N2K Blog: A better replacement for the incumbent cybersecurity learning model

A Better Replacement for the Incumbent Training Model

By Jung Lee

Career development opportunities are important for IT and cybersecurity professionals and one of the few external qualifications for employers. Many organizations choose to leverage a five- or six-day bootcamp course to provide individuals on their teams with additional training. This is a mistake.

The single biggest issue with incumbent cybersecurity bootcamp training is a lack of accountability. There is no data to tell an employer that 1) their organization is more secure as a result of additional training, or 2) an individual is better at their job after attending. But online training can provide better learning outcomes for organizations and practitioners alike.

Flaws in the Bootcamp Model

What do incumbent bootcamp training providers do that has historically made them synonymous with cybersecurity training? The short answer: nothing. Beyond the one-week, in-person format and brand recognition (oftentimes employers and individuals alike think bootcamps are the best or only option for training), the quality of their course content is no different from that of their competitors.

Cramming ≠ Learning

Quite obviously, training courses are designed to teach and help students learn. The bootcamp model is built upon learning a large amount of information in a short amount of time; however, academic research and experiments highlight that cramming is simply not an effective study method (when the amount of content exceeds one chapter or domain-worth of content). Moreover, academic studies also conclude that cramming leads to poor long-term knowledge retention—which doesn’t do any favors for individuals cramming or their employers relying on their ability to absorb and effectively apply new and often complex information.

Unless the bootcamp attendee pays for and sits for the certification exam, there is no metric to determine whether the training has achieved its objective. Most bootcamps are designed specifically to ensure that students learn just enough cybersecurity content to pass the exam (should they choose to take it) immediately after the course concludes.

Because information from a training engagement isn’t retained long-term, knowledge is not transferred to on-the-job skill improvement. Compounding the issue, employers do not receive actionable feedback in translating skills into day-to-day cybersecurity operations.

An Archaic Training Model

Beyond the unrealistic proposition that students can learn and retain weeks’ worth of content in just 40 hours of a one-sided lecture, organizations have also realized the significant impact of lost productivity. The week-long, in-person bootcamp model might work well for some mature organizations with large teams to fill the gaps; however, it can cause a dangerous vacuum in other organizations with smaller teams that cannot conveniently fill in for absentees.

The quality of an in-person training course is largely dependent on the instructor teaching it, which is great if you get one of the good ones. There are only so many “rockstar” instructors and course options for practitioners to work with, as schedules are based on the instructor’s availability. The true cost of this archaic training model is time. Attendees and organizations must shift their schedules to accommodate, leaving little room for flexibility to meet the demands of the team or the individual.

It used to be that online learning was no substitute for a traditional classroom setting, but this is no longer the case. Many bootcamp providers have changed very little since their inception in the late ’80s, whereas online training providers have risen to the challenge of the rapidly changing cybersecurity and digital landscapes.

A Training Vacation?

Since bootcamps haven’t proved effective in the long term, organizations will struggle to justify ongoing spending each year. Bootcamps are already significantly more expensive than any other training programs in the industry, and prices have only continued to increase. It can cost upward of $8,000 per person to attend a bootcamp and sit for a certification exam with a well-known bootcamp provider.

This figure doesn’t take into account the additional indirect costs associated with attending an in-person course. Loss of productivity alone can add up to a staggering $1,920 or more. The real cost of a bootcamp course is the sum of the course (roughly $8,000), the cost of downtime ($1,920), and also airfare ($500), and lodging and meals ($1,000), which totals well over $11,000. If the goal is to reward top performers with a training vacation, though, bootcamp training fulfills that objective.

The pursuit of professional development shouldn’t be cost-prohibitive, and furthermore, there should be a clear path to justifying the return from skills improvement and a certification earned.

Attractiveness of the Bootcamp Model

Even though bootcamps don’t achieve their main goal of effective training or developing talent to demonstrably improve in their roles, there are good reasons that they’ve been the industry default for so many years:

  • “Gold Star.” Rewarding high-performing employees by giving them (and even their families) an opportunity to travel to popular destinations is a tactic in combating abysmal retention rates industry-wide. Training feels like a sponsored vacation, rather than a focused study environment.
  • Networking. IT or security employees are always looking to add to their skillset and their network. Most in-person training is open to the public or hosted at a conference, giving attendees the opportunity to meet fellow practitioners and esteemed instructors and grow their network.
  • Accountability. They’re called bootcamps for a reason. The forced accountability is no doubt appealing to employers, who appreciate the short turnaround and inherent pressure bootcamps place on their employees.
  • Poor online training experience. Many practitioners have had a bad experience with online training. Whether the cause was technical issues or pre-recorded voice-over-PowerPoint content from unprepared instructors, managers or practitioners tainted by one bad online training experience gravitate toward in-person training.

No Better Alternative?

The final reason in the above list—poor online training experiences—is the single most important issue that has extended the life of bootcamps. Online training has an often less-than-stellar reputation, suffering from issues such as:

  • Poor teaching. Successfully teaching online takes different strategies and approaches than in-person, and good brick-and-mortar classroom teaching does not automatically translate. Teachers who are unaware of or unprepared for these changes in environment struggle to connect and engage with their virtual class, which is less patient and more easily disengaged.
  • Curriculum and course structure not set up for online teaching. The curriculum must be tailored to the new medium. In the cybersecurity industry, courses often include labs or hands-on keyboard training. In-person, it’s common and effective to see over-the-shoulder lab instruction, allowing the instructor to intervene and support in real-time. This interaction is much harder to replicate virtually, and students get left behind if they are lost in a lab environment without proper step-by-step support.
  • Ill-defined expectations. Learners, too, must be prepared for the new medium. Online training is more independent and therefore requires more self-discipline. Learners must hold themselves accountable and study in the same setting in which they eat, sleep, play, and live. If these challenges aren’t communicated upfront, a learner can become easily discouraged and fall behind.

These issues are exacerbated by the rise of ad-hoc online classes. Schools and training companies (read “institutes”) that typically teach in-person have been forced to move online without proper planning or expertise. The forced migration did not make for a graceful transition for instructors or students.

The Fate of Bootcamps Depends on Online Training

The online learning experience must be good enough to draw managers, educators, and students away from dated bootcamps, once and for all. Here’s what it will take to get the job done:

  • A better schedule and pace. This addresses a major issue with bootcamp training: the compressed schedule. Online courses structured around on-demand or live classes allow for better comprehension and retention because instruction is taken in chunks. Moreover, online training gives flexibility for practitioners and employers to train around their schedule, not pre-determined by the instructor or training provider.
  • More customization. An exemplary online course has the flexibility to begin with an initial assessment (or diagnostic exam) to identify strengths and knowledge gaps. This affords a more efficient and customized study plan. Unlike in-person bootcamps with pre-set agendas, on-demand, modular content encourages learners to jump around to focus on weaker areas, wasting less time on the areas they already know.
  • Learner-driven experience. With an online system, learners have more control over how they study and learn. In-person training follows a rigid cadence where teachers have to lecture for the entirety of class to get through the material and then send students home with post-work to reinforce knowledge retention. But an online system creates a more flexible learning path. For example, a student can digest 30 minutes of content then pause to complete a knowledge check specifically covering the content they just learned. This creates more learning moments more often, which is especially important for weak content areas and gives students a more customized and flexible experience.
  • Easier access to the best instructors. Geographic hurdles and canceled flights are no longer a barrier to accessing the best instructors, nor are scheduling conflicts. An online setting allows instructors with rockstar reputations to teach more frequently. And these teachers are trained for the online environment. They are comfortable with remote meeting technology and how to engage online learners through polls, questions, and other engagement moments designed for online learners.
  • Use a peer study model. Online learning does not mean total independence and a failed opportunity to network. Indeed, online learning affords students the opportunity to connect with peers and colleagues with whom they may not normally interact. A cohort model that spends weeks together (not just five days) has more time to bond, share, and hold each other accountable in studying and following through on the exam.
  • Getting more learners involved. A live online environment and interaction, especially typed responses or polls that don’t require the use of a webcam, is an easier option for those who may be too shy to speak up in class. The option of a private, direct line to the instructor or Teaching Assistant (TA) provides an additional avenue to those who wouldn’t normally have the temerity to participate during an in-person class.
  • Increase accessibility to more learners. Modality is important, but here we’re talking about cost. Online training providers need to leverage their own marginal reduction of cost and pass those savings onto their customers. Expensive bootcamp courses are inherently accessible only to certain individuals at certain companies. Online training providers need to position their solutions at a more reasonable cost to assist with upskilling more practitioners in the industry.

[Figure: Bootcamps Chart]

Ensuring Certain Death

Despite the fact that the bootcamp model is absurd, ineffective, and wasteful, it has remained unquestioned because it is the incumbent training solution. But when we stop to ask, “why are things the way that they are?” the only answer we can come up with is, “because they’ve always been that way.”

But Francis Bacon, the 16th-century English philosopher, explained, “a prudent question is one-half of wisdom.” By taking the time to question and challenge why bootcamps are the solution, we’ve seen that there is something better. Bootcamps are outdated, and we must take wise action to replace them. Online training alternatives must take this as a call to arms to rise to the occasion and be good enough to serve as the replacement.

The cybersecurity industry has a reputation for experiencing notoriously high turnover. Fortunately, there are basic pitfalls that employers can avoid to improve cybersecurity practitioner retention similar to roles in other industries. N2K takes a data-driven approach to cybersecurity training, with both certification and role-based programs, to ensure your team builds the right skills with training mapped directly to their needs.