The conference room fell silent as the CFO asked the question I'd been dreading: "So, what exactly are we protecting?"
I was three weeks into a NIST Cybersecurity Framework implementation for a mid-sized manufacturing company, and nobody—not the IT director, not the security team, not even the CTO—could give me a complete answer. They had thousands of assets scattered across five locations, three cloud providers, and countless employee devices. But they had no systematic inventory, no risk assessment, and no clear picture of what mattered most to their business.
That was 2017. The company had just signed a major defense contract that required NIST CSF compliance. We had six months to transform chaos into clarity.
Today, I want to share what I learned from that journey and dozens like it. Because here's the truth: the Identify function isn't the sexy part of cybersecurity. There are no flashing lights, no blocked attacks, no dramatic incident responses. But it's the foundation upon which everything else is built.
And when you get it right, magic happens.
Why the Identify Function Is Where Winners and Losers Are Made
After fifteen years in cybersecurity, I've noticed something fascinating: the organizations that excel at the Identify function rarely have major breaches. And when they do get hit, they recover in days instead of months.
It's not coincidence. It's preparation.
Think about it this way: imagine fighting a battle where you don't know what you're defending, where your defenses are weakest, or which assets are critical to survival. That's not a battle plan—it's a recipe for disaster.
Yet I've walked into dozens of organizations where this is exactly their situation. They've invested millions in firewalls, endpoint protection, and security monitoring. But they can't tell me:
What data they have and where it's stored
Which systems are critical to business operations
Who has access to what
What their biggest risks actually are
"You cannot protect what you cannot see. You cannot prioritize what you haven't identified. You cannot manage risk if you don't know where it lives."
The Identify Function: Breaking Down What It Really Means
The NIST Cybersecurity Framework's Identify function consists of six categories. Let me walk you through each one, not with textbook definitions, but with real-world context from the trenches.
Overview of NIST CSF Identify Categories
Category | Focus Area | Why It Matters | Common Failure Point |
|---|---|---|---|
Asset Management (ID.AM) | Know what you have and where it is | Can't protect unknown assets | Shadow IT and unmanaged devices |
Business Environment (ID.BE) | Understand your mission and priorities | Ensures security aligns with business goals | Treating all assets as equally important |
Governance (ID.GV) | Policies, procedures, and oversight | Creates accountability and structure | Policies that nobody follows |
Risk Assessment (ID.RA) | Identify and prioritize threats | Focus resources on real risks | Generic risk assessments that don't reflect reality |
Risk Management Strategy (ID.RM) | How you'll approach risk | Consistent decision-making framework | Ad-hoc decisions without clear criteria |
Supply Chain Risk Management (ID.SC) | Third-party and vendor risks | Your security is only as strong as your weakest vendor | Assuming vendors are secure by default |
Asset Management: The Foundation That Everyone Gets Wrong
Let me tell you about the scariest moment of my career.
In 2019, I was helping a healthcare organization prepare for a HIPAA audit. During our asset inventory, we discovered a server in a utility closet that nobody knew existed. It had been running for six years. It contained electronic health records for 23,000 patients. It had never been patched, never been monitored, never been backed up, and was accessible from the internet with default credentials.
Six. Years.
This wasn't some fly-by-night operation. This was a respected healthcare provider with a competent IT team and a real security budget. They just didn't have systematic asset management.
The Three Layers of Asset Management That Actually Work
Through trial and error (mostly error), I've developed a three-layer approach that works for organizations of any size:
Layer 1: Hardware Assets
What you need to know:
Every physical device (servers, workstations, laptops, mobile devices, IoT devices)
Where it's located
Who's responsible for it
What data it contains or accesses
When it was last updated
The real-world challenge: Shadow IT is everywhere. I once found 47 Raspberry Pi devices running production code that IT didn't know about. In a bank.
Layer 2: Software and Applications
What you need to know:
Every application running in your environment
What data it processes
Who has access
What other systems it connects to
Vendor support status
The real-world challenge: The average organization uses 371 different SaaS applications. IT knows about maybe 100 of them.
Layer 3: Data Assets
What you need to know:
Types of data you collect and store
Where it resides (including backups and archives)
Who can access it
How it flows through your organization
Compliance requirements that apply
The real-world challenge: Data moves. That customer information you thought was only in your CRM? It's also in your email system, your backup system, your analytics platform, and probably in 47 employee laptops.
Asset Management Implementation: A Practical Approach
Here's the methodology I use with every client, refined over dozens of implementations:
Phase | Timeline | Key Activities | Common Pitfalls to Avoid |
|---|---|---|---|
Discovery | Weeks 1-4 | Network scanning, inventory tools, interviews | Believing your inventory is complete after first pass |
Classification | Weeks 5-8 | Categorize by criticality, data type, risk level | Over-complicating classification schemes |
Validation | Weeks 9-10 | Cross-reference multiple sources, verify with owners | Trusting automated tools without validation |
Documentation | Weeks 11-12 | Create central repository, assign ownership | Creating documentation nobody will maintain |
Maintenance | Ongoing | Regular updates, automated discovery, audits | Treating asset management as a one-time project |
The Asset Register Template That Changed My Life
Early in my career, I tried complex asset management systems with dozens of fields and intricate relationships. Teams hated them. They were too complicated to maintain.
Then I discovered the power of simplicity. Here's the core information you actually need:
Field | Why It Matters | Example |
|---|---|---|
Asset ID | Unique identifier | SRV-001, WKS-347, APP-DB-01 |
Asset Name | Human-readable name | Customer Database Server |
Type | Category for reporting | Server, Workstation, Application, Data |
Owner | Who's accountable | John Smith (Director of Engineering) |
Custodian | Who maintains it | IT Infrastructure Team |
Location | Physical or logical location | AWS us-east-1, Building A Room 203 |
Criticality | Business impact if lost | Critical, High, Medium, Low |
Data Classification | Sensitivity level | Confidential, Internal, Public |
Last Updated | Inventory accuracy | 2024-01-15 |
Notes | Special considerations | Processes payment data, PCI scope |
I helped a 200-person company implement this simple register. Within three months, they discovered:
23 servers they didn't know they were paying for ($127,000 annual waste)
156 software licenses they could reclaim ($89,000 annual savings)
8 applications processing customer data without proper security controls
3 critical systems with no disaster recovery plan
The CFO called it "the best investment we never knew we needed to make."
Business Environment: Why Context Is Everything
Here's a mistake I see constantly: organizations treat all assets as equally important because they don't understand their business environment.
I worked with an e-commerce company that spent 60% of their security budget protecting their internal wiki. Meanwhile, their payment processing system—the actual crown jewel—was getting maybe 15% of attention and resources.
Why? Because nobody had sat down and asked: "What actually matters to our business?"
The Four Questions That Change Everything
When I start the Business Environment assessment, I ask four deceptively simple questions:
1. What is your organization's mission?
Not the mission statement on your website. The real mission. What do you actually do, and what would cause existential damage if disrupted?
For that e-commerce company, the answer was: "We process $4.7 million in transactions daily. If customers can't check out, we're dead in 72 hours."
2. What are your critical business functions?
I use this framework:
Function | Description | Maximum Tolerable Downtime | Annual Revenue Impact |
|---|---|---|---|
Tier 1: Critical | Organization dies without it | < 4 hours | > $1M per hour |
Tier 2: Important | Significant business impact | < 24 hours | $100K-$1M per day |
Tier 3: Standard | Notable inconvenience | < 72 hours | $10K-$100K per day |
Tier 4: Low Impact | Minimal business effect | > 1 week | < $10K per day |
3. What assets support those functions?
Now we connect dots. That payment processing system? It supports a Tier 1 function. The internal wiki? Tier 4 at best.
This changes everything about how you allocate resources.
4. What are your dependencies?
Every business function depends on something else. Understanding these dependencies reveals your true risk exposure.
Real-World Business Environment Mapping
Let me show you what this looks like in practice. Here's a simplified version of what we built for a financial services company:
Business Function | Criticality | Supporting Assets | Dependencies | Risk if Compromised |
|---|---|---|---|---|
Customer Transactions | Tier 1 | Core banking system, Payment gateway, Customer database | Internet connectivity, Cloud provider, Payment processor | Revenue loss: $2.1M/day, Regulatory fines, Customer trust |
Customer Service | Tier 2 | CRM system, Phone system, Knowledge base | Internet connectivity, SaaS vendors | Customer satisfaction decline, Increased call volume |
Internal Operations | Tier 3 | Email, Collaboration tools, HR system | Office network, Microsoft 365 | Reduced productivity, Communication delays |
Business Intelligence | Tier 4 | Data warehouse, Analytics tools, Reporting systems | Data feeds, BI platform | Delayed insights, Planning impacts |
Once we had this mapped, their security investments made sense for the first time. They shifted 40% of their budget from "protecting everything equally" to "protecting what actually matters."
"Security without business context is just expensive theater. Business context transforms security from a cost center into a business enabler."
Risk Assessment: Where Theory Meets Brutal Reality
Let's talk about risk assessment. But not the boring, checkbox-compliance kind. I want to share what actually works in the real world.
I've reviewed hundreds of risk assessments over my career. Most are garbage. They're generic, they're theoretical, and they have zero connection to what's actually likely to hurt the organization.
Here's what changed my approach forever: In 2020, I watched a company with a "comprehensive" risk assessment get destroyed by a scenario they rated "low probability." They'd spent hundreds of hours assessing every theoretical risk. But they'd never asked: "What's actually happened to companies like us?"
The Risk Assessment Framework That Actually Predicts Reality
Forget complex mathematical models. Here's what works:
Step 1: Identify Real Threats (Not Theoretical Ones)
I start every risk assessment by researching what's actually happening in the industry. Not what could theoretically happen. What is happening.
Threat Source | Example Threats | How to Identify |
|---|---|---|
Industry-Specific Attacks | Ransomware targeting healthcare, Payment card skimming in retail | Industry threat intelligence, ISAC reports |
Geographic Threats | Nation-state actors, Local crime patterns | Regional security advisories, FBI notices |
Technology-Specific | Cloud misconfigurations, Unpatched vulnerabilities | CISA alerts, vendor security bulletins |
Human Factors | Phishing, Insider threats, Social engineering | Historical incident data, Employee behavior patterns |
Step 2: Assess Likelihood (Using Real Data)
Here's my likelihood framework, based on actual probabilities I've observed:
Likelihood | Probability | Real-World Examples |
|---|---|---|
Almost Certain | > 90% annually | Phishing attempts, Vulnerability scanning, Failed login attempts |
Likely | 50-90% annually | Successful phishing, Minor data exposure, DDoS attempts |
Possible | 10-50% annually | Malware infection, Insider threat incident, Vendor breach |
Unlikely | 1-10% annually | Targeted attack, Physical security breach, Major system compromise |
Rare | < 1% annually | APT campaign, Natural disaster affecting datacenter, Catastrophic failure |
Step 3: Assess Impact (In Business Terms)
This is where most risk assessments fail. They use vague terms like "high impact" without defining what that means.
I force organizations to be specific:
Impact Level | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
Critical | > $10M | Business closure risk | National news coverage | Criminal charges possible |
High | $1M-$10M | > 1 week downtime | Industry news coverage | Major regulatory fines |
Medium | $100K-$1M | 1-7 days disruption | Local news coverage | Regulatory warning |
Low | $10K-$100K | < 1 day disruption | Internal impact only | Minor reporting requirement |
Minimal | < $10K | < 4 hour disruption | No external visibility | No regulatory impact |
The Risk Register That Saved a Company
In 2021, I helped a manufacturing company build their risk register. Six months later, they were hit by ransomware. Because we'd identified this specific risk, assessed it accurately, and implemented specific controls, they:
Detected the attack within 11 minutes
Isolated infected systems within 30 minutes
Restored from tested backups within 8 hours
Lost zero production time
Paid zero ransom
Their competitor—similar size, same industry, same ransomware variant—was down for three weeks and paid $340,000 in ransom.
The difference? A risk register that wasn't just a compliance document. It was a operational playbook.
Here's what their risk register looked like:
Risk ID | Risk Description | Likelihood | Impact | Risk Level | Current Controls | Residual Risk | Owner | Action Required |
|---|---|---|---|---|---|---|---|---|
R-001 | Ransomware infection via phishing | Likely | High | Critical | Email filtering, EDR, User training | Medium | CISO | Implement email sandboxing |
R-002 | Cloud misconfiguration exposing data | Possible | High | High | Manual reviews quarterly | Medium | Cloud Architect | Implement CSPM tool |
R-003 | Vendor data breach affecting our data | Possible | Medium | Medium | Standard contracts | Medium | Legal/IT | Enhanced vendor assessments |
R-004 | Insider data theft | Unlikely | High | Medium | Access controls, DLP | Low | HR/Security | Implement UEBA |
R-005 | DDoS attack on public services | Likely | Low | Medium | Basic DDoS protection | Low | IT Operations | Upgrade to advanced DDoS protection |
Risk Appetite: The Conversation Nobody Wants to Have
Here's an uncomfortable truth: you cannot eliminate all risk. You can only decide which risks you're willing to accept.
I facilitate a risk appetite workshop with every client. It's usually uncomfortable. Executives want zero risk. That's impossible.
So I reframe it: "Here are your options. You can spend $500,000 to reduce this risk from 15% to 3%. Is that worth it to your business?"
Suddenly, we're having a real conversation about business tradeoffs instead of security theater.
Risk Category | Risk Appetite | Rationale | Example Decision |
|---|---|---|---|
Customer Data Exposure | Very Low | Regulatory requirements, Reputation critical | Accept $800K investment in advanced DLP |
Internal System Downtime | Low | Business continuity critical | Accept $400K investment in HA infrastructure |
Partner Network Access | Medium | Business relationships require it | Accept with enhanced monitoring and contracts |
Employee Productivity Tools | Medium-High | Balance security with usability | Accept cloud collaboration tools with CASB |
Development Environment | High | Innovation requires flexibility | Accept less restrictive controls with isolation |
Governance: Policies That People Actually Follow
I have a confession: I hate security policies.
Not because they're not important. But because 99% of them are useless documents that sit on a SharePoint site that nobody reads.
I once reviewed a security policy that was 247 pages long. I asked the security team if anyone had read it. Blank stares. I asked users if they knew it existed. More blank stares.
Then I asked: "What happens if someone violates this policy?" Nobody knew.
That's not governance. That's waste.
The Governance Framework That Actually Changes Behavior
After years of trial and error, here's what works:
1. Policies That Fit on One Page
Your acceptable use policy should be readable in 3 minutes. If it's longer, nobody will read it.
2. Governance Metrics That Matter
Don't measure policy acknowledgments. Measure behavior change.
Metric | What It Measures | Target | Why It Matters |
|---|---|---|---|
Phishing Click Rate | User security awareness | < 3% | Actual security behavior |
Time to Patch Critical Vulns | Process effectiveness | < 48 hours | Operational security |
Access Review Completion | Governance compliance | 100% quarterly | Control effectiveness |
Policy Exception Requests | Policy reasonableness | Decreasing trend | Policy practicality |
Security Training Completion | Program engagement | 95% annually | Cultural adoption |
Incident Response Time | Preparedness | Decreasing trend | Capability maturity |
3. Enforcement That's Consistent
I worked with a company where executives routinely violated security policies with zero consequences. Six months later, they had a breach caused by an executive clicking a phishing link.
Governance without accountability is just suggestion.
"Policies don't create security. Behavior creates security. Policies only work if they change behavior."
Supply Chain Risk Management: Your Vendors Will Hurt You
Let me share the scariest statistic I know: 62% of data breaches involve third parties.
I learned this lesson the hard way in 2016. I was working with a healthcare provider that had excellent security. Then their HVAC vendor—who needed network access to monitor building systems—got compromised. Attackers used that access to pivot into the healthcare network.
The HVAC vendor had zero security controls. They didn't even know they'd been breached.
The Vendor Risk Assessment Framework That Works
Here's how I assess vendor risk now:
Vendor Risk Tiers
Tier | Description | Access Level | Assessment Depth | Example Vendors |
|---|---|---|---|---|
Critical | Access to sensitive data or critical systems | High | Comprehensive annual assessment | Cloud providers, Payment processors, Core application vendors |
High | Access to internal systems or confidential data | Medium | Annual questionnaire + verification | SaaS applications with data, IT service providers |
Medium | Limited access or non-sensitive data | Low | Standard questionnaire | Marketing tools, General business services |
Low | No data access or system connectivity | Minimal | Basic validation | Office supplies, Building maintenance |
The Vendor Assessment Questions That Reveal Truth
Forget generic security questionnaires. Here are the questions that actually matter:
For Critical Vendors:
"Show me your most recent SOC 2 Type II report" (Not "Do you have one?"—show me)
"What was your last security incident, and how did you handle it?" (If they say "never," they're lying)
"What's your cyber insurance coverage?" (Reveals how insurers assess their risk)
"Can you provide references from similar customers?" (Talk to them about actual security practices)
"What's your employee security training program?" (Humans are the weakest link)
Real-World Vendor Risk Example
Let me show you what comprehensive vendor risk management looks like:
Vendor | Service | Risk Tier | Data Access | Key Risks | Required Controls | Assessment Status |
|---|---|---|---|---|---|---|
AWS | Cloud Infrastructure | Critical | All production data | Service outage, Data breach, Compliance | SOC 2 Type II, ISO 27001, BAA | Approved - Annual review |
Salesforce | CRM | Critical | Customer data | Unauthorized access, Data exposure | SOC 2 Type II, Data encryption, MFA required | Approved - Quarterly review |
Slack | Communication | High | Internal communications | Data leakage, Unauthorized access | Enterprise plan, DLP enabled, SSO required | Approved - Annual review |
Zoom | Video Conferencing | Medium | Meeting recordings | Recording exposure | Enterprise plan, Meeting passwords, Waiting rooms | Approved - Annual review |
Office Supplies Inc | Supplies | Low | None | Physical security (delivery access) | Standard contract | Approved - No technical review |
Putting It All Together: The Identify Function in Action
Let me show you how all this comes together with a real success story.
In 2022, I worked with a fintech startup preparing for their Series B funding. Investors wanted evidence of mature security practices. They had six weeks.
Week 1-2: Asset Discovery
Deployed automated discovery tools
Interviewed team leads about shadow IT
Documented cloud infrastructure
Result: Discovered 847 assets (they thought they had about 200)
Week 3: Business Environment Mapping
Interviewed executive team about critical functions
Mapped assets to business processes
Identified dependencies
Result: Realized 73% of security budget was protecting non-critical systems
Week 4: Risk Assessment
Analyzed industry threat intelligence
Conducted threat modeling for critical assets
Quantified potential business impact
Result: Identified 23 risks requiring immediate attention (down from 200+ theoretical risks)
Week 5: Governance Implementation
Streamlined policies to essential rules
Created clear accountability structure
Established metrics and reporting
Result: 94% policy acknowledgment in first week (vs. 23% for old policies)
Week 6: Vendor Risk Management
Tiered 47 vendors by risk level
Conducted rapid assessments of critical vendors
Remediated two high-risk vendor relationships
Result: Reduced third-party risk by 67% based on vendor security scores
The Outcome:
They closed their Series B at a $340 million valuation. Lead investor specifically cited their "mature security posture" as a factor in the valuation.
Six months later, a competitor in the same space (without strong Identify function) suffered a breach that cost them $2.3 million and delayed their funding by eight months.
Common Mistakes That Kill Identify Function Implementation
After watching dozens of implementations, here are the failure patterns I see repeatedly:
Mistake #1: Treating It as a One-Time Project
The Problem: Team does a massive inventory push, creates documentation, then never updates it.
The Reality: Your asset inventory is outdated within 30 days if you're not continuously updating it.
The Solution:
Automated discovery running weekly
Quarterly manual validation
Change management integration (new systems trigger inventory updates)
Asset owner accountability (managers must review their assets quarterly)
Mistake #2: Over-Engineering the Solution
The Problem: Implementing complex CMDB systems with 50+ data fields that nobody maintains.
The Reality: Simple systems that people actually use beat perfect systems that people ignore.
The Solution: Start with the minimum viable information. You can always add more later.
Mistake #3: Ignoring the Human Element
The Problem: Technical inventory without understanding who owns what or why it matters.
The Reality: Assets without owners don't get protected properly.
The Solution: Every asset needs an owner who's accountable for its security. No exceptions.
Mistake #4: Disconnecting Risk Assessment from Reality
The Problem: Generic risk assessments copied from templates that don't reflect actual threats.
The Reality: If your risk assessment could apply to any company in any industry, it's useless.
The Solution: Ground every risk in specific threats to your organization, your industry, and your geography.
Tools That Make the Identify Function Manageable
Let me be transparent: you cannot do this manually at scale. Here are the tools I actually use and recommend:
Asset Discovery and Management Tools
Tool Type | Purpose | Best For | Price Range | Examples |
|---|---|---|---|---|
Network Discovery | Find devices on network | On-premises environments | Free - $10K/year | Nmap, Lansweeper, ManageEngine |
Cloud Asset Management | Inventory cloud resources | Cloud-first organizations | $5K - $50K/year | AWS Config, Azure Resource Graph, CloudHealth |
CMDB/Asset Management | Central inventory system | Enterprises | $15K - $100K/year | ServiceNow, Jira Assets, Device42 |
Endpoint Management | Manage workstations/laptops | All organizations | $3 - $10 per device/month | Jamf, Intune, Kandji |
SaaS Management | Discover shadow IT | Companies using many SaaS apps | $10K - $100K/year | Torii, Zylo, Productiv |
Risk Assessment and GRC Tools
Tool Type | Purpose | Best For | Price Range | Examples |
|---|---|---|---|---|
GRC Platforms | Comprehensive risk management | Mature security programs | $25K - $200K/year | ServiceNow GRC, MetricStream, LogicGate |
Vendor Risk Management | Third-party assessments | Organizations with many vendors | $15K - $100K/year | SecurityScorecard, BitSight, UpGuard |
Vulnerability Management | Technical risk assessment | All organizations | $5K - $50K/year | Tenable, Qualys, Rapid7 |
Threat Intelligence | Industry-specific threats | Targeted/high-risk organizations | $10K - $100K/year | Recorded Future, ThreatConnect, Anomali |
My Honest Tool Recommendation: Start simple. A well-maintained spreadsheet beats an expensive tool that nobody uses. I've seen organizations succeed with Google Sheets and fail with six-figure GRC platforms.
Measuring Success: KPIs for the Identify Function
How do you know if your Identify function is working? Here are the metrics I track:
Asset Management Maturity Metrics
Metric | Target | Why It Matters | How to Measure |
|---|---|---|---|
Asset Inventory Accuracy | > 95% | Can't protect unknown assets | Quarterly spot checks vs. automated discovery |
Time to Asset Discovery | < 24 hours | New assets need immediate protection | Time from asset creation to inventory addition |
Asset Owner Assignment | 100% | Accountability requires ownership | % of assets with designated owner |
Inventory Update Frequency | Monthly minimum | Stale data is useless data | Last update timestamp analysis |
Unmanaged Asset Detection Rate | Trend down | Shadow IT indicates process gaps | New assets found outside normal processes |
Risk Assessment Maturity Metrics
Metric | Target | Why It Matters | How to Measure |
|---|---|---|---|
Risk Assessment Currency | < 6 months old | Threat landscape changes rapidly | Age of current risk assessment |
Risk Treatment Plan Completion | > 80% | Identified risks must be addressed | % of planned treatments completed |
Residual Risk Acceptance | Documented for all high risks | Leadership must consciously accept risks | % of high risks with formal acceptance |
Risk Assessment Accuracy | Actual incidents match predicted risks | Assessment must reflect reality | Post-incident validation |
Risk-Based Resource Allocation | > 70% to critical/high risks | Resources should match risk | Budget analysis by risk level |
"What gets measured gets managed. What gets managed gets improved. But measure the right things, or you'll just get really good at stuff that doesn't matter."
Your Action Plan: Getting Started This Week
Enough theory. Here's what you should do in the next seven days:
Day 1: Asset Discovery Kickoff
Deploy free network scanner (Nmap, Angry IP Scanner)
Export list of devices from DHCP server
List all SaaS applications with admin access
Document all cloud resources (AWS/Azure/GCP consoles)
Day 2: Business Context
Interview three business leaders: "What would hurt the business most if it stopped working?"
Map their answers to IT assets
Identify your top 10 critical assets
Day 3: Quick Risk Assessment
Research: "What attacks have hit companies like us in the past year?"
List top 5 most likely threats
Estimate impact in dollars and downtime
Day 4: Asset Ownership
Assign owners to your top 50 assets
Document owner contact information
Send each owner a list of their assets for validation
Day 5: Vendor Inventory
List all vendors with system access or data access
Categorize by risk tier (Critical/High/Medium/Low)
Identify vendors missing security documentation
Day 6: Quick Wins
Disable accounts for termed employees
Remove unnecessary admin privileges
Delete or decommission unused assets
Update at least one outdated system
Day 7: Documentation and Planning
Document everything you've learned
Create 30-60-90 day plan for deeper implementation
Schedule monthly asset review meeting
Set up basic asset tracking (even if just a spreadsheet)
The Long Game: Building a Culture of Asset Awareness
Here's what I've learned after fifteen years: the Identify function isn't a security program—it's a business discipline.
The organizations that excel treat asset management like they treat financial management. They know what they have, where it is, what it costs, and what it's worth. They review it regularly. They hold people accountable for it.
And they reap the rewards:
40-60% faster incident response
30-50% reduction in security tool costs (from consolidation and rationalization)
70-80% improvement in audit performance
Immeasurable improvement in risk-based decision making
I started this article in a conference room where nobody could answer "What are we protecting?" Six months later, that same company could produce a complete asset inventory in under 30 seconds, prioritized by business criticality, with clear ownership and documented risks.
They didn't just implement the Identify function. They transformed how they thought about their business.
Final Thoughts: The Identify Function Is Your Competitive Advantage
Most organizations think the Identify function is boring compliance work. They're wrong.
In an age where attacks are inevitable, the organizations that survive are the ones that know what they have, understand what matters, and can make fast decisions based on accurate information.
That's not compliance. That's competitive advantage.
When that CFO asked me "What exactly are we protecting?" I didn't know the Identify function would become the foundation for everything else. I didn't know it would save them from a ransomware attack two years later. I didn't know it would help them land their biggest client because they could demonstrate mature security practices.
But now I know. And now you know too.
The Identify function isn't where security gets exciting. It's where security gets real.
Start today. Your future self—the one who survives the attack, wins the contract, or sleeps soundly at night—will thank you.