Understanding the Identify Function in NIST CSF 2.0: Strategic Risks and Operational Imperatives


The NIST Cybersecurity Framework 2.0 (CSF 2.0) reinforces foundational principles of managing cybersecurity risk while adapting to today’s dynamic threat and business environments. At the core of effective risk management is the Identify function — the foundational step in building a resilient cybersecurity program. Like all CSF functions, Identify helps organizations formalize their approach to risk, prioritize resources, and make informed decisions.

Before digging into risks, you can access the official NIST CSF 2.0 guidance here: NIST Cybersecurity Framework 2.0


What the Identify Function Is (and Why It Exists)

In the context of NIST CSF 2.0, the Identify (ID) function enables organizations to develop an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. It helps answer the fundamental questions:

  • What assets and capabilities do we have?
  • What cyber risks are associated with them?
  • Which of these risks are meaningful to our mission and business objectives?
  • Where are critical gaps or potential vulnerabilities?

A robust Identify program typically includes outcomes such as Asset Management, Risk Assessment, and Improvement — elements that help clarify the scope of risk and shape effective prioritization.

In CSF 2.0, some outcomes from earlier versions have been updated or consolidated to improve clarity and usability, while preserving the intent of mapping the organization's environment to its risk.


Risk of Not Implementing Identify

Failing to establish an effective Identify function undermines virtually every other aspect of cybersecurity. Consider the following consequences:

1. Tactical Blind Spots Become Strategic Threats

Without a clear inventory of hardware, software, data, and user touchpoints, organizations cannot reliably prioritize protection and response investments. This often leads to shadow IT, unmanaged endpoints, and unrecognized data flows — all fertile ground for exploitation.

2. Risk Management Is Guesswork

If leadership lacks validated assessments of threats, vulnerabilities, and associated business impact, decision-making becomes reactive or arbitrary. CEOs, Boards, and risk committees require data-driven insights — not estimates — to justify security budgets and strategic choices.

3. Misaligned Cybersecurity Priorities

Without identifying the business context — including roles in the supply chain and critical service delivery — security teams may focus on the wrong issues. A spending surge on “sexy” technologies (e.g., AI detection tools) can miss basic risks like outdated assets or unmonitored cloud workloads.

4. Ineffective Risk Communication

Poor or non-existent risk identification hinders meaningful communication with stakeholders. If leaders cannot articulate risk in business terms, cybersecurity becomes a technical burden rather than a shared business concern.

5. Disconnected Improvement Cycles

A mature Identify function includes mechanisms to capture lessons learned and continuously improve risk understanding. Without this, organizations repeat mistakes, fail to track threat trends, and potentially overlook emerging vulnerabilities.

Risks of Implementing Identify Poorly

Simply “checking the box” on Identify — without depth or context — introduces its own set of risks:

1. Superficial Inventories and Static Lists

An asset inventory that is not dynamic, continuously updated, or tied to business criticality does little beyond generating documentation. It fails to help teams understand why an asset matters or how risk to that asset should influence prioritization.

2. Misguided Risk Assessments

Many organizations still conflate vulnerability detection with strategic risk assessment. Identify must capture business impact, likelihood, and threat context — not just a list of technical issues.
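The two failure modes above, a static inventory disconnected from business criticality and a "risk assessment" that is really just a CVSS-sorted vulnerability list, can be shown concretely. The following Python script is an added illustration, not code from the original post or from NIST. It joins a constructed asset inventory (each asset carrying an owner, a business criticality rating, a data sensitivity rating and a last-seen date) to a constructed set of findings, combines technical severity with threat context to estimate likelihood, derives impact from the business attributes, and ranks findings by the product. It also flags assets whose inventory record has gone stale and findings that point at assets the inventory does not know about. All asset names, finding identifiers, CVSS values and weights are constructed placeholders; the weighting scheme is a simple assumption for demonstration, not a NIST-prescribed formula.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# --- Data model (constructed for this example) -------------------------------

@dataclass
class Asset:
    asset_id: str
    name: str
    owner: str
    business_criticality: int   # 1 (low) .. 5 (mission-critical), set by the business owner
    data_sensitivity: int       # 1 (public) .. 5 (regulated / highly sensitive)
    last_seen: date             # last date discovery confirmed the asset still exists

@dataclass
class Finding:
    asset_id: str
    finding_id: str             # placeholder label, not a real vulnerability identifier
    cvss: float                 # technical severity, 0.0 .. 10.0
    exploited_in_wild: bool     # threat context from threat intelligence
    internet_exposed: bool      # exposure context from architecture review

# "Today" is fixed so the example is deterministic.
TODAY = date(2025, 1, 15)

# Constructed inventory: note the legacy database has not been seen for months.
INVENTORY = [
    Asset("A-001", "payments-api",        "Finance", 5, 5, TODAY - timedelta(days=2)),
    Asset("A-002", "intranet-wiki",       "IT",      2, 2, TODAY - timedelta(days=1)),
    Asset("A-003", "legacy-reporting-db", "Ops",     4, 4, TODAY - timedelta(days=120)),
]

# Constructed findings: F-4 references an asset the inventory does not contain.
FINDINGS = [
    Finding("A-001", "F-1", 6.5, exploited_in_wild=True,  internet_exposed=True),
    Finding("A-002", "F-2", 9.8, exploited_in_wild=False, internet_exposed=False),
    Finding("A-003", "F-3", 7.5, exploited_in_wild=False, internet_exposed=True),
    Finding("A-999", "F-4", 8.0, exploited_in_wild=True,  internet_exposed=True),
]

# --- Scoring (assumed weights, for illustration only) -------------------------

def likelihood(f: Finding) -> float:
    """Technical severity adjusted by threat and exposure context, capped at 1.0."""
    score = f.cvss / 10.0
    if f.exploited_in_wild:
        score *= 1.5            # active exploitation raises likelihood
    if f.internet_exposed:
        score *= 1.25           # reachable attack surface raises likelihood
    return min(score, 1.0)

def impact(a: Asset) -> float:
    """Business impact in 0..1 from criticality and data sensitivity."""
    return (a.business_criticality * a.data_sensitivity) / 25.0

def risk_score(a: Asset, f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0..100 for executive reporting."""
    return round(likelihood(f) * impact(a) * 100, 1)

def stale_assets(inventory, as_of: date, max_age_days: int = 30):
    """Assets whose record has not been refreshed recently: the 'static list' symptom."""
    return [a for a in inventory if (as_of - a.last_seen).days > max_age_days]

def prioritize(inventory, findings, as_of: date):
    """Join findings to the inventory and rank by business risk, not raw CVSS.

    Returns (ranked, unmanaged): ranked rows carry owner and business language
    so the result can go straight into a risk discussion; unmanaged lists
    finding ids whose asset is missing from the inventory (shadow IT signal).
    """
    by_id = {a.asset_id: a for a in inventory}
    stale = {a.asset_id for a in stale_assets(inventory, as_of)}
    ranked, unmanaged = [], []
    for f in findings:
        a = by_id.get(f.asset_id)
        if a is None:
            unmanaged.append(f.finding_id)
            continue
        score = risk_score(a, f)
        ranked.append({
            "finding": f.finding_id,
            "asset": a.name,
            "owner": a.owner,
            "cvss": f.cvss,
            "risk": score,
            "stale_inventory": a.asset_id in stale,
            "summary": (f"{a.name} (owner: {a.owner}) carries risk {score}/100: "
                        f"impact {impact(a):.2f}, likelihood {likelihood(f):.2f}"),
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked, unmanaged

if __name__ == "__main__":
    ranked, unmanaged = prioritize(INVENTORY, FINDINGS, TODAY)
    for row in ranked:
        flag = " [INVENTORY STALE]" if row["stale_inventory"] else ""
        print(f'{row["risk"]:>6}  cvss={row["cvss"]:<4} {row["summary"]}{flag}')
    print("findings on unmanaged assets:", unmanaged)
    print("stale inventory records:", [a.name for a in stale_assets(INVENTORY, TODAY)])
```

With the constructed data, a CVSS-only view would put the 9.8 on the low-value intranet wiki first; the business-risk view puts the actively exploited, internet-facing 6.5 on the payments API first, and shows the legacy database both as the second-highest risk and as an asset whose inventory record nobody has refreshed in four months. The finding on the unknown asset is exactly the "unrecognized asset" gap that a checkbox inventory never surfaces.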

3. Failure to Link to Strategy and Governance

Identify is most powerful when linked to governance and enterprise risk management. If outcomes from Identify are siloed within security teams and not communicated upward, Senior Leadership and Boards remain unaware of the organization’s real exposures.

4. Over-Investing in Tools Without Process

Purchasing discovery tools without establishing operational processes to validate findings, prioritize based on business impact, and maintain ongoing accuracy turns Identify into a costly data dump.


Strategic Recommendations for Infosec Leaders

To get maximum value from the Identify function, CISOs should consider:

1. Start With Clear Business Context

Identify isn’t just an inventory exercise. Ground it in mission priorities and risk tolerance so leadership understands why risk matters.

2. Blend Technical and Business Risk Assessments

Translate technical vulnerabilities into business risk terms that executives and Boards can grasp.

3. Design for Continuous Improvement

Treat Identify as a living function with regular reviews, integration with change management, and reflection in cybersecurity roadmaps.

4. Integrate With Enterprise Risk Management (ERM)

Ensure risk outcomes from Identify flow into broader risk governance discussions so cybersecurity risks are evaluated alongside financial, operational, and legal risks.

5. Communicate Early and Often

Use Identify outputs to inform planning cycles, budget reviews, and cross-functional risk discussions.


Final Thought

In NIST CSF 2.0, the Identify function is the foundation on which all other cybersecurity activities are built. Without it, organizations risk operating in the dark — investing in protections they don’t need, overlooking critical exposures, and failing to communicate risk effectively at the executive level. Done well, Identify empowers security leaders to make informed, business-aligned decisions, justify investments with clarity, and anticipate emerging risks rather than react to them.

Understanding what you have and what could go wrong is not optional — it is the strategic first step in turning cybersecurity from cost center to risk-enabling business partner.
