follows data—not infrastructure.
3. Leaving Classification as a Paper Exercise
If data classification:
- Is purely theoretical
- Isn’t enforced technically
- Isn’t understood by users
Then it provides little real protection.
How to Implement PR.DS in a Practical, Understandable Way
1. Start With Data Visibility
At a minimum, organizations should understand:
- What sensitive data they have
- Where it lives
- Who accesses it
- How it moves
You do not need perfection—but you need directional clarity.
2. Classify Data Based on Impact, Not Preference
Effective classification answers:
- What happens if this data is exposed?
- What happens if it’s altered?
- What happens if it’s unavailable?
Focus on impact—not volume.
This keeps programs realistic and defensible.
3. Protect Data in Use, Not Just at Rest
Encryption at rest and in transit is table stakes.
Mature PR.DS programs also address:
- Screenshots
- Copy/paste
- File sharing
- Downloads
- External uploads
This is where DLP, CASB, and modern cloud controls matter most.
4. Limit Data Retention Aggressively
Data you no longer need:
- Still creates risk
- Still expands breach scope
- Still costs money to secure
Deleting data safely is one of the most underrated security controls.
5. Account for Third Parties Explicitly
Once data leaves your environment:
- Your risk does not leave with it
- Your accountability often remains
PR.DS requires:
- Contractual protections
- Minimum security requirements
- Visibility into data sharing
Real-World Executive Example
A company experiences a cloud credential compromise.
The attack path is simple.
The impact, however, depends entirely on PR.DS:
- If sensitive data is segmented, encrypted, and monitored → limited impact
- If data is broadly accessible and poorly classified → board-level crisis
Same incident.
Very different outcome.
That difference is PR.DS maturity.
Metrics That Make PR.DS Understandable
Foundational Metrics
- % of critical data classified
- % of sensitive data encrypted
- % of endpoints enforcing data protection controls
- Number of external data-sharing paths
These show coverage.
Risk-Oriented Metrics
- Data exposure incidents by type
- Sensitive data access anomalies
- Unauthorized data sharing attempts
- Data retention exceptions
These show risk control effectiveness.
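To make the implementation steps above (visibility, impact-based classification, retention limits, third-party sharing) and the foundational metrics concrete, here is an added example that is not part of the original post. It computes the metrics over a small constructed data inventory: each asset carries answers to the three impact questions (exposed, altered, unavailable), its tier follows the worst-case answer, and the script reports classification coverage of critical data, encryption coverage of sensitive data, external sharing paths, and retention exceptions. The asset names, tier names, impact scale and retention thresholds are all assumptions; ratios are returned as fractions rather than percentages.

```python
"""Impact-based classification and PR.DS coverage metrics over a constructed
data inventory. Added example, not code from the original post; the asset
records, tier names and retention thresholds are all assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Impact scale for the three classification questions from the post:
# what happens if the data is exposed, altered, or unavailable?
IMPACT = {"none": 0, "low": 1, "moderate": 2, "high": 3}
TIER_BY_WORST_IMPACT = {0: "public", 1: "internal", 2: "confidential", 3: "restricted"}
SENSITIVE_TIERS = {"confidential", "restricted"}


@dataclass
class DataAsset:
    name: str
    location: str                      # on-prem, cloud, saas, laptop, backup
    business_critical: bool            # flagged by the data owner
    encrypted_at_rest: bool
    last_used: date
    retention_days: int                # policy maximum since last legitimate use
    # Answers to the impact questions; None means "not yet classified".
    impacts: Optional[Dict[str, str]] = None
    shared_with: List[str] = field(default_factory=list)  # external recipients


def classify(asset: DataAsset) -> Optional[str]:
    """Tier follows the worst-case answer; the volume of data never enters into it."""
    if asset.impacts is None:
        return None
    worst = max(IMPACT[asset.impacts[q]] for q in ("exposed", "altered", "unavailable"))
    return TIER_BY_WORST_IMPACT[worst]


def retention_exceptions(assets: List[DataAsset], today: date) -> List[str]:
    """Assets kept beyond their retention window: risk with no remaining business value."""
    return [a.name for a in assets if (today - a.last_used).days > a.retention_days]


def _ratio(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0


def pr_ds_metrics(assets: List[DataAsset], today: date) -> dict:
    """Foundational coverage metrics plus retention exceptions, computed from the inventory."""
    critical = [a for a in assets if a.business_critical]
    sensitive = [a for a in assets if classify(a) in SENSITIVE_TIERS]
    return {
        # share of business-critical assets whose impact questions have been answered
        "critical_classified": _ratio(sum(classify(a) is not None for a in critical), len(critical)),
        # share of confidential/restricted assets encrypted at rest
        "sensitive_encrypted": _ratio(sum(a.encrypted_at_rest for a in sensitive), len(sensitive)),
        # every (asset, external party) pair is one path to watch and contract for
        "external_sharing_paths": sum(len(a.shared_with) for a in assets),
        "unclassified": [a.name for a in assets if classify(a) is None],
        "retention_exceptions": retention_exceptions(assets, today),
    }


# Constructed inventory with placeholder names; none of these are real systems.
INVENTORY = [
    DataAsset("customer_pii_db", "cloud", True, True, date(2024, 5, 30), 365,
              {"exposed": "high", "altered": "moderate", "unavailable": "moderate"},
              ["payment-processor"]),
    DataAsset("marketing_site_content", "cloud", False, False, date(2024, 5, 31), 730,
              {"exposed": "none", "altered": "low", "unavailable": "low"}),
    DataAsset("finance_exports_xlsx", "laptop", True, False, date(2023, 1, 15), 90,
              {"exposed": "high", "altered": "high", "unavailable": "low"},
              ["external-auditor"]),
    DataAsset("hr_records_backup", "backup", True, True, date(2024, 4, 1), 2555),  # never classified
    DataAsset("support_tickets_saas", "saas", False, True, date(2024, 5, 29), 365,
              {"exposed": "moderate", "altered": "low", "unavailable": "moderate"},
              ["saas-vendor"]),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for metric, value in pr_ds_metrics(INVENTORY, TODAY).items():
        print(f"{metric}: {value}")
```

Run as a script it prints one line per metric; in practice the inventory would be fed from a discovery or DLP export rather than typed by hand, and the unclassified and retention-exception lists are the items to take back to data owners. Note that the spreadsheet export on a laptop scores the same tier as the database it came from, which is the point of the post's "data security follows data" argument.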
CISO Takeaways
For new CISOs especially:
- Data is what regulators care about
- Data is what customers care about
- Data is what lawsuits reference
- Data is what defines breach severity
If you control data well, many other failures become survivable.
If you don’t, even small incidents become existential.
What “Good” Looks Like
A strong PR.DS capability means:
- Sensitive data is known and prioritized
- Protection follows data wherever it goes
- Users understand how to handle data safely
- Retention is intentional, not accidental
- Leadership can speak clearly about data risk
For beginners, this provides clarity.
For CISOs, it provides defensibility.
Final Thoughts
Identity controls decide who gets in.
Awareness determines how people behave.
Data security defines what actually gets damaged.
PR.DS is where cybersecurity and business risk finally meet.
If you protect data well,
you earn time, trust, and options when things go wrong.