This is Part 3 of our series on NIST CSF 2.0. Part 2 covered the Govern function and establishing security leadership.
The Identify function answers fundamental questions that every security program must address: What do we have? What's it worth? What could go wrong? Without these answers, security efforts become unfocused—protecting everything equally (which means protecting nothing adequately) or protecting the wrong things.
What Identify Covers
The Identify function encompasses:
Asset Management — Inventorying hardware, software, data, and systems. Understanding what exists before trying to protect it.
Business Environment — Understanding how assets support business objectives. Which systems are critical to operations? Which data is most sensitive?
Risk Assessment — Evaluating threats, vulnerabilities, and potential impacts. Understanding what could go wrong and how likely it is.
Risk Management Strategy — Developing approaches to address identified risks based on organizational priorities and risk appetite.
Supply Chain Risk Management — Assessing risks introduced by vendors, suppliers, and partners.
Asset Management: The Foundation
Organizations consistently underestimate how difficult asset management is. The typical environment includes:
- Known, managed devices (relatively easy)
- Shadow IT—devices and applications IT doesn't know about
- Cloud resources spun up by developers and never decommissioned
- Legacy systems that everyone forgot about
- Third-party integrations with access to internal systems
- Data spread across managed and unmanaged locations
Effective asset management requires:
Automated discovery. Manual inventory can't keep up with dynamic environments. Use tools that continuously scan for assets:
- Network scanning (Nmap, Nessus)
- Endpoint detection platforms (CrowdStrike, SentinelOne)
- Cloud security posture management (AWS Config, Azure Policy)
- Configuration management databases (ServiceNow and similar CMDB tools)
Classification. Not all assets are equal. Classify by:
- Criticality to business operations
- Sensitivity of data processed or stored
- Regulatory requirements
- Exposure to threats
Ownership. Every asset should have a designated owner responsible for its security and lifecycle management.
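The three requirements above (automated discovery, classification, ownership) are easiest to see as one reconciliation job: take what each discovery tool reports, compare it with what the CMDB records, and list the gaps. The script below is an added example written for this post, not code from the post or from any of the tools named; every hostname, resource id, team name and classification value in it is constructed sample data, and the ranking rules in `work_queue` are one reasonable choice, not a standard.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original post): reconcile what discovery tools
# see against what the CMDB records, to surface the gaps the section describes.
# All identifiers, owners and classifications below are constructed.


@dataclass
class Asset:
    identifier: str                         # hostname or cloud resource id
    owner: Optional[str] = None             # accountable owner, if assigned
    criticality: Optional[str] = None       # High / Medium / Low
    data_sensitivity: Optional[str] = None  # e.g. PII, Internal, Public


# Constructed sample: what the CMDB believes exists.
CMDB = [
    Asset("web-01", owner="app-team", criticality="High", data_sensitivity="PII"),
    Asset("db-01", owner=None, criticality="High", data_sensitivity="PII"),
    Asset("build-07", owner="ci-team", criticality="Medium", data_sensitivity="Internal"),
    Asset("legacy-fax", owner="facilities", criticality="Low", data_sensitivity=None),
]

# Constructed sample: identifiers reported by each discovery source
# (think: a network scanner export and a cloud posture-management export).
DISCOVERED = {
    "network-scan": ["web-01", "db-01", "build-07", "printer-3f", "nas-unknown"],
    "cloud-inventory": ["web-01", "i-0123-dev-test", "s3-analytics-export"],
}


def reconcile(cmdb, discovered_by_source):
    """Return the four inventory gaps worth chasing: shadow assets (seen by a
    tool but absent from the CMDB), stale records (in the CMDB but seen by no
    tool), assets with no owner, and assets missing classification."""
    known = {a.identifier: a for a in cmdb}
    seen = {}
    for source, identifiers in discovered_by_source.items():
        for ident in identifiers:
            seen.setdefault(ident, set()).add(source)

    shadow = {ident: sorted(srcs) for ident, srcs in seen.items() if ident not in known}
    stale = sorted(ident for ident in known if ident not in seen)
    unowned = sorted(a.identifier for a in cmdb if not a.owner)
    unclassified = sorted(
        a.identifier for a in cmdb if not (a.criticality and a.data_sensitivity)
    )
    return {
        "shadow": dict(sorted(shadow.items())),
        "stale": stale,
        "unowned": unowned,
        "unclassified": unclassified,
    }


def work_queue(cmdb, discovered_by_source):
    """Order the gaps for follow-up: unowned or unclassified assets ranked by
    criticality (nobody accountable for a crown jewel comes first), shadow
    assets next (unknown exposure), stale records last."""
    gaps = reconcile(cmdb, discovered_by_source)
    rank = {"High": 0, "Medium": 1, "Low": 2, None: 3}
    by_id = {a.identifier: a for a in cmdb}
    queue = []
    for ident in gaps["unowned"]:
        queue.append((rank[by_id[ident].criticality], "assign owner", ident))
    for ident in gaps["unclassified"]:
        queue.append((rank[by_id[ident].criticality], "classify", ident))
    for ident in gaps["shadow"]:
        queue.append((1, "investigate shadow asset", ident))
    for ident in gaps["stale"]:
        queue.append((2, "verify or retire record", ident))
    return [(action, ident) for _, action, ident in sorted(queue)]


if __name__ == "__main__":
    for action, ident in work_queue(CMDB, DISCOVERED):
        print(f"{action:28} {ident}")
```

Run stand-alone, it prints the follow-up list: the unowned High-criticality database first, then the four identifiers that discovery found but the CMDB never heard of, then the unclassified and stale fax record. In practice the two dictionaries would be replaced by exports from the scanner, CSPM and CMDB, and the job would run on a schedule rather than once, which is what turns inventory into a continuous activity.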
Risk Assessment
Risk assessment connects assets to potential negative outcomes. Key elements:
Threat identification. What could threaten your assets? Consider:
- External attackers (criminals, nation-states, hacktivists)
- Insider threats (malicious or accidental)
- Natural disasters and environmental factors
- Technology failures
Vulnerability analysis. Where are the weaknesses that threats could exploit?
- Technical vulnerabilities (unpatched systems, misconfigurations)
- Process gaps (inadequate access controls, missing monitoring)
- Human factors (susceptibility to social engineering)
Impact assessment. What happens if a threat exploits a vulnerability?
- Financial impact (direct costs, lost revenue, regulatory penalties)
- Operational impact (downtime, disruption)
- Reputational impact (customer trust, brand damage)
- Legal and compliance impact
Likelihood estimation. How probable is the risk scenario? Consider:
- Threat actor motivation and capability
- Vulnerability exploitability
- Existing controls and their effectiveness
Risk prioritization. Combine impact and likelihood to prioritize risks. Focus resources on high-impact, high-likelihood scenarios first.
Practical Risk Assessment Approaches
Qualitative assessment uses categories (High/Medium/Low) rather than precise numbers. It's faster and easier to communicate but less precise.
Quantitative assessment uses numerical estimates for likelihood and impact. Frameworks like FAIR (Factor Analysis of Information Risk) provide structured approaches. More precise but requires more data and expertise.
For most organizations, a hybrid approach works best—qualitative for initial prioritization, with quantitative analysis for major decisions or high-stakes risks.
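The hybrid approach described above, carried through in code as an added example (not from the original post, and not an implementation of FAIR itself): every scenario in a small risk register is placed on a qualitative impact × likelihood matrix, and only the scenarios that land in the High band receive a quantitative annualised-loss estimate, which then decides their order. The loss formula used here, loss-event frequency times the midpoint of a loss-magnitude range, is a deliberate simplification in the spirit of FAIR; the scenario names, frequencies and currency figures are constructed.

```python
from dataclasses import dataclass

# Added example (not from the original post): hybrid risk prioritisation.
# A qualitative impact x likelihood matrix triages every scenario; only the
# High band gets a quantitative annualised-loss estimate, which then orders
# it. The loss formula (frequency x magnitude midpoint) is a simplification
# in the spirit of FAIR, not the full FAIR ontology. All figures are constructed.

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    name: str
    impact: str                    # Low / Medium / High
    likelihood: str                # Low / Medium / High
    events_per_year: float = 0.0   # estimated loss-event frequency (quantitative input)
    loss_low: float = 0.0          # loss magnitude range per event, currency units
    loss_high: float = 0.0


def qualitative_score(s: Scenario) -> int:
    """Matrix cell value, 1..9: impact level times likelihood level."""
    return LEVELS[s.impact] * LEVELS[s.likelihood]


def rating(score: int) -> str:
    """Map a matrix score to the High/Medium/Low bands used in reporting."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def annualized_loss(s: Scenario) -> float:
    """Expected annual loss: frequency times the midpoint of the loss range."""
    return s.events_per_year * (s.loss_low + s.loss_high) / 2


def prioritize(scenarios, quantify_from="High"):
    """Qualitative triage for everything, quantitative ordering for the top band.
    Returns rows sorted for action: quantified scenarios by annualised loss
    (highest first), then the remainder by matrix score."""
    rows = []
    for s in scenarios:
        score = qualitative_score(s)
        band = rating(score)
        ale = annualized_loss(s) if LEVELS[band] >= LEVELS[quantify_from] else None
        rows.append({"name": s.name, "score": score, "rating": band, "ale": ale})
    quantified = sorted((r for r in rows if r["ale"] is not None),
                        key=lambda r: r["ale"], reverse=True)
    remainder = sorted((r for r in rows if r["ale"] is None),
                       key=lambda r: r["score"], reverse=True)
    return quantified + remainder


# Constructed sample register; the three High-band entries carry the extra
# quantitative inputs, the rest are left at the matrix stage.
SCENARIOS = [
    Scenario("Ransomware on file servers", "High", "High",
             events_per_year=0.3, loss_low=200_000, loss_high=2_000_000),
    Scenario("Unpatched VPN appliance exploited", "High", "Medium",
             events_per_year=0.5, loss_low=500_000, loss_high=1_500_000),
    Scenario("Credential phishing against finance", "High", "Medium",
             events_per_year=2.0, loss_low=50_000, loss_high=150_000),
    Scenario("Laptop theft", "Medium", "Medium"),
    Scenario("Datacenter flood", "High", "Low"),
    Scenario("Website defacement", "Low", "Medium"),
]

if __name__ == "__main__":
    for r in prioritize(SCENARIOS):
        ale = f"{r['ale']:,.0f}" if r["ale"] is not None else "n/a"
        print(f"{r['rating']:6} score={r['score']} ale={ale:>10}  {r['name']}")
```

Two things the output makes visible that the matrix alone does not. The VPN and phishing scenarios tie on the matrix (both score 6), and the quantitative pass separates them by an order of magnitude. It also moves the VPN scenario ahead of the ransomware scenario that the matrix had ranked first, because a lower frequency against a tighter, higher loss range still produces a larger expected annual loss. The remaining three scenarios keep their matrix order and cost no data-gathering effort, which is the point of quantifying only where the decision is worth it.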
Supply Chain Risk
Modern organizations depend heavily on third parties. Supply chain risk assessment should consider:
- What data or access does each vendor have?
- What's their security posture?
- What happens if they're compromised?
- What happens if they fail (business continuity)?
Vendor risk assessment should be proportional to risk—critical vendors handling sensitive data get more scrutiny than commodity suppliers.
Common Failures in Identify
Incomplete asset inventory. Focusing only on IT-managed assets while ignoring shadow IT, cloud resources, and third-party integrations.
Static assessment. Treating risk assessment as a one-time exercise rather than continuous activity. Environments change; assessments must keep pace.
Ignoring business context. Technical risk assessment without understanding business impact leads to misallocated resources.
Analysis paralysis. Spending so much time on assessment that action never happens. Good enough now is better than perfect never.
Isolated effort. Risk assessment without input from business units misses critical context about asset importance and risk tolerance.
Getting Started
For organizations building or improving their Identify capabilities:
- Start with crown jewels. Identify your most critical assets and sensitive data first. Expand from there.
- Automate discovery. Deploy tools that continuously identify assets rather than relying on manual inventory.
- Assign ownership. Every critical asset needs an owner responsible for its security.
- Assess risk pragmatically. Use a simple framework to start. Improve sophistication over time.
- Make it continuous. Build asset discovery and risk assessment into ongoing operations, not annual exercises.
Next in the Series
Part 4 covers the Protect function—implementing controls to safeguard critical assets based on what you've identified.
Need help with asset discovery, risk assessment, or building an Identify program? Our security assessments and GRC Advisory services provide the foundation for effective security programs. Let's talk.
