How Juventus protects fans, revenue, and reputation during matchdays

In this Help Net Security interview, Mirko Rinaldini, Head of ICT at Juventus Football Club, discusses the club’s approach to cyber risk strategy. Juventus has developed a threat-led, outcomes-driven program that balances innovation with protections across matchdays, e-commerce, and digital platforms.

Rinaldini shares lessons in governance, workforce awareness, and AI-enabled risk management that other high-stakes organizations can apply.

Juventus cyber risk strategy

Juventus is one of the world’s most high‑profile football clubs, which naturally makes it a target. How does the club’s global visibility shape your cyber risk strategy compared to a more conventional enterprise?

High visibility impacts priority and time. We run a threat‑led, outcomes‑driven program based on the NIST Framework and tuned to the Juventus reality: matchdays, transfer market windows, global fan engagement, and 24/7 media operations where minutes of disruption become headlines.

We have designated certain platforms as business‑critical, such as ticketing and sports management systems, and therefore subject them to heightened security controls and enhanced resilience, particularly during peak, revenue‑sensitive periods (e.g., match ticket sales). Likewise, our data classification framework enables tiered protection and recovery measures, aligning safeguards and restoration objectives to the sensitivity and business criticality of each data category.

For matchdays and sensitive windows we shift to a heightened posture with pre‑approved playbooks to make decisions fast, auditable, and consistent.

We engineer for resilience to preserve essential fan services under stress and we measure continuity and containment (detection/response windows and customer‑visible impact).

Employees and suppliers are consistently made aware that any action undertaken within Juventus carries significant media impact, requiring an even higher level of caution and prudence than would typically be expected in a standard work environment.

Sports organizations often operate under intense public scrutiny. What lessons learned from Juventus’ cyber risk management do you think apply to other high‑stakes environments like finance, healthcare, or government?

Sports organizations are multi-business entities that encompass not only the complexities of a traditional corporate enterprise but also the challenges associated with venue management (for matchdays and events) and the ones related to performance and sports operations. Nevertheless, many of the lessons learned in this context are broadly applicable across a wide range of industries. If I must highlight a few, I would certainly include the following:

1. Governance that moves at business speed. Decide risk ownership, escalation paths, and external‑comms rules before incidents, and rehearse them. That preserves credibility when pressure spikes.

2. Third‑party = first‑order risk. Treat suppliers and platforms as part of your attack surface. Encode security‑by‑contract (notification windows, patch timelines, log handling, continuity, incident playbooks) and test those obligations, not just tools.

3. Continuous awareness and workforce sensitization. Make security a year‑round habit, not an annual course. Combine mandatory onboarding, role‑tailored micro‑learning, phishing simulations, and just‑in‑time prompts; measure behavioral outcomes (e.g., reporting latency, reduction in risky actions) rather than quiz completions. This sustained cadence is what improves real‑world decisions on the busiest days.

Juventus is also a business with digital products, streaming, and e‑commerce. How do you ensure innovation in these areas doesn’t outpace security considerations?

With the lead of the ICT Security team, we operate security‑by‑design with go/no‑go gates in our entire delivery roadmap.

Security is captured as non‑functional requirements at intake; releases must meet baselines for identity, data handling, and observability. Teams maintain threat models and abuse‑case catalogs; pipelines enforce secure defaults and time‑bound remediation SLOs.

We validate the software we develop and the externally exposed APIs with adversary emulation and code review, and we keep feature flags/kill‑switches to decouple rollback from business pressure.

In the end, as we often leverage third parties, we flow down our internal security policies across the supply chain and enforce compliance.

Your workforce is diverse, including both technical staff and non‑technical roles like coaches, players, and front‑office employees. How do you build a unified, security‑first culture across such different groups?

Building a strong cybersecurity culture is challenging when operating across diverse environments and engaging individuals who work primarily “on the field” rather than in an office setting.

To be effective, communication must be tailored, both in language and delivery, while also creating awareness and relevance around a topic that often falls outside their established mindset.

In 2025 we rolled out a 12‑month awareness program with onboarding, micro‑learning, and periodic phishing checks; the cadence emphasizes behavioral outcomes (fewer risky actions, faster reporting) over quiz scores. Compliance training supports a shared baseline of responsibilities across sport and corporate functions.

We also use just‑in‑time nudges and a champions network in each function to keep good behaviors sticky during peak periods (fixtures, transfer windows, major campaigns).

What skills or mindsets do you believe ICT and security teams in sports organizations will need most to address the next decade of threats?

Defining a ten-year strategic horizon is highly complex. Nevertheless, in the medium term, the critical competencies required for ICT and Security teams will concentrate in the following domains:

  • Outcome‑centric governance and metrics. Turn posture into board‑literate resilience indicators; make “govern” actionable, not rhetorical.
  • Identity‑first, data‑centric security. Deep competence in access discipline and data classification/handling across SaaS, cloud, and edge.
  • Detection engineering & threat‑led defense. Treat telemetry and detections as products; continuously test hypotheses against realistic attacker behaviors, embedded in our SOC monthly rhythms.
  • Product & API security at developer velocity. Patterns that survive real CI/CD and release pressure, enforced by go/no‑go gates.
  • AI‑literate risk management. Safely leverage AI in the data platform while defending against AI‑accelerated threats, explicit in our current season goals.
  • Regulatory readiness & supplier discipline. Build NIS2‑aware policies and encode controls in contracts to reduce supply‑chain exposure.