Skip to content

Summiting Cybersecurity with the NIST CSF: Identify Risks

by David Mainville on

Imagine standing at the base of a mountain, unsure of the route, the conditions, or even what equipment you’ll need to reach the summit. That’s the situation many organizations face when they begin addressing cybersecurity without first understanding their assets, exposures, and dependencies.

“You can’t protect what you don’t know — and you can’t climb without knowing what’s on the trail ahead.”

In our last article, we emphasized the importance of planning the route. Now, with direction established, it’s time to build your basecamp — the point from which everything else ascends. In NIST CSF 2.0, this step is defined by the Identify Function — the foundation of a risk-informed cybersecurity program.

The Purpose of NIST CSF Identify

The NIST CSF Identify Function supports the development of an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. It is the core of operational visibility and serves as the lens through which business and technology leaders begin to make risk-informed decisions.

This phase provides the groundwork to:

  • Prioritize protection and detection activities
  • Allocate cybersecurity resources effectively
  • Align cybersecurity strategy with business mission and risk appetite

In executive terms: this is where strategy meets operational reality.

Why NIST CSF Identify Is Critical for Operational Resilience

Identify isn’t just about IT inventories or asset tagging — it’s about enabling the business to perform under pressure, recover faster, and avoid blind spots. When leaders understand their digital environment — systems, data flows, supply chains, and risks — they can:

  • Safeguard critical operations by identifying which assets and services are most vital
  • Minimize downtime through informed incident planning and response
  • Reduce waste by aligning protection and detection efforts to real business risk
  • Improve decision speed when cyber threats emerge or outages occur

In short, Identify creates the situational awareness necessary for resilience. Without it, organizations are navigating blind in a high-stakes landscape.

Basecamp Activities: What Identify (ID) Looks Like in Practice

NIST CSF 2.0 outlines six key outcome categories under the Identify Function:

1. Asset Management (ID.AM) 

Do we know what we own, who relies on it, and how it supports the mission?

This category focuses on identifying and managing the assets — including data, systems, software, facilities, services, and people — that support the business. Key outcomes include:

  • Maintaining up-to-date inventories of hardware, software, and services
  • Understanding authorized data flows and communication paths
  • Prioritizing assets based on classification, criticality, and mission impact
  • Managing asset life cycles to ensure consistent visibility and control

2. Risk Assessment (ID.RA) 

What threats, vulnerabilities, and impacts should we be prepared for?

This category ensures that cybersecurity risks to the organization’s mission, assets, and individuals are clearly understood and managed. Activities include:

  • Identifying and validating vulnerabilities in assets
  • Receiving and applying threat intelligence
  • Documenting internal and external threats
  • Assessing risk likelihood, impact, and prioritizing response
  • Tracking exceptions and managing changes that affect risk posture
  • Verifying the authenticity of hardware, software, and suppliers

3.Improvement (ID.IM) 

How are we learning, adapting, and improving our cybersecurity practices?

This category supports the identification of continuous improvement opportunities across cybersecurity policies, processes, and plans. Focus areas include:

  • Capturing lessons learned from incidents, exercises, and tests
  • Updating and refining incident response and cybersecurity plans
  • Driving improvements from operational feedback loops
  • Integrating suppliers and third parties into improvement processes

Executive Perspective: More Than an IT Checklist

For executives, the Identify Function is where cybersecurity becomes risk-aware and mission-aligned. It’s not about technical audits — it’s about understanding:

  • What’s critical to the business
  • Where vulnerabilities lie
  • How cyber threats could impact operational performance

When implemented effectively, Identify enables:

  • Informed decision-making based on operational risk
  • Prioritization of cybersecurity investments with measurable ROI
  • Enhanced compliance and audit readiness
  • Greater cross-functional alignment across IT, security, and business units

The Risk of Skipping the NIST CSF Identify Function

Organizations that neglect the Identify phase often experience:

  • Misaligned controls that fail to protect high-value assets
  • Prolonged incident response times due to asset or data uncertainty
  • Redundant or wasteful security investments
  • Difficulty meeting regulatory or audit requirements

Key Takeaways

  • Identify is foundational — it turns cybersecurity from guesswork into strategy
  • Asset, risk, and improvement visibility drive smarter protection, detection, and response
  • A mature Identify function empowers leaders to act with clarity and control

Final Thought: Visibility Enables Resilience

No climber would begin an ascent without a solid basecamp. In cybersecurity, the Identify Function is where organizations gain the visibility needed to navigate complexity, prepare for threats, and build long-term operational resilience.

It’s not just the first step — it’s the one that determines the success of all others.

Next in the Series

Summiting Cybersecurity with the NIST CSF: Protect Critical Assets

Now that you know what’s valuable, learn how to protect it effectively before threats arrive.

About This Series
Summiting Cybersecurity with the NIST CSF is a 7-part executive journey through the critical stages of cybersecurity resilience. Like climbing a mountain, cybersecurity success requires careful planning, preparation, and step-by-step execution. Guided by the NIST Cybersecurity Framework (CSF) 2.0, this series breaks down complex security principles into plain English — helping leaders understand not just what to do, but why it matters for business resilience and growth.

Subscribe to Navvia Blog

×