Week-Long Cert Boot Camps Are A Lie

CyberVista now N2K

Though week-long boot camps are the status quo in InfoSec, boot camps are the wrong solution to a learning problem. Week-long boot camps don’t sound too bad: get sent off for a week outside of the office, sit through five or six days of lectures, take some practice exams, punch your way through the exam, and earn your cert in under a week. Worth it, right?

Unfortunately, not. This montage doesn’t match up with reality for a large number of practitioners. Before you decide to pursue a boot camp for your next cert, consider the many issues with the week-long boot camp format.

Pass Rates Are Full of Hot Air

It’s everyone’s first question when considering any training provider, and cert boot camps in particular: “What’s your pass rate?” It seems like a fair question. After all, you want to know how effective a provider is, don’t you?

Maybe you saw that a boot camp provider boasts a pass rate greater than 93%. Seeing a pass rate like this should send your spidey senses tingling for two reasons.

First, the program you’re reviewing isn’t an approved or authorized training provider. Any training provider that has gone through the approval process (meaning that they have had their content reviewed and vetted) with (ISC)², ISACA, EC-Council, or CompTIA is cautioned against or even prohibited from using marketing language that discloses the pass rate of the certification exams. Training providers of this caliber rarely, if ever, publish pass rates.


Second, the figure is probably fake. Training companies that do tout high pass rates have no way to accurately track all their students and have no reason to honestly represent their pass rates – who is going to confirm their numbers are correct? Restaurants can’t give themselves Michelin stars. Automotive manufacturers can’t grant themselves five-star crash-test ratings. Yet, there are no unbiased third parties to verify training provider pass rates. Many providers boost their rates through the use of convenience sampling. In these instances, providers collect pass confirmations from the students they expected to pass and avoid collecting data points from the students they expected to fail.

Time Is Never Time Enough

Our research indicates that the average practitioner should allocate 300 hours of exam preparation to earn the CISSP, 200 hours of studying and lab practice to earn the CEH, and at least 250 hours of preparation each for the CISM and CISA exams. Do you think 40 or 48 hours of condensed prep will cut it? It won’t. Some providers even have the audacity to offer two-day boot camps! These abbreviated time spans completely downplay the sheer volume of information covered on each certification exam. The majority of cybersecurity certifications (including those listed specifically in DoDD 8140/8570) cover large swaths of topic areas. Even if you have held multiple positions in cybersecurity, you likely have not collected experience in all of the domain areas covered on each exam.

Some folks think they will be able to do a bit of reading ahead of the boot camp and some studying in the evenings after the lectures. Sadly, this, too, is simply not enough. In order to retain the material for the long term, you’re going to need time to review, rest, and recover. Academic research and experiments highlight that cramming (studying the material for the first time a few days before the exam) is not an effective study method when the amount of content exceeds one chapter or domain of content. For this reason, squeezing in four to eight domains of content in the days leading up to the exam won’t be enough.

Retention Is Forgotten

Maybe you think you’re good at cramming. Maybe cramming even worked well for you when you were in college or high school. Maybe it even helped you back when you took a Microsoft certification. Ask any CISM or CISSP: it’s not going to cut it for these certifications.

If you can find one, ask a colleague who passed a cybersecurity certification by brain dumping at the end of a boot camp. Does he or she recall the information from Domain 3? How about Domain 5? Nope and nope. Several academic studies conclude that cramming leads to extremely poor long-term retention. The certification you’re earning is not just a means to an end; it has intrinsic value in the form of foundational and professional knowledge. Your certification will mean less if you can’t actually back up the letters behind your name with any real knowledge.


They Make Failures More Painful

You probably already know that these boot camps aren’t fun. Over those five or six days, you’d likely have to wade through 1,000+ PowerPoint slides of material. Never mind that the lectures are miserable and the classroom might be 50 shades of taupe – now you know that it’s not an effective way to prepare.


So, if you sit for the exam at the end of the boot camp woefully underprepared and fail, you will have invested your time, energy, and significant sums of your money (or your employer’s) and come back to work a week behind, all without what you set out for in the first place – your certification. It really stinks.

The Only Good Boot Camp Candidate Doesn’t Need It

We’ve made the case that week-long boot camps don’t work for most practitioners. So who exactly are boot camps a good fit for?

They may work for seasoned practitioners (those with at least 10 years of experience) because these students already have years of experience stored across several domains and could benefit from a simple review or refresher of content. That said, those folks are also great candidates for self-study. They’d save themselves the time, effort, and trouble of the week-long boot camp. Did we just talk ourselves out of any suitable boot camp candidates? Yup.

There’s A Better Way

If you value your time, your career, and your sanity, join our fight against the status quo. Consider a training solution that is designed to work through learning science, customized to your experience, and fits within your schedule.