Cybersecurity: Did Bootcamps Break Us or Save Us
The cybersecurity awareness and training industry tops a billion dollars in revenue and will only grow as regulatory frameworks that require companywide learning programs spread.
At the same time and given Higher Education’s inability to adapt or keep up in digital fields, a training program that tops hundreds of billions of dollars grew overnight. In fact, a study by CompTIA (bias disclosure: a test vendor) found 91% of all employees use certifications in hiring.
Classes to pass the certification exploded overnight. I worry the bootcamp model broke us.
I do not want people equating a four-day class in how to pass a test to equal deep learning based in cognitive science. Not when it comes to cybersecurity. The mission too important to hunt for a quick fix in awareness and training.
I know, like CMMC these certification classes are not meant to teach cybersecurity skills. Still, I personally believe the domains of knowledge assessed on the certified classes too hard to master in a four-day seminar.
I don’t blame anyone, but human nature. You can never lay shame on someone for taking the path of least resistance when it comes to securing food or shelter for them and theirs. Once you introduce a high stakes test humans will immediately start mixing a broth to corrupt the reliability and validity of that test.
At the same time these increased cost and regulations caused expected resentment in the cybersecurity professional community. Many feel their experience has established these skills and they feel preyed upon by a certificate mill industry. They have a point.
The entire tech industry, however (I included) could benefit from a good dose of humility. Nobody knows it all, and if you know more, others in the class benefit. Those most successful in bootcamp classes are probably humble folks in other online spaces.
In a “bootcamp” style class, whether to train employees or to prepare for a certification test ,the learning gets crammed into a very short time frame over long extended days.
Almost all cognitive science research supports longer durations for learning. In fact, retention ability decays very quickly. Further long-term transfer to other domains increases when high quality feedback gets connected with bursts of content, activity, and reflection.
The Domain of cybersecurity, especially when preparing to move from one industry framework or another, however, cannot happen overnight. Yes, as I stated these classes do not train you in cybersecurity, but it will take specialized knowledge to move from a HIPPA audit to a 171 assessment for example.
These domains of knowledge too complex for quick learning just to check off a compliance box.
Myth of Auto-Didactic Learner
No bootcamp lives in a vacuum (until Space Force starts orbital unit training) so when people claim to only want self-paced learning, they should make sure they have community support somewhere.
Nobody learns alone. No one gets self-taught. Full stop.
Community is the Curriculum.
The original MOOCS, which helped kick off the coding and cybersecurity bootcamp craze, never focused on size. they focused on people. When David Cormier coined the term the massive modified open, not the size of the class.
It meant using network theory to encourage the spread of open resources and pedagogy through ever growing learning communities.
So even a four day or four-week self-paced online class needs some element of community. You need peers to have discussions. You need groups to work on scenarios and case studies that will reflect what cybersecurity and assessors will do in the field. Most importantly you need high quality feedback from your instructors.
Not opinion. Stable and replicable finding from cognitive science research and based on principles of Universal Design for Learning to ensure all learners can succeed.
Bootcamp Models Dont Meet Diverse Workforce Needs
You need a lot of resources to check out for four days and go to an intensive bootcamp. Childcare, carpools, community volunteering, the bootcamp model do not reflect the needs of the modern workforce.
Bootcamp models do not help diversity, equity, and inclusion when the only option involves four days of unpaid work. We need to provide learning communities that allow for flexible and supportive learning modalities. As a nation we must root cybersecurity trainings in groups that face historical exclusion in the tech and cyber industry.
These four-day learning bonanzas also hurt organizations. As a CEO do you want your entire cyber/IT team out of pocket for four days? What if like many small businesses as CEO you are your entire cyber/IT team? Can you be out for four days?
A Better Way forward with CyberDI and Southern Connecticut State University
At SCSU, we have developed and iterated on the CyberDI curriculum that they will deliver on our online and offline campuses as an LTP through four rounds of iterative design with the goals of using principles of cognitive science in curriculum development and delivery.
Real science. Not bootcamp marketing or certificate mill hype.
In our five-week class model you meet twice a week for live classes each week. Instructors schedules these classes either at noon, the evening, or the weekends depending on local audience needs. They offer hybrid and fully online versions. The lectures and discussions get recorded so if life gets in the way anyone can catch up.
Every practice and process in the CMMC model gets covered through systematic and explicit instruction following the “Instructor does, class does, you do” model. This predictability, science tells, us, improves learning.
Social learning, not just explicit instruction, gets baked into the model. We have two weekly office hours where instructors and community members just drop in to get specific technical help or to ask general questions about course content.
We know from research, building scaffolds that gives learners support drives success.
Our course navigation is simple and works in Blackboard, Canva, Microsoft Teams, or my favorite a simple HTML website. In every module you are asked to read, write, and participate. We give you access to easy to navigate resources.
You can see above how each model gets laid out in a Google Classroom example. We know from decades of research ease of navigation drives learner efficacy and success.
Most importantly you take part in production-based learning driven by feedback designed to elicit growth against the course objectives. Feedback, both formal and informal, drive learning. The teacher guide we provide has tips on writing feedback. The instructors who teach the CyberDI classes on SCSU campuses will get on going coaching in their questioning and discussion techniques. They get additional training on how to write and deliver feedback for growth.
We do hope you choose a training program based in cognitive science and not just certificate mill marketing hype. The classes CyberDI will teach on our campuses meet this criteria.
Just wanted to end with a quick shoutout to the subject experts who helped write and shape the curriculum
- Leighton Johnson- Wrote our Domain Scenarios
- Paul Netopski- Wrote our CMMC Assessment Process Chapter
- Vincent Scott- Co-wrote history of CMMC and Domain Scenarios
- Tom Cornelius- Open Source contributor. We utilize Comp;iance Forge’s CC BY-SA Scoping Guidance.
- Gregory McVerry co-wrote CUI scenarios, co-edited textbook with Dr. Tucker
- Lauren Tucker-lead author on instructinal guide, co-edited text book
- Richard Dawson-Wrote 162 aligned introductions for 17 Comains
- Dana Mantilla-Video Instructor who interviewed top talent
- Brian Rogalski-co-wrote CUI scenarios
Academic Advisor: Leslie Weinstein
- Allison Giddens
- Vincent Scott
- Margaret Glover
- Paul Netopski
- Matthew Carson
- Jake Williams
- Amira Armond
- Ryan Heildron
- Vic Malloy
- Kyle Lai
img credit: Bootcamp dreams. by jgmac1106 shared under an CC-BY-SA license a A remix of: Work boot” by Bigbadvoo flickr.com/photos/bi… is licensed under CC BY “Storm Clouds Gathering” by izoo3y flickr.com/photos/iz… is licensed under CC BY-SA “Cha-Ching” by spcbrass flickr.com/photos/sp… is licensed under CC BY-SA