
Summiting Cybersecurity with the NIST CSF: Protect Your Assets

by David Mainville on

Imagine setting out to climb a mountain with no helmet, no ropes, and no plan for shifting weather. That’s what it looks like when an organization knows what’s important — but hasn’t taken steps to protect it. In cybersecurity, knowing your assets is only the beginning. You also need to safeguard them.

Once you’ve mapped what matters, it’s time to secure it. Because preparation is protection.

In our last article, we emphasized the importance of visibility — understanding what assets matter most, where risks lie, and how they support your operations. 

In this third article of our executive series, we continue our ascent by focusing on the Protect Function of the NIST Cybersecurity Framework (CSF) 2.0.

This is the phase where preparation meets execution, and your organization puts in place the safeguards that will keep systems, data, and people secure — before the threats arrive.

What is NIST CSF: Protect

According to NIST CSF 2.0, the Protect Function helps organizations reduce the likelihood and impact of cybersecurity events. Once your critical assets and risks have been identified, this phase equips you to:

  • Prevent unauthorized access
  • Protect sensitive data
  • Train staff to make smart decisions
  • Harden systems and platforms
  • Ensure technology resilience under stress

These are not just technical safeguards — they’re operational strategies for continuity, performance, and trust.

Why NIST CSF: Protect – Five Key Categories

NIST CSF 2.0 defines five categories under the Protect Function. These work together to establish a layered defense — spanning people, processes, and technology.

1. Identity Management, Authentication, and Access Control (PR.AA)

Who has access — and how is that access controlled?

Business value: Reduces insider threat exposure, limits blast radius of attacks, and strengthens compliance with access control mandates.

Key activities include:

  • Enforce multi-factor authentication (MFA)
  • Apply least privilege and role-based access
  • Monitor and manage access rights
  • Secure physical access to critical environments

2. Awareness and Training (PR.AT)

Do your people know how to recognize and report threats?

Business value: Human error is a leading cause of breaches. Awareness reduces risk across all departments and improves incident response posture.

Key activities include:

  • Provide general cybersecurity awareness training
  • Deliver specialized training based on roles
  • Run simulations (e.g., phishing tests)
  • Promote a culture of security accountability

3. Data Security (PR.DS)

Is sensitive information protected — wherever it goes?

Business value: Protects intellectual property, customer data, and regulatory posture (e.g., HIPAA, GDPR). Minimizes risk of data loss and reputational damage.

Key activities include:

  • Encrypt data at rest, in transit, and in use
  • Maintain tested, protected backups
  • Apply policies for data classification, retention, and disposal

4. Platform Security (PR.PS)

Are your systems, hardware, and software hardened against attack?

Business value: Ensures operational continuity even in adverse conditions. Enables recovery time objectives (RTOs) and supports business continuity planning.

Key activities include:

  • Maintain secure configurations
  • Patch and update software and hardware regularly
  • Prevent unauthorized applications
  • Integrate secure development practices

5. Technology Infrastructure Resilience (PR.IR)

Can your systems withstand disruption?

Business value: Reduces vulnerability windows, lowers the attack surface, and builds cyber resilience into core systems and services.

Key activities include:

  • Design for availability, redundancy, and failover
  • Protect against physical and environmental threats
  • Build resilient network architectures
  • Monitor resource capacity and load balancing

Why It Matters to Operational Resilience

The Protect Function is not about locking everything down — it's about building controlled flexibility.

Strong safeguards enable you to:

  • Prevent attacks from escalating into business disruptions
  • Reinforce compliance and reduce audit risk
  • Give leadership confidence in system reliability
  • Enable teams to act decisively when incidents occur

Cybersecurity incidents often begin with preventable failures: a missed software update, an untrained user, or an unlocked access point. The Protect Function addresses these risks before they lead to impact.

Executive Perspective: Security as a Strategic Enabler

From the boardroom view, protection is about more than IT hygiene. It’s a key element of:

  • Brand trust — Customers want to know their data is safe
  • Investor confidence — Secure infrastructure supports growth
  • Regulatory readiness — Avoids fines, delays, and legal exposure
  • Operational uptime — Ensures your core services keep running

Cybersecurity protection is not an expense — it’s an investment in stability and resilience.

The Risk of Under-Protecting

Organizations that overlook or under-resource this phase may experience:

  • Credential theft from weak access controls
  • Data breaches due to poor encryption or backups
  • Business outages caused by patch failures
  • Erosion of customer trust following preventable incidents

Key Takeaways

  • The Protect Function transforms risk awareness into action
  • Safeguards span people, process, and platforms
  • Resilience starts with controls that are mapped to real business needs
  • Protection isn't just a technical task — it's a leadership priority

Final Thought: Don’t Climb Without Securing Your Gear

You’ve identified your critical assets. Now it’s time to secure them. Cyber resilience depends on preparedness, and that means putting the right controls in place — before threats have a chance to take hold.

Just as climbers check their harnesses, ropes, and weather conditions, organizations must prepare their defenses for the journey ahead. Because in cybersecurity, the best response is prevention.

Next in the Series

Summiting Cybersecurity with the NIST CSF: Detect Threats Early
Protection isn’t enough — you also need to spot signs of danger before they escalate.

About This Series
Summiting Cybersecurity with the NIST CSF is a 7-part executive journey through the critical stages of cybersecurity resilience. Like climbing a mountain, cybersecurity success requires careful planning, preparation, and step-by-step execution. Guided by the NIST Cybersecurity Framework (CSF) 2.0, this series breaks down complex security principles into plain English — helping leaders understand not just what to do, but why it matters for business resilience and growth.
