McDonald’s, Spherical Cows, and iTunes: A Defense on Behalf of Bootcamp Instructors & Thoughts on Modular Education

I sometimes participate in an alumni Discord server, where we recently had a bit of heated debate regarding the value of our bootcamp program and what we wish could have been different. Two major themes were:

  1. The training on its own was not sufficient/rigorous enough to make us “job-ready” relative to the inflated expectations of the hiring market.
  2. The career paths laid out, “penetration tester” and “SOC analyst” and “Red Team” vs “Blue Team” felt binary in an industry that is filled with niches.

I would like to take some time to exercise some empathy on behalf of our instructors who have been taking a lot of flak as well as suggest an alternative that might be a compromise between student and shareholder value.

お任せ — “I’ll Leave it up to You”

Jiro Dreams of Sushi

This is literally what you are asking for when you order o-makase, the prix fixe of sushi. The chef and their staff are sourcing fish by season and market conditions, and you are leaving your dining experience at their discretion.

When you choose to attend a security, web development/UX, or data science bootcamp, that is essentially what you’re doing. You can, of course, take individual classes on how to write Python or how to conduct a penetration test, just like you can choose to order sushi a la carte or make it yourself if you wish. But if you’re considering a bootcamp, like I did, most likely you are admitting that you do not have the Herculean research and self-discipline abilities to bootstrap yourself from ground zero to a job.

But that’s ok, because most of us don’t. It’s likely why, even though you can have some flexibility in the classes you can enroll in, university curriculums are fairly fixed in a way to guide you through the path you need. Don’t give into the survivorship bias of those who brag about figuring things out by themselves — no one is telling the story about how they burned out on their own and gave up.

So if you have the cash or are game to take on loans (like someone paying with credit card at Sushi Nakazawa), you can accept the help of veteran industry professionals who have taken the time to craft a curriculum for the average student who likely knows close to nothing. Getting somewhere at a cost is often better than nowhere, depending on your needs and contraints.

I left it up to the faculty at Fullstack Academy, and I’m better off for it.

The “Tyranny” of the Majority (or Neoliberalism)

The hidden double edge in this Faustian pact lies in the fact that to serve the business growth needs of an investor-backed enterprise, the product offering must appeal to as wide of a market as possible. And who is this market?

Those who want to change careers quickly, with little/no prior background, at a lower cost than an undergraduate/graduate program.

In the eyes of the shareholders, we (prospective bootcamp students) are not some struggling inner-city high schoolers reaching for a better future by learning AP Calculus — we are a statistic that makes the Series A/B/C funding worth it. It’s a data-driven world, and money makes it go ‘round.

McDonald’s has a robust research program and could well produce a Michelin-starred burger. But it doesn’t, because it can make a lot more money with an easy to reproduce product that hits the spot and is cost-effective for the buyer and seller. Similarly, I’m sure a bootcamp program could aspire to the standard of 1970’s Berkeley, but it would be naïve to pursue such a vision unless it was a sponsored nonprofit/academic center.

Imagine our needs/constraints laid out on a bell curve. In a given sample/population, there will be some of us with more or less time to spend studying full-time, technical aptitude, etc. The majority of the group will cluster around the average (X̄).

The “Bell Curve”, or Normal Distribution. Image by Julie Bang © Investopedia 2019

Let’s assume you are the next Kevin Mitnick and you breeze through all your courses because you are a .1%’er. You demand that the curriculum be adapted to your needs, otherwise it’s a waste of your time and money.

Assume now in our dramatized hypothetical, that your instructors agree and pivot towards having everyone learn how to write assembler code instead of that Mickey-Mouse Python. Most of your classmates cannot learn this overnight, and end up failing the course or dropping out. The program’s reputation, while impressive an old-school elite, drives students that would have otherwise done fine in the old curriculum towards a more beginner-friendly competitor.

On the flip side, we might also see a “No Child Left Behind” situation where a desire to let more students complete a program results in the more advanced students feeling frustrated.

Real-world instructors in for-profit schools thus face a dilemma: they must craft and sell an appealing dream (working in tech), but one that is attainable for the average student and profitable for the company. It is not a surprise, then, that the general modus operandi is to make a cohort of students close to hirable in approximately one business quarter, then rinse and repeat. As long as most students can find a job within 3 months to a year, it’s a job well done.

As mentioned earlier, this is probably a satisfactory deal for a good amount of people. I wouldn’t have seen myself becoming job-ready within half a year just studying on my own — there is plenty of value in guided instruction at a rigorous pace accompanied by peer accountability. It wasn’t a 4 year CS program, but that’s not what I paid for either. A bootcamp guarantees not a job at the end of the tunnel, but a foundational skillset that you can build upon, provided you put the work in yourself.

Explain Like I’m Five

Consider the infosec vendor/services landscape:

https://www.optiv.com/navigating-security-landscape-guide-technologies-and-providers

And this certification progression chart:

https://www.reddit.com/r/cybersecurity/comments/e23ffz/security_certification_progression_chart_2020/

How would you approach these with a greenhorn who only knows how to vaguely ask, “How can I get into cybersecurity”? Would you really go through each nitty gritty section, knowing that they don’t have the context to understand? Let’s face it — unless they already have a background in IT, Software Engineering/Devops or Intelligence, it’s going to be difficult for someone to immediately understand nuances like security engineering vs architecture, threat hunting vs incident response.

There’s an academic joke I enjoy about how physicists like to model the world:

There is this dairy with cows and everything. The dairy farmer wants to increase his production of milk. To do this, he hires three consultants — an engineer, a psychologist, and a physicist.

After a week, the engineer comes back with a report. He said: “If you want to increase milk production, you need to get bigger milk pumps and bigger tubes to suck the milk through.”

Next came the psychologist. He said: “You nee to make the cows produce more milk. One way to do this is to make them calm and happy. Happy cows produce happy milk. Paint the milking stalls green. This will make the cows think of grass and happy fields. They will be happy.”

Finally, the physicist came to present her ideas. She said: “Assume the cow is a sphere….”

Although silly, this reminds me how models that “look” wrong (in this case, grossly oversimplified) can still be useful for understanding how things work. Too much information and complexity can be overload for someone with no pre-existing mental models, and while an over-simplification may be “wrong” in a technical sense, it can actually be useful in a pedagogical one.

If you’re like my instructors, you’d try to ELIF (explain like I’m five) and paint broad brushstrokes in the “Blue Team vs Red Team” dichotomy — a grown-up version of Cops & Robbers. SOC (Security Operations Center) Analyst and Penetration tester are fine starting point examples of what a career on each side might look like, and are a vivid illustration of the adversarial nature of InfoSec. This is enough complexity, in my opinion, for a pure beginner.

Let’s take a detour to the screencap below. Anyone who has done the Penetration Testing with Kali Linux or Hack the Box labs should find it easy to comprehend, but we could not expect the same from a complete novice. Knowledge has to build upon itself.

https://resources.infosecinstitute.com/topic/hack-the-box-htb-machines-walkthrough-series-valentine/

Command line output like this felt intimidating until my instructors taught me about well-known ports and the OSI model, how to interact with sockets, etc. It was necessary to first start off with necessary blocks of knowledge to build upon, despite it seeming trivial later on. In the same way, the crude early understanding of SOC and penetration testing roles provided clear paths of skill development that could fork later on. I believe that learning fundamentals in this “simplified” world helped insulate my early learning from noise and rabbit holes (it is very easy in security to fall into these).

Show Me The Money

Perhaps due to my business background, I come off as a sellout by empathizing with the bootcamp business rather than advocating for students. You may argue that it’s easy for me to take this position because I already have a job, and you‘re probably right.

But I consider myself and our alumni adults that entered a business transaction, not a moral contract, and believe it’s more productive to think about what could be rather than what should have been.

I’ve already discussed my thoughts on why the bootcamp experience (as it is) must by necessity disappoint certain people. In my opinion, this is more a failure of framework/mindset than curriculum planning — by trying to use a one-size-fits-all classroom, bootcamps have ended up with a satisficing solution rather than one that addresses diverse needs optimally.

Given that bootcamps want to grow revenue and students want different experiences, how can we arrive at a win-win?

Portfolio Diversification

Many moons ago when I worked in advertising, I had a client that manufactured cell phones. Their goal was to occupy a larger market share within the US, but they were struggling to compete with Samsung as an Android device.

After weeks of strategy sessions and brainstorming, we had to point out that their strategy of focusing on the early adopter techie crowd was actually driving themselves into a corner. What Apple and Samsung understood very well was that there is a place for ultra-luxe, flagship, and budget models, each one fitting the needs and wants of a subsection of the market.

The bootcamp experience as it stands is a bit like buying Model T Ford: “You can have any color as long as it’s black”. The one concession I’ve seen is part-time programs for those who can’t afford to quit their jobs, but realistically they are not so different curriculum-wise.

The iTunes Model

There’s a saying that there’s two ways to make money — you either bundle things together or “unbundle” them to sell individual pieces. iTunes disrupted the record industry by making it possible to buy individual tracks rather than the whole album.

What is ironic in the battle between bootcamps vs higher education is that while bootcamps are “disruptive” in focusing on expedited practical training, they are also backwards in insisting on bundling the entire curriculum together. In an undergraduate program, on the other hand, you can choose to fulfill a math obligation with pre-calculus or linear algebra depending on your level of expertise. And if you have enough AP credits or have transferred, you don’t even need to have 4 whole years of school.

Provided that there are enough students in the classroom, why couldn’t we have the same for bootcamps?

Conveyer-Belt Sushi

It’s not o-makase quality, but conveyer-belt sushi is an experience in choice. You can be a heathen and eat only California rolls, or you can pick and choose whatever flavors pique your interest. You can also eat as little or as much as you’d like, provided the plate you’re looking for is available.

This model, in my opinion, stands to help bootcamps maximize revenue potential by fulfilling needs it could not with the current format, allowing:

  • Inexperienced/undecided students to test the waters with a preparatory/foundations course rather than commit to a huge purchase.
  • Advanced learners to participate in more rigorous versions of the same topics, satisfying their intellectual needs.
  • Those with prior foundational experience to specialize (like college majors) in niches like digital forensics, web application testing, etc. (upsell to existing students, and you can bring in adjuncts on contract)
  • Strong self-learners to work through self-paced material and labs without instructor/peer support (curation of materials is their core need).

Perhaps even more importantly, this model would support the reality that a career in tech involves lifelong learning, not just a one-time program.

Completing a bootcamp program is not the goal in itself — it’s to get a person tangibly closer to their career change/progression needs. Bootcamp operators would do well to provide modular options that stand to reach a longer tail of customers by fitting their needs more closely.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store