Do you “know” yourself? Do you “know” your people and organization? Do you “know” what risk is? Do you “know” what your risk tolerance is? Do you “know” what threats exist to you? These questions lead to the Identify function within the NIST Cybersecurity Framework. You know, the maxim, “Know thyself.”
An organization is an entity and, as an entity, reflects the people who make it up. Under the NIST Cybersecurity Framework, to know the organization, its risk profile, threats, vulnerabilities, priorities, requirements, and capabilities, we use the function Identify.
Activities in the Identify function include establishing a proper inventory of assets, including the people, data, systems, technologies, skills, vulnerabilities, applicable laws and regulations, and the tolerable threshold for risk. As unique as any individual, no two entities (organizations) are the same. Even within the same industry, say banking, organizations define risk differently. Though two organizations may use the same technology, their inventories, and the vulnerabilities they are willing to accept, may vary significantly based on their tolerance for risk. When performing the activities to identify the traits of an organization, the results may be surprising, showing that more risk exists within the organization than was known or desired.
Cybersecurity requires understanding an organization’s mission, vision, and strategy and applying this understanding to create a secure environment to succeed.
In the function Identify, we take a holistic look at the organization, its people, processes, technology, risk, risk tolerance, applicable laws, regulations, and policies, and use this information to inform other functions within cybersecurity. From this function, we know what to govern and can begin shaping how governance builds out the other functions.
When learning about technology, specifically switches, routers, and firewalls, the first three steps are to power it on, log in, and issue a deny-all command. When learning about technology, specifically collaboration or business tools, the first three steps are to power it on, log in, and enable everything.
Both are right.
However, when learning about cybersecurity, you must understand the business you support and the unique personality of that business. Cybersecurity is more holistic than a set of black-and-white rules or issuing a deny-all command. When performing the function of Identify, cybersecurity requires understanding an organization’s mission, vision, and strategy and applying this understanding to create a secure environment in which the business can succeed.
What cybersecurity must bring to this is the wisdom to find the delicate balance: mitigate the apparent threats, expect and look for the not-so-obvious ones, and do it in a way that lets the business be a business. It doesn’t matter whether you are for-profit or not-for-profit; you must be able to provide a meaningful and timely service, or you won’t have the revenue to remain a business.
Identify covers the tangible and intangible aspects of the organization and the technology the organization relies on. To assist with this function, NIST provides additional guidance and standards. A helpful resource describing a risk management process for identifying risk holistically is NIST Special Publication 800-39, Managing Information Security Risk.
Again, understanding the organization’s mission, values, and tolerable risk is crucial. Without this understanding, security cannot correctly identify the organization’s threats and will be ill-equipped to apply the proper tooling and process to support the business effectively. This is the old analogy that when all you have is a hammer, everything looks like a nail. Understanding the objectives of the business, by contrast, allows policy, process, and tools to be tailored to enable the business in a secure environment.
Considering the industry’s adoption of zero trust, we see the Identify function employed in securing data wherever it lives. To accomplish this, we must know the data, the systems it resides in or passes through, and the people or applications that access organizational data, and we must maintain the ability to authenticate and authorize access to that data. It is essential to understand that zero trust is not a deny-all framework. It is a methodology that removes implicit trust from the organization’s systems and applications. In a zero-trust architecture, we identify every aspect of the organization: its data, access to that data, its risk and risk tolerance, and the mitigating controls.
In closing, do not take shortcuts when performing this function. It is an ongoing activity that should be revisited frequently. Technology changes, business objectives shift, new goals are introduced, the market creates new demands, and the work of the Identify function, acknowledging the systems, processes, and risks, never ceases. The danger lies in treating this (or any of the functions) as a static procedure done once with a static output. Set regular intervals to revisit this function, and revisit it upon significant organizational changes as well, such as changes in senior leadership. In performing this function, though it may sound cheeky, “Know thyself.”