NIST CSF Identify: A Top-Down Approach


The Identify phase of a NIST CSF-based Cyber Security program is about figuring out what you are protecting in the Protect phase. The wrong way to do this is to tell your IT folks to give you a list of important stuff. The right way to do this is top-down iteration. "Top-down" means that you start at the top of the hierarchy. "Iteration" means that this is a process that repeats its steps at every stage: "Lather, Rinse, Repeat."

We start at the top because Cyber Security is Risk Management and Risk Management is an executive function. Protecting whatever you decide to protect will take resources. Assigning those resources and monitoring the work done are management functions.

Starting at the top, make a list of what you deem to be critical data and systems. Don't fret if you are not IT experts; it is not expected, nor even useful, for high-level management directives to be detailed and specific. "Our clients' data" is a perfectly reasonable asset to identify at this level. Ideally, you would also attach a priority to each asset (really, asset class at this level), but since we practice Reality-based Consulting, we will let you in on a secret: priority and practicality have a complex and stormy relationship. Never let the perfect be the enemy of the good. Protect the most you can, but don't overreach ("we must protect every asset from day 1") and don't under-reach either ("we can't protect every high-priority asset, so we have failed before we begin").

Once you have your list, you give it to the next level down. They, in turn, review the list with two aims: to make it more specific (but only as specific as is appropriate) and to give feedback on scope and priority. Again, there is no simple rule here: sometimes they are right (because of their different perspective) and sometimes they are wrong (because of their different perspective).

Whoever does your Cyber Defending (IT usually, but the CISO if you have one) has a special extra step when they review the list: they should be giving you an estimate of the level of effort required to protect whatever is on the now more specific list.

Yes, this process is so much more work than telling IT to give you a list.

Once the list comes back up the chain, the real management work begins. Priority has to be reassessed. Here is the part people often gloss over: management needs to take responsibility for dividing the list up into "Protecting now," "Protecting next" and "Protecting someday," because no one ever seems to have all the time and money in the world. You can't protect everything you identify. You don't ignore what you can't protect, and you don't rationalize how it is fine not to protect the unlucky assets. Instead, you keep them on the list and you explicitly (and reluctantly) put them aside. Not forever, but for now.
