Most organizations don’t get breached because they chose the wrong cloud provider, operating system, or endpoint platform. They get breached because those platforms were not securely configured, maintained, or governed over time . Platform Security (PR.PS) exists because attackers don’t usually defeat technology—they exploit neglect : Unpatched systems Misconfigurations Unsupported platforms Inconsistent security baselines PR.PS is where cybersecurity discipline shows up every day , long after the architecture diagrams are finished. How PR.PS Fits Into the Protect Function So far in the Protect function: PR.AA answered who can access systems PR.AT addressed how people behave PR.DS focused on what data is truly at risk PR.PS answers the next critical question: Are the platforms we depend on actually secure by design and by default? “Platforms” include: Servers (on-prem and cloud) Endpoints Operating systems Containers Virtual machines Cloud services Core infrastructure components If...

When executives ask, “What are we actually protecting?” The honest answer is simple: Data. Not servers. Not applications. Not networks. Those matter—but only because data lives on them . PR.DS exists because cybersecurity failures become business crises only when data is exposed, altered, lost, or misused . Everything else is usually recoverable. How PR.DS Fits Into the Protect Function So far in the Protect series, we have covered: PR.AA – Who can access systems and data PR.AT – How people recognize and respond to risk PR.DS answers the next, unavoidable question: Once access is granted and people are trained—how is data actually protected? This is where cybersecurity aligns directly with: Regulatory exposure Financial loss Reputation damage Customer trust For new practitioners, PR.DS explains what data security really means . For new CISOs, it defines where accountability truly begins . What Is PR.DS (Plain English) PR.DS ensures that data is protected throughout its entire lifecyc...

Most organizations don’t fail at cybersecurity because they lack tools. They fail because people do the reasonable thing in an unreasonable situation : Clicking a convincing link Reusing a password to get work done Sharing files the fastest way, not the safest Bypassing controls that slow them down PR.AT exists because humans are not the weakest link—they are the most influential one . NIST CSF 2.0 explicitly recognizes that cybersecurity awareness and training are not “nice-to-have” activities. They are protective controls that reduce risk every single day. Where PR.AT Fits in the Protect Function So far, Protect has focused on structural controls : PR.AA ensures only the right identities have access Controls, permissions, and authentication enforce boundaries PR.AT addresses something different: How people think, decide, and behave when controls are present—or when they fail. No control operates in isolation. People configure it. People use it. People override it. PR.AT is the layer...

If you strip most cyber incidents down to their root cause, you will usually find the same failure: Someone—or something—had access they should not have had. It might be: A compromised employee account An administrator with too much privilege A service account that was never rotated A vendor account that was never removed Tools fail. Controls misfire. Alerts get missed. But identity and access failures quietly bypass them all . That is why PR.AA – Identity Management, Authentication, and Access Control is the first category in the NIST CSF 2.0 Protect function. It represents the moment where cybersecurity stops being abstract planning and starts becoming real enforcement . How PR.AA Fits Into the Big Picture Up to this point, the Identify function helped answer: What assets exist? (ID.AM) What risks matter most? (ID.RA) How do we learn and improve over time? (ID.IM) The Protect function answers the next logical question: “Now that we know what matters—how do we stop bad things fro...

Most cybersecurity programs don’t fail because they lack controls. They fail because they fail to learn . Incidents happen. Audits surface gaps. Assessments reveal weaknesses. Yet many organizations treat these moments as interruptions instead of inputs . That is exactly why Improvement (ID.IM) exists in the NIST Cybersecurity Framework (CSF) 2.0 Identify function. ID.IM ensures the organization systematically learns from experience and uses that learning to strengthen governance, risk management, and strategic execution. In CSF 2.0, improvement is no longer implied—it is explicit, measurable, and expected . This post covers: What ID.IM is in NIST CSF 2.0 How mature organizations operationalize continuous improvement Metrics that demonstrate learning, not just activity What Is NIST CSF 2.0 Improvement (ID.IM)? ID.IM focuses on identifying opportunities for improvement in cybersecurity governance, risk management, and controls based on: Incidents and near misses Risk assessments Aud...

If Asset Management answers “What do we have?” , Risk Assessment answers the more important question: “What could realistically go wrong, and what actually matters?” In NIST CSF 2.0, Risk Assessment (ID.RA) is no longer a compliance checkbox or an annual spreadsheet exercise. It is positioned as a living, decision-support capability that informs governance, investment prioritization, and executive accountability. Most organizations do risk assessments. Very few organizations use them effectively . This post explains: What ID.RA is in NIST CSF 2.0 How to implement it in a way executives trust Metrics that demonstrate risk maturity—not paperwork completion What Is NIST CSF 2.0 Risk Assessment (ID.RA)? ID.RA focuses on identifying and evaluating cybersecurity risk to organizational operations, assets, individuals, and stakeholders . In CSF 2.0, Risk Assessment explicitly includes: Threats (internal, external, supply chain, systemic) Vulnerabilities (technical, process, human) Likelih...