Jay Soelberg, is a cybersecurity instructor at the College of Western Idaho (CWI) with over 26 years of real-world IT experience across industries like finance, retail, higher education, and legal services.
A summary of the episode
Solberg discusses CWI’s cybersecurity program, which provides hands-on learning and certification-ready training to prepare the next generation of cyber defenders.
He explains the program’s flexible in-person and online options, as well as the benefits of CWI’s designation as a CAE by the National Security Agency. He emphasizes the importance of professional certifications and hands-on learning to ensure students are prepared for the evolving field of cybersecurity.
Listen to the episode
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is Jay Solberg, a cybersecurity instructor at the College of Western Idaho. The topic for today’s show is Building Cyber Defenders Hands-on Learning at CWI. Let me tell you a little bit about Jay before we bring him on.
Jay Solberg brings over 26 years of real world IT experience across industries including finance, retail, higher education, and legal services. He holds an AAS in Electronics, a BS in IT security from Western Governor’s University and an MS in technology management from the University of Idaho.
Jay Soelberg:
Since joining CWI in 2022, Jay has focused on preparing the next generation of cyber defenders through hands-on learning and certification ready training. With that, welcome Jay. Thank you for joining me today.
Yes, thank you for having me. I appreciate It.
Steve Bowcut:
All right. This is going to be fun. Let’s get, as we want to do on this show, let’s get a little bit more background about you before we get into some of the questions that I want to ask.
So maybe you could tell our audience, so you’ve got a lot of experience in different fields. So what drew you to cybersecurity and then maybe a two part question. So what inspired you to transition to teaching cybersecurity?
Jay Soelberg:
I think what brought me into cybersecurity from the start was seeing the transition over that 26 plus years of people just having things open and everything’s flowing to people now having to take account for all of the little pieces of information and what might get out, and each of those fields that I’ve been in finance, higher education, legal, how they’re bent on security was different from previous, but we still had all of our generals, so that brought me into the security mindset and plus I was a US Navy veteran doing telecommunications, so of course security was top of mind there.
Then after all of these years of being out in the industry, I wanted to give back to the industry, as you said here, I started out with an AAS degree and I’ve taken each step in my education, I wanted to give back to those same folks.
I’ve been in their seat and I know how it feels to just be starting on this path. So I wanted to be that not sage on the stage, but somebody more intimate with them saying, I know that you can do this because I’ve been there and I’ve done it.
Steve Bowcut:
Excellent. Okay. I find that an interesting response. So I’m old enough that I remember the days, and you kind of alluded to this, when we really didn’t pay that much attention to data, the importance of data, the responsibility that we have to protect other people’s data once we have it that grew over time, that mindset, a paradigm if you will, grew over time.
And I find it interesting then that you took that, your recognition of that and then translated that into the field of cybersecurity working in the field of cybersecurity.
So maybe a little more pointed then would be, so the experiences that you have in these different sectors like finance and retail and higher education, how have they specifically shaped your perspective on cybersecurity threats? What kinds of threats that you’ve seen and therefore are interested in?
Jay Soelberg:
For one, you have regulatory things that you have to take care of in certain fields, especially finance. We had the FDIC and others that said, Hey, you have to follow these things and it gives you a regimented look at what you need to protect.
Coming into higher education, very early on in higher education they were, “Hey, we have to have everything open”. The professors from different places have to be able to share this information so we can’t lock things down.
And once we realized that intellectual property was being exfiltrated out of the schools. “Oh wait a minute, maybe we do need to protect this kind of stuff.” just those kind of shifts in perspective of each one that I’ve been in, the legal field you would think would have very tight security, but also early on it wasn’t that way.
Once that we’re not only dealing with individuals intellectual property and their personally identifiable information, we’re dealing with small businesses that are trying to get a foothold in market and we have to keep that secure because if somebody else gets it, they’re going to steal that piece of market share, that piece of intellectual property.
So bringing all of those different kind of views into my background shows me maybe somewhere that a certain entity might not see. It’s like, oh, there is this regulation that you do need to protect, but there’s also this piece that you may not be thinking about that I have to bring in.
Steve Bowcut:
Excellent. Right. So that paradigm shift that I was alluding to earlier or trying to describe earlier, it has grown on us culturally and it feels like maybe for the first, I don’t know, decade or two, we were a little bit behind the threat actors playing a little bit of catch up.
But my sense is that I think we’re doing much better now, and maybe it’s just I know more about the industry than I knew a decade ago or two decades ago. I don’t know. Or maybe I know less about the threat actors, I don’t know.
But it feels like we’re doing much better identifying those threats, the risks and the threats that create those risks and how to mitigate those as an industry. So thank you for that.
Alright, so let’s talk about CWI cybersecurity program specifically, and I’m going to pay particularly attention to this kind of an anecdotal thing here just well, what’s today, Thursday? So a few days, four days ago, on Sunday, two moms of young men at church came to me and said, I understand that you are into the cybersecurity industry and I’ve got a son and he’s a high school student and he’s really interested in cybersecurity.
What could you tell him about getting into that industry? And I think, whoa, you asked the right person. That’s what I do. So I’m going to point them to this podcast episode once we’re done with this. So for students that are kind of exploring their options, maybe you could give it a brief overview of CWI’s cybersecurity program.
Jay Soelberg:
We take people from any walk of life that has an interest in this area and some of those folks probably don’t have a technical background. So we start out with that knowledge of, okay, you’re not necessarily technically bent.
So we start out with hardware and those kind of pieces. We bring them into networking so that they understand how packets flow through a network and how the communication gets done through protocols and through ports and those kind of things.
We give all of that kind of background structure in that first year and even talk about the operating systems, whether that be Windows, Mac or especially Linux in our field. We bring them up to speed on those pieces.
And then when I get ’em, since I’m the second year instructor, that’s when we start getting into the things that they all get excited about because they saw ’em on TV and movies of ethical hacking and all the different tools that they’ll have to get into and play with.
And digital forensics is another big piece that we do. Incident response and how are you going to deal with a hack and investigate that hack, and then to finish it all off, we have them do a capstone project and I know one of my colleagues, she’ll have them get together in groups if they want and work on projects.
I encourage each individual student to use their creativity to come up with something that really fires them up, something that really gets ’em excited. I want them to get those creative juices going and then explore that capstone project on their own and build it out if they do need to get with another student.
Okay, that’s great. Maybe you two could combine. I’ve had students create malware and try to do a phishing campaign where they might be able to release that malware. One was good with the malware, the other one was good with this social manipulation that you need in phishing campaigns.
So they came together and worked together to build that. But I don’t discourage groups, but I also am not one that says, okay, let’s put these four people together and see what they can come up with.
I know in the IT world that we’re kind of known not to be very personable and very creative kind of people. So I try to encourage that in my students to get more personable, get out there and do some networking and get out there and let the creative juices flow, see what really fires your imagination and go for it. See what you can do.
Steve Bowcut:
Excellent. I love that. So as I understand it, and I could be wrong, so correct me if I am, the programs that you have at CWI, you offer both traditional and in-person tracks and an accelerated high flex option. So maybe you could talk about those and what type of student might benefit from each.
Jay Soelberg:
Okay. Yeah, I’m a traditional in-person instructor. I have done the high flex. But in-person of course is for those folks that have to have something a little more regimented. Someone there that says, you have to have this done by this time and this is what’s going to happen and have that regulated.
You have to be in this classroom from this time to this time. With our high flex, you don’t necessarily have to be in the classroom. It usually starts out maybe that first week or two weeks they’re in the classroom getting acclimated to the instructor and how their workflow is going to be.
And then they can come in on something like this, like a Zoom, or we also have instructors that use Discord and we’ll teach through Discord since so many students already have that in place. But when it comes to the high flex, there’s also a fully remote.
We have a fully remote instructor. And to be good in a high flex or a fully remote situation, you have to be the disciplined one because now you have to, once you get off that Zoom call that class, you’re the one that has to say, okay, I have to do my lab now I have to do my homework now.
I have to follow through on what instruction I just went through. And sometimes when you’re sitting in that nice comfy couch at home, you don’t necessarily want to, you’re going to switch off that Zoom and immediately pop up YouTube and you’re going to go through all the YouTube or you’re going to doom scroll till 2:00 AM and then fall asleep and start over.
So you have to have that more disciplined set of abilities to make sure that high Flex works. And I think High Flex is fantastic because it’s where you’re at. You’re in a comfortable environment so you don’t feel stressed of other people might be judging you. You’re right there in your comfort space.
So I think that’s a great thing. But also the camaraderie that I have in the in-person classes, I really do encourage them to look at each other as a team. They’re my IT team and I want my IT team to work together and help each other out because that’s what they’re going to do out in the real world.
Steve Bowcut:
Exactly. No, I agree. The in-person format gives so many additional opportunities for learning how to work as a group, learning to exchange ideas with other people. So just to help me understand then, so with the high Flex or the fully remote, are those just certain classes or could you literally get a degree from CWI fully remote?
So if a young person lives in, say Arizona where I live and they wanted to get an associate’s degree from CWI, is that even in cybersecurity? Is that possible or do they really need to have some proximity to the campus?
Jay Soelberg:
Usually it’s some proximity, but we have Mountain Home Air Force base not far from here, and some of our students are airmen from that base. And we do have it where they do it remote from the airb base. And we’ve had a few of them as they’ve started into the program about halfway through or whatever have been shipped off to another station.
One was shipped off to another station in Europe and still wanted to finish his associate’s degree here. So he was able to do that fully remote at an eight or whatever hour time difference.
Steve Bowcut:
Yeah, that was fun.
Jay Soelberg:
And he did make it work. So we don’t necessarily say, yes, we have a fully remote program, but it’s a flexible, which is why we have the high flex.
Steve Bowcut:
Perfect. Okay, so CWI is a designated center for academic excellence, which is an NSA certification. So what does that specifically mean for students? What benefit do the students get because you have this certification?
Jay Soelberg:
And I happen to be the point of contact for the CA committee.
Steve Bowcut:
Perfect. We’re asking the right guy.
Jay Soelberg:
You’re asking the right guy. One of the great benefits that the students get, but they don’t realize is since it is the CAE community, we have schools all over the nation.
Just recently I went to a symposium by them and they said they have almost 500 higher education institutions that are now part of this community, and we all like to share curriculum and share information and share thoughts and ideas.
There is an area out with the CAE community called Clark where other faculty members can put up curriculum that covers the gamut of cybersecurity stuff and it’s free and open source that you can go out, you can grab that and go in and work with it and say, okay, I’m going to change this. I’m going to work that in and use that curriculum to do your courses.
We also have access to federal agencies, not just NSA, but National Science Foundation, FBI PMO, the program management office. We have access to those kind of minds to be able to draw from, and that feeds back into our curriculum of understanding that, okay, this is what the federal government’s looking at, here’s what states are looking at.
And then of course here we have technical advisory committees that also advise us what the local community needs. So we get the local as well as all the way out to the federal.
Steve Bowcut:
Perfect. Okay. Thank you. Alright, so I want to shift focus here a little bit and have what always turns out to be an interesting conversation, at least for me as we talk about professional certifications.
So not everyone in academia is a big fan of professional certifications, but I know it’s something that from what I’ve seen, it’s my understanding that that’s something you kind of focus on and prepare your students for.
So let’s talk about the value you see if in fact you see value in students gaining professional certifications along with their more formal academic degree.
Jay Soelberg:
I do. And just to kind of clarify, I don’t necessarily, and my fellow instructors, we don’t necessarily teach to a certification. We teach the concepts and the things that need to go on that they would succeed at taking those exams.
But I am one that likes the certification exam because especially coming out of an associate’s degree, this shows a little more oomph on their resume and it’s someone outside of CWI, someone outside of us that has set up a certain bar, a certain level that people need to meet and we can have our students go and take that and say, yes, I do meet this.
It’s not just saying, you meet CWI’s level, you meet this level. And that’s a nationally recognized or even internationally recognized level. So being able to have that is a good thing. I don’t think it’s a good thing to teach exactly to that so that they can pass that. And that is the intent.
I think it’s more of let’s teach this material and guess what the material you’re learning, you can pass the security plus or whatever the case may be.
Steve Bowcut:
Yeah, excellent. And I know from experiences I watch the job boards and the requirements that employers are looking for, oftentimes even with advanced degrees, they still want these certifications. So having these certifications I think can help people find a job in cybersecurity. Okay, thank you. Appreciate that.
Jay Soelberg:
Well, and to add on to that, sorry, the automatic systems for resumes are looking for those keywords.
Steve Bowcut:
You can just be kicked out right?
Jay Soelberg:
You get kicked out if you don’t. So I think that’s a disadvantage and I really think systems should be fixed on that, but to help them get through those ATS systems, it’s good to have ’em.
Steve Bowcut:
Yeah, oftentimes that’s the case and I agree, yeah, that’s probably not the right way to do it, but they see lots and lots of resumes and they have to find some way of filtering and sometimes that is how they do it. Do you have the certifications that we’re looking for regardless of the degree and or experience that you may have.
Alright, so earlier you mentioned labs, and so let’s talk about this idea of hands-on learning and the importance of hands-on learning. Maybe you could describe that a little bit, maybe even some examples of your labs if you can.
Jay Soelberg:
Okay. Yeah. Most people think of college courses as, like I said earlier, the sage on the stage standing in front of a classroom doing his lecture and then say, okay, go home and read the book.
That’s not what our program is. Here we are a career and technical education program, a CTE program, which is intended to be a shovel ready job, so to speak.
Steve Bowcut:
Oh, very good. I like that.
Jay Soelberg:
So we have to give them hands-on skills with tools that they will see out in industry so that when they graduate, our program industry understands that they know how to use these tools, they’ve already been using them, and we try to make these labs as real life as possible so that they can get in and do real life tasks and real capabilities.
We are doing a lot more with competency based kind of curriculum saying here is a job role, and with that job role, let’s say it’s a cybersecurity analyst, there’s certain tasks that a cybersecurity analyst has to do.
So we try to get our labs and our lectures and those kinds of things around those tasks teach ’em to those tasks so that when they get into a situation of having to do an interview for a job, they can say, oh yes, I’ve done this task and I know these things, and able to be able do those.
Steve Bowcut:
Right. Okay. All right. So let’s just zoom in on that a little bit and let’s talk about the kinds of entry level roles. And so in my mind, as I referenced earlier, there’s these two young men that go, they go to my church, Eli and Jameson, and they’re not going to go to CWI. They don’t have any proximity to your campus at all. But let’s say hypothetically they were.
So what kinds of entry level roles or internship opportunities do you think that they could be looking at as they complete their degree at a place like CWI?
Jay Soelberg:
I have had a couple that have gone out of, well, I should say a few students that have gone out and have started into help desk positions and even done internships in level one, IT security kind of positions. I definitely tell students as soon as they come in, don’t ever look down your nose at a help desk position.
I came from a position of being a regional manager and I still spend a lot of my time answering phone calls doing help desk and it’s a great social piece. It gets you more comfortable with dealing with people, especially people that are in a high stress moment.
And it also gives you a large breadth of knowledge. You have to answer questions about all the things within that business. So it really gives you great skills that are going to benefit you for the rest of your career.
So they would be looking at a lot of help dispositions and a lot of that first tier security stuff. Of course with AI coming up, that’s changing a lot of these things. And that’s something that is on my horizon and something that I’m thinking about manipulating my curriculum a little bit to try to address that.
Maybe some of these lower level things like a security operations center analyst, a SOC analyst, some of those lower level pieces are now being taken and identified with AI. So now we have to have that human element in there, which is kind of that next tier level instead of what we know is entry level.
So I’m trying to see about maybe I’ll teach ’em to that next level and bringing that human element into, okay, the AI has identified these pieces, now we go on from here.
Steve Bowcut:
Right, right. Very good. Alright, so a couple more questions before I let you go. So what advice do you have for high school students or early adult learners who are thinking about cybersecurity?
So what would you tell somebody if they came to you? I’ve been thinking maybe cybersecurity is something I want to get into. What kind of advice would you give them?
Jay Soelberg:
I would say definitely go out. We are in the information age now, go out to things like YouTube and other areas, maybe Amazon and look at some books.
But get a little idea of if you have the passion for cybersecurity and cybersecurity is broad. There is what I said earlier about Security Operations Center, it’s what we call blue teaming. That’s the defense side of cybersecurity.
Maybe that’s something that you might be interested in. Maybe you are interested in the more offensive side, the ethical hacking and penetration testing, the red team side, but there’s also the response side, the digital forensic side. Okay, this is what happened. How did that happen?
Now we have to go through and find out, or maybe you become a forensic investigator for local or state police or maybe even federal agencies. There’s a broad range. So get out there and look at some of those things.
And if you find something that really fires you up, do a home lab and the bar to entry is fairly low. If you have a laptop with 16 giga ram, you can build a lab, download virtual box, put on a vulnerable machine, put Callie in there, start going at it.
If the defense side is your thing, you can still do the same thing. Put a PF sense on a virtual machine, get in there and start figuring out how to build rules for your firewalls.
But I cannot state enough how much doing home Labing will improve not only your skills, but your insights and your confidence in things. And confidence is a must have because your job is changing every day. And especially with AI now, it’s almost changing on an hourly basis.
Steve Bowcut:
Exactly.
Jay Soelberg:
So if you can get in and play with that stuff and the comfort of your home where you’re not messing with production, that’s going to build your confidence to be able to come to your employer and say, you know what? I have these skills, so I think I’m ready for that next step.
Steve Bowcut:
Yeah, I love that answer because it is a broad field, and my experience has been, and you’ve probably had more exposure to this than even I do, but young people oftentimes will approach cybersecurity with a preconceived notion of what cybersecurity is.
It’s all ethical hacking, and I want to be a hacker, but I don’t want to get in trouble, so I’m going to be an ethical hacker. Or maybe it’s all defensive. And what that does is it excludes people who think, well, I’m really not that technical, but I am interested in people and why people do the things that they do.
But we need people like that in cybersecurity as well. Right? I mean, social engineering is a part of every attack vector. So we need people who understand that and can communicate those things to decision makers. So I appreciate that answer. That’s excellent.
So as we finish up here, so as we’ve talked, it’s constantly evolving. This field is, so how do you do that? How do you stay current? And AI, you’ve mentioned that a couple of times now, and I think that is probably the thing that’s probably looming largest before you if you think about your curriculum and how you’re going to develop it.
How do you do it? Do you just use your expertise to see what’s happening in the industry and the threats, or?
Jay Soelberg:
Definitely keep your ear to the ground. I follow a few different blogs and news sites. One of the best ones is the Too Long Didn’t Read Security newsletter. And that is definitely one to get because he does have a lot of good insights.
But keeping up with those things and what’s happening out in the industry and what people are finding with adversarial attacks and malware attacks and ransomware and all of those things, you can get all of those pieces.
And also following folks on YouTube, and I know I keep coming back to that, but you have people that have more insight than you go out there and utilize them, stand on the shoulders of greatness and learn from them.
And then go back to that home lab that I was just encouraging and start playing with something that you just heard about or read about. Get in there, get your hands wet and find out if this is something that should be used in your environment.
Find a business case. Is there a business case for what you just heard or you just read something and say, oh yeah, I think that could affect my industry. So maybe I need to bring that to my powers that be and say, okay, how do we attack this and what do you need from me to get that done?
Steve Bowcut:
Right. Perfect. Okay, so Jay, we’re out of time, but thank you so much for spending some time with us today.
We appreciate you giving some time those people who are trying to make a decision about whether cybersecurity is the best academic course for them to pursue. So thank you.
Jay Soelberg:
Absolutely.
Steve Bowcut:
And a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of The Cybersecurity Guide Podcast.