Dr. Doug Jacobson, is a professor at Iowa State University College of Engineering and the director of the ISU Center for Cybersecurity Innovation and Outreach.
He received his PhD in computer engineering, an MS in electrical engineering, and a BS in computer engineering, all from Iowa State University. Faculty profile.
Listen to the episode
Summary of the episode
- Research in cybersecurity: He has worked on designing scalable cybersecurity testbeds, including a project called ISEAGE. This testbed is used in various courses, competitions, and research projects at Iowa State.
- Focus on cyber education: Jacobson is involved in developing materials to promote cybersecurity awareness among the general population, including a project on cybersecurity for agriculture. He also wrote a textbook on cybersecurity literacy aimed at a general audience.
- Cybersecurity educational opportunities at Iowa State University (ISU):
- Undergraduate: Bachelor’s degree in Cybersecurity Engineering, minor in Cybersecurity for computing disciplines.
- Graduate: Master’s degree and graduate certificate in Cybersecurity, available both in-residence and online.
- PhD: Offered in Computer Engineering or Computer Science with a focus on Cybersecurity.
- Student involvement and activities: Students at ISU have opportunities to engage in various cybersecurity-related activities, including cyber defense competitions, research projects, and interaction with industry professionals.
- Industry advisory board’s role: The board influenced the creation of the cybersecurity major at ISU, emphasizing the need for graduates with in-depth cybersecurity skills.
- Future of cybersecurity education: Jacobson emphasizes the expanding need for cybersecurity professionals with diverse skill sets. He encourages students to stay curious and be willing to continuously learn in this rapidly evolving field.
The following is a full transcript of the interview:
Steve Bowcut:
Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut and I’m a writer and an editor for Cybersecurity Guide and I’m the podcast’s host. Thank you for joining us today, we appreciate your listening. On today’s show, our guest is Dr. Doug Jacobson. Professor Jacobson is a professor at the Iowa State University College of Engineering.
We’re going to be talking about cybersecurity educational opportunities at ISU. Let me tell you a little bit about Dr. Jacobson. He’s the director of the ISU Center for Cybersecurity Innovation and Outreach. He received his PhD in computer engineering at MS in Electrical Engineering and at BS in Computer Engineering, all from Iowa State University. With that, welcome, Doug. Thank you for joining me today.
Doug Jacobson:
Thank you, Steve. Glad to be on.
Well, I’m happy to have you on today. This is going to be an interesting conversation, particularly for students who have the option of going to Iowa State and are considering possibly pursuing cybersecurity in their education. So, those are the things that we’ll talk about. But, before we get to that, I would like our audience to get to know you a little bit better. Tell us, how did you first become interested in cybersecurity?
Doug Jacobson:
First of all, it was a long time ago.
Steve Bowcut:
Was it? Okay.
Doug Jacobson:
Yeah, Ali and I, I was in networking and he was in operating systems. We kind of thought, “Well, what’s some cool ways we could work together?” We thought, “Well, security sounds like a fun thing.” This was back in ’90, ’91 timeframe. We ended up being fortunate enough to get some funding from NSA to do a couple projects early on. Together, that just kind of snowballed, led to our first degree in 2000, our center being formed in 2000. We’ve just been rolling ever since.
Interesting. Was that primarily focused on network security, protecting networks or?
Doug Jacobson:
At the very beginning, yeah, our focus was [inaudible 00:02:14] network operating systems we get coming at the two sides that we both brought to the table. Our first research projects were network security.
Okay, excellent. Bring us, now, forward. Is there anything that you’re currently researching that’s relevant to cybersecurity that you could share with us?
Doug Jacobson:
Yeah, I actually have several research threads. A good part of my career, I’ve been working in testbed design. How to build cybersecurity testbeds that are scalable and can be used. Actually, I created a testbed called ISEAGE.
Okay. When you’re saying testbed, in the common language today, people talk about honey pots. Is that the same thing or is there a difference between the two?
Doug Jacobson:
More people talk about cyber ranges, so that’s the new [inaudible 00:03:12]
Steve Bowcut:
Okay, okay. Type of cyber range, yes. Very good, okay.
Doug Jacobson:
Basically a place you can play and do all sorts of naughty things without hurting the real internet.
Steve Bowcut:
You’re not inviting in the adversaries to track them, but you can go in and play in a realistic environment?
Doug Jacobson:
Yeah, yeah. Yes, so we’re playing in a realistic internet-style environment. That project, actually, we now use the results in that project in, oh, a dozen of our courses. That cyber range, we use it for all our competition space, we use it for training. It’s used in research projects.
That foundational testbed has actually become kind of an integral part of a lot of work that goes on here at Iowa State. In using the test bed, I do some work now in critical infrastructure protection of a power grid. My other aspect of research is in cyber education.
Steve Bowcut:
Oh, very good. Okay.
Doug Jacobson:
We actually have a research team here called CyberEd. Its goal is to develop materials, all types of materials, to push cybersecurity out to the more general population. We have faculty to do a great job at developing courses that are taught for other cyber people, but this is really, one of our big projects is cybersecurity for agriculture.
How do we provide and build materials for farmers to make them safer? I have a team of about six students that are working on various aspects of that project, trying to bring forth that type of education. They’re from a diverse background, people from College of Ed who are part of our team. People who do game development.
Steve Bowcut:
That’s awesome. I’ve long maintained that the biggest strides that we can make in cybersecurity is on the educational front. Teaching people what they can and should do, what to watch for. I think all of the statistics that I’ve seen bear that out, that that’s how you can best protect your organization as well as your personal computers and systems, is through education. Very cool.
Doug Jacobson:
Yeah, I actually wrote a textbook on cybersecurity literacy. It’s actually written for grandma and grandpa.
Steve Bowcut:
Very good.
Doug Jacobson:
Yeah, that’s something that I’ve working on. Been a passion of mine for 15-plus years, is how to-
Okay. Would it be fair to say that that has been a through line? I always like to look for what has been a through line through your academic career. Is it cybersecurity education? Would you say that’s maybe the major one, or one of them?
Doug Jacobson:
Yeah, I think that is probably the biggest through line. Everything that has involved students, even our research projects heavily involved students. Our educational focus on delivering courses has always been on very hands-on opportunities. A lot of our courses are very hands-on and how do we use that as a way to better teach students?
Okay. We’ll try and explore that a little bit more as well, but first, talk to us about what educational opportunities a student would find at Iowa State University. What degree programs or certificates? What do you have to offer somebody looking to be educated in cybersecurity?
Doug Jacobson:
Yeah, we starting at the undergrad level, we have a bachelor’s degree in Cybersecurity and Engineering, which is ABET accredited. That program was set up in 2019, it was when we actually graduated our first student in that program.
We have a minor in Cybersecurity that’s taken by a lot of our computing disciplines. Software Engineering, Computer Engineering, Computer Science. Those are students that want to add some cyber to their degree program, but not necessarily going out and having cyber as their primary work focus.
Then at the graduate level, we have a master’s degree in Cybersecurity, we have a graduate certificate in Cybersecurity. All of those are offered both for in-residence students or they can be taken a hundred percent online. We have a pretty good clientele across the country, taking those degree programs. Then the PhD, we offer a PhD in Computer Engineering or Computer Science, but the research focus could be in Cybersecurity.
Exactly. Okay. I think I’ve identified this trend that we’re seeing. Well, I think it’s fairly obvious. We’re seeing more and more of that through academia, that the institutions are offering degrees specifically in Cybersecurity. As opposed to, if you go back 10 years, maybe even five years, what you saw was you could have an emphasis in, so it was a Computer Science degree or a Computer Engineering degree with an emphasis in cybersecurity. But, more and more, we’re seeing Cybersecurity degrees, which, it looks like something you’re doing as well.
Doug Jacobson:
Yes. Actually, the minor did come first. We actually built the minor-
Steve Bowcut:
Did you? Okay.
Doug Jacobson:
Then our Industrial Advisory Board came in and said, “That’s not sufficient. We need a major.”
Okay. Excellent. The advice of the Industrial Advisory Board is something we’ll talk about here in just minute as well. But, I would like to paint a picture for a student considering Cybersecurity and Iowa State. What kinds of research projects could they be involved in? Or, you talked about using your test lab and your testbed, is that something that they would be involved in an undergraduate degree or competitions that you do? What kinds of things would they experience?
Doug Jacobson:
Yeah, well, lots of things. We have a very active student group, student club. That’s where we tend to funnel all of the external speakers through that. That’s a way that the students can interact with industry. Competitions, we run our own cyber defense competitions, modeled slightly after the national competitions.
Ours are a little unique in ours is a model of students designing, building, defending. They’re given, basically, a open-ended scenario with some amount of legacy, a lot of free will to build whatever they want to build. Then they obviously have to build it and then they come in and defend it for a day against some very, very good adversaries. Highly-talented adversaries. We’ve been doing those since 2005.
Steve Bowcut:
Okay, wow.
Doug Jacobson:
We currently run six of those a year. Two for Iowa State, we do one for community colleges. We do one where we invite other schools to come and play. We do one for high schools and we’re now doing international competitions with the country of Kosovo.
Steve Bowcut:
Oh, wow.
Doug Jacobson:
Our students compete against the students in Kosovo. There’s lots of opportunities. Those competitions are all built by the students, so I hire a cadre of students to run those competitions. We hire students to be involved in pretty much every research project that we have, that faculty have, have some number of undergrads involved with it. There’s ample opportunities for students to get involved in all sorts of cool and fun activities.
Steve Bowcut:
Wow, it sounds like it. They’ll get their hands dirty, not that we get our hands dirty in cybersecurity, but it’ll be hands-on.
Doug Jacobson:
Yes. Very hands-on.
Excellent. Let’s pivot back a little bit. You mentioned the Industry Advisory Board. I wanted to ask you about how Iowa State is responding to Industry’s claim that they need more and more trained cybersecurity people. There’s a skills gap out there that has been written about widely and people talk about. It’s always interesting to me to see how academia is responding to that need.
Doug Jacobson:
Yeah. So yeah, as I mentioned, our advisory board, which has been in place for 10-plus years, they were happy with the minor, they liked what they got. But, they came back to us and said, “We need more depth. We need an undergrad pool and we need you to create this undergraduate degree.” The question back to them was, “You hire?” They said, “We would hire everybody you produce, plus.” So far, they have. They helped shape the degree.
Given that we were in computer engineering, they’re very interested in a degree that was focused a lot on this embedded and IoT and that type. More so than going out and protecting the bank. They’re very interested in our students, given that our undergrad students actually take the same required computer-y courses as our computer-y students.
Then they have eight or more cyber courses that lay on top of it. They really helped shape what they want. That has helped a little bit, that input to it. They provide input to our high school outreach program to try to build a pipeline.
Steve Bowcut:
Oh, good.
Doug Jacobson:
Then the next level of discussions have been at a more broader, statewide level. We’ve been involved with trying to get our community colleges across the state to all be able to offer two-year degrees.
Then, we’re also working with our employers and the community colleges for an undergraduate certificate to upskill students who have a terminal two-year degree in the workforce. What can we provide them to upskill the current workforce? Companies who are like, “There’s not enough people out there to hire. How do I make my current workforce move from help desk, SOC, on up the ladder?”
A more advanced position. Through all of that, have you gained any sense of where the shortfalls in trained skilled workers falls? Is it the more advanced threat intelligence for nation states guys? Or is it the “We don’t have enough people to staff our SOC”? Or is it across the board?
Doug Jacobson:
It really is across the board. It depends, so that’s the interesting dynamic of the advisory board, because we have some very big players. Large multinational-type companies who have one view of what they’re looking at. Then we have people that represent smaller manufacturers and they have a totally different view of what they want. The board agrees that they are going to disagree, in essence.
They don’t disagree, but they really are looking across this gamut. Because some of them, I have a couple on the board that, they’re only looking to hire my students with advanced degrees. Due to these are the national labs, due to the nature of the work they do. But, they see the undergrad degree as a pipeline to the grad degree to them.
Steve Bowcut:
Right, exactly.
Doug Jacobson:
They all take a bigger picture to this.
Right, okay. Excellent. We like this show to be a resource, a real, tangible resource for students. Let’s talk about if you were to put together a reading list or your top picks for a reading list. We don’t want to limit it just to books, but it could include books or papers or lectures or websites or YouTube videos or conferences. If you put yourself in the place of someone who’s still considering starting their undergrad work in cybersecurity, where could they go and get a good feel for what would be expected of them, what the work would be like, that kind of thing?
Doug Jacobson:
Boy. Yeah. I draw on where I get my information and where I get the feed. I tend to like things that are pushed to me, versus me going out and finding things. I get busy and so, I subscribe to a large number of various feeds.
When I talk to students who start to get into this field, that’s what I encourage them to start to do. Not they need to look in depth, but if you get a fair number of feeds, your Recorded Future and TechTarget and SandS and so on, you start to see the breadth of the landscape.
You start to see aspects of cybersecurity that maybe really trigger an interest, as opposed to, you pull up a book on cybersecurity. Yeah, you get a view that way, but if I’m seeing, “Oh, there’s these really cool threat vectors against this sector or this sector or does this type of thing. Oh, I have an interest in electronics and power and maybe that’s an area that I’m going to.” It helps them kind of make that transition.
The other thing I think it helps them do is get to the point where they can be better at triaging information. Because that’s one of the core, fundamental aspects of cybersecurity. When I talk to kids or potential students about wanting to be in cybersecurity, it’s something that, man, it changes during the day.
Steve Bowcut:
Yeah, that’s true. It does.
Doug Jacobson:
If you want a career where you wake up the next morning, you got to learn something new, you’ve found the career.
Steve Bowcut:
There you go.
Doug Jacobson:
That’s the kind of things that I-
Okay, excellent. Perfect. No, that’s great. We’re about out of time, but I like to end with this question. A lot of students have an experience when they’re trying to decide what they want to major in, what they want to do as work, as a career. They’re quite concerned, sometimes even anxious about making all those decisions correct.
I think those of us who have been through that experience, first of all, we would probably say, “Don’t worry so much about it. Figure out what you really are passionate about and take a couple of years to do that if you need to.” But, I think it’s helpful for students, if you could look into the future and tell students what they need to be prepared to do five years or 10 years down the road, is it AI, or where does the future for cybersecurity lay?
Doug Jacobson:
Well, first of all, yeah, cybersecurity’s going to do nothing but expand as far as the need for cybersecurity. I think what we’re seeing and we’ll continue to see, however, is the breadth of skillsets required.
Students and organizations really are looking to hire across the breadth of skillsets. We as institutions are trying to train across that. What I want students to think about is that you may look at cybersecurity and you think about, “I’m going to be in a basement in a SOC, in a dark room with [inaudible 00:20:04]” No. Yes, you can.
Steve Bowcut:
You could, yeah.
Doug Jacobson:
Yeah, but so really trying to open in their eyes to the fact that a cybersecurity team is an extremely diverse group of people. The biggest thing I tell kids to bring to the table is that willingness to learn and the willingness to embrace and find out new things. That curiosity too. It’s a fun area to be in, because your adversary is another person.
Steve Bowcut:
Right. Yeah, exactly.
Doug Jacobson:
I can’t think of another, very few other disciplines where your adversary is probably more talented than you. They’re playing by a set of rules you don’t even know, a game that hasn’t even been defined and you’ve got to try to play to break even [inaudible 00:20:59]
Steve Bowcut:
Yeah. Understand their motivations, understand their skillset and all of those things, yeah.
Doug Jacobson:
How much more fun can that be?
Right. Very good. Anything else that you could think of, advice that you would give to students?
Doug Jacobson:
Like I said, if you’re thinking about this as a potential career, there are lots of opportunities in high schools and so on to start to trying to get a taste of this. Lot of capture the flags, high school programs, et cetera. Explore and play and see if it’s-
Steve Bowcut:
Yeah, try it. See if you like it, right?
Doug Jacobson:
Yeah, try to see if you like it, because this is a very rewarding field if it’s something you’re interested in.
Steve Bowcut:
Excellent. All right. Well, we’ve used our time, but thank you so much, I really appreciate it. This has been a fun and interesting, and I’m sure it’ll be informative for our audience. Thank you for your time today, I appreciate that. A big thanks to our listeners for being with us and please remember to subscribe and review if you find this podcast interesting. Join us next time for another episode of the Cybersecurity Guide Podcast.