The Risk
Giving cybersecurity a sporting chance
Doug Goon is the Assistant Director of Information Technology (IT) for Intercollegiate Athletics at the University of Minnesota. He oversees the IT staff and service desk, who provide support for all Athletics students, staff and facilities, and acts as liaison for interdepartmental projects. Goon has over 20 years of IT experience at the University of Minnesota and has worked under three different IT directors. Prior to his role as director, Goon served as associate director, service desk manager and field technician. Goon draws upon his departmental experience, technical expertise and strong rapport with coaches and staff to lead an efficient, personable and engaged IT department.
What are some of the cyber-strategies for post-COVID-19 recovery that are mission critical for you at the University of Minnesota?
For Intercollegiate Athletics, COVID-19 resulted in staff turnover and the relocation of many of our technologies so that staff could continue performing job duties safely. I led my team through strategy sessions where we discussed moving away from a familiar and well-monitored environment of in-office devices, connected to our campus network, receiving daily security updates and how our IT work would change as a result.
One outcome of the shift to mobile workplaces was the need to develop a strategy to effectively communicate to our end users the importance of connecting their devices to VPN once a month so devices received security updates and other patches while operating in a new workplace setting.
The goal of this is to eliminate the scenario where a staff member returns to the office to connect an unpatched or compromised device to our campus network.
What were some of the best ways that you transitioned from responding to the crisis to preparing to thrive in a new landscape?
A critical first step was to evaluate how our IT service needs have changed. Like many others, our business IT service needs evolved with the pandemic to demand more digital and remote services. Our organization chose to transition toward a “flex work environment” for our staff (a hybrid of office and work from home).
This meant outfitting offices with IT solutions in an era where meeting in person was less common and digital conferencing has now become the default.
IT was charged by our administration with the task of preparing our conference meeting spaces for the post-COVID-19 work environment. To do this, we invested significant resources toward enhancing our conference meeting spaces with new technologies and readily accessible user training.
Can you share some insights for schools protecting themselves, their students and their faculty?
Identity management is a key area of focus for protecting our students and faculty. I’m very thankful our campus CIO Bernard Gulachek had the vision and foresight to designate two-factor authentication as a critical need that was rolled out campus-wide long before COVID. As a result of implementing two-factor for any campus service or web page, we’ve had very few (if any) instances of compromised accounts or identity theft.
While a pain point for users initially, having a 16-character password minimum, annual reset, and strong password complexity requirements is a key component needed to work in concert with two-factor authentication.
What are some of your critical data security priorities for the next 12 to 24 months?
Athletics IT will have a heavy focus on data security for business-critical and high-risk systems. In the business of sports, there is overlap into the field of medicine and this means HIPAA compliance for many devices and users. My team and I must prioritize answering the question, “How do we ensure the same level of HIPAA data protection and risk mitigation while accommodating a mobile office work environment?”
Ticket sales are also critical to our revenue stream in the business of Athletics. With sales come credit cards and with credit cards comes PCI DSS compliance. While PCI and HIPAA are different, much of the IT work surrounding risk mitigation will be the same and I anticipate similar obstacles with a shift to a mobile office work environment.
What is your advice for maintaining continuity, while anticipating future demands for cybersecurity?
For us in Athletics IT, security is very much a never-ending uphill battle. My team and I spent countless consulting hours with our central security group (UIS – University Information Security) where security officers advised us on this very topic of maintaining continuity. A standout topic was IT asset management with an emphasis on accuracy.
With new cybersecurity risks arriving at our doorstep each day, and the constant need to update, patch, and secure our systems, striving for zero vulnerabilities across our technologies became both unreachable and unrealistic.
It is key that we make certain device asset information is easily accessible so we know what technology is where, who is using it, and what purpose it serves. IT must have high confidence in asset data, especially at a large campus such as the University of Minnesota, which has locations spanning across the state.
With this achieved, our UIS group advised us that our energy would be best spent monitoring change in risk. Monitoring the change over a set duration positions IT to use time wisely by prioritizing risk remediation based on device purpose in addition to risk level.