Easi Blog

GRC in Belgium: Why PROTECT Is Where Insight Becomes Action

Written by Driek Desmet | Jun 22, 2026 12:17:58 PM

In our previous article of this GRC series, we explored the IDENTIFY function within the Cyberfundamentals (CyFyn®) framework: understanding what assets exist, which systems are critical, and where risks may emerge.

But visibility alone does not reduce risk. Knowing which assets are critical is valuable, yet it does little if no measures are taken to protect them. Once an organisation understands what matters most, the next challenge becomes keeping those assets secure.

That is where the PROTECT function comes in.


PROTECT focuses on the safeguards, controls, and processes that reduce the likelihood and impact of cybersecurity incidents. It answers a simple but crucial question: How do we keep our most important assets safe?

Whether it is a user's identity, a critical business application, sensitive customer data, or an operational technology environment, protection is about ensuring these assets remain secure, available, and resilient.

Table of contents:

  1. Protection Is Not About Protecting Everything Equally
  2. The Principle of Defence in Depth
  3. What NIS2 Expects From PROTECT
  4. The Building Blocks of PROTECT

1. Protection Is Not About Protecting Everything Equally

One of the most common misconceptions in cybersecurity is that every asset should receive the same level of protection.

In reality, that approach is neither practical nor effective. The visibility gained through IDENTIFY allows organizations to prioritize: critical systems require stronger safeguards than low-risk assets, and business impact, threat exposure, and regulatory requirements all influence how protection measures are deployed.

This is why cybersecurity is fundamentally risk-based: organizations do not protect everything equally, but concentrate their strongest protections on what matters most.

2. The Principle of Defence in Depth

No security control is perfect. A strong password can be stolen. Multi-factor authentication can be bypassed. A user may still click a phishing link. Software vulnerabilities may remain undiscovered.

That is why PROTECT relies on the principle of defence in depth. Rather than depending on a single security measure, multiple layers work together to reduce risk.

A modern protection strategy typically combines:

  • User awareness and security culture
  • Identity and access controls
  • Endpoint protection
  • Network segmentation
  • Secure applications and systems
  • Data protection measures

If one layer fails, another remains in place. The objective is not to create an impenetrable fortress. The objective is to make successful attacks significantly more difficult and less impactful.

3. What NIS2 Expects From PROTECT

Under NIS2, protection is not merely a best practice. It is a regulatory requirement.

Several obligations map directly to the PROTECT function, including:

  • Access control and authentication mechanisms
  • Cybersecurity awareness and training
  • Secure use of cryptography and encryption
  • Vulnerability and patch management
  • Asset protection and secure configurations
  • Protection of networks and information systems
  • Supply chain security measures

Organizations must not only implement these controls, but also be able to demonstrate that they are effective and consistently applied.

This is where governance and documentation become essential. NIS2 increasingly focuses on proving security maturity rather than simply claiming it exists.

4. The Building Blocks of PROTECT

PROTECT consists of six building blocks that work together to reduce risk and improve resilience.

4.1. Identity & Access Control (PR.AC)

Access should be limited to the right people, at the right time, for the right reasons.

This includes:

  • Multi-factor authentication
  • Least-privilege access
  • Role-based access controls
  • Joiner, mover and leaver processes
  • Privileged access management

Strong identity controls remain one of the most effective security measures available.

4.2. Awareness & Training (PR.AT)

Technology alone cannot stop every attack. Employees remain a frequent target for cybercriminals, making awareness a critical layer of protection.

Organizations should establish:

  • Security awareness programs
  • Phishing simulations
  • Role-specific training
  • Secure working practices

Security culture is not built through annual presentations, but rather developed through continuous engagement.

4.3. Data Security (PR.DS)

Data is often the asset attackers are ultimately trying to reach.

Organizations should focus on:

  • Data classification
  • Encryption at rest and in transit
  • Secure storage
  • Data retention policies
  • Data loss prevention measures

The goal is to ensure information remains protected even when systems are compromised.

4.4. Information Protection Processes (PR.IP)

Security should be embedded into daily operations.

This includes:

  • Secure configuration standards
  • Change management
  • Backup procedures
  • Secure development practices
  • Operational security processes

Consistency often matters more than complexity.

4.5. Maintenance (PR.MA)

Security deteriorates when systems are not maintained.

Organizations should ensure:

  • Timely patching
  • Vulnerability remediation
  • Lifecycle management
  • Regular reviews of unsupported software

Many successful attacks exploit weaknesses for which fixes already exist.

4.6. Protective Technology (PR.PT)

Technology provides the technical safeguards that reinforce all other protection layers.

Examples include:

  • Endpoint protection
  • Network segmentation
  • Firewalls
  • Logging and monitoring foundations
  • Remote access controls
  • Secure system hardening

Technology is important, but it is most effective when supported by people and processes.

From Visibility to Resilience

Where IDENTIFY helps organizations understand what they have, PROTECT ensures those assets are safeguarded.

Together, these functions form the foundation of a mature cybersecurity program. Without visibility, protection efforts are often misdirected. Without protection, visibility alone provides little value.

Organizations that succeed are not necessarily those with the most security tools.

They are the organizations that consistently apply the right protections to the assets that matter most.

⏭️ Up Next: DETECT

Even the strongest protection strategy assumes that incidents can still occur.

In the next article of our GRC in Belgium series, we will explore the DETECT function within the Cyberfundamentals (CyFyn®) framework and examine how organizations identify suspicious activity, recognize threats early, and gain the visibility needed to respond before minor issues become major incidents.

You cannot respond to what you cannot see...