For college and university students, or even tech professionals thinking about a career switch to cybersecurity, a big question remains hotly debated: What bachelor's degree will help get them hired, secure the best starting salary and set the stage for successful advancement?
The traditional undergraduate computer science degree continues to gain in popularity among college and university students. The most recent statistics from the U.S. Department of Education show that schools awarded nearly 105,000 computer science degrees in the 2020-2021 academic year, an 8 percent increase from the previous period.
At the same time, undergraduate degrees in cybersecurity are gaining traction. In a field with a well-documented talent shortage, those who earn this bachelor's degree have numerous options to secure a good starting and even mid-level position such as cybersecurity analyst. The U.S. Bureau of Labor Statistics is projecting 32 percent employment growth opportunity in this one area alone.
There remains, however, a healthy debate among cybersecurity and tech experts about which of the two degrees will serve tech pros the best as their careers develop. A recent debate on Twitter, now called X, illustrated that each side has its supporters:
"If you think this is wrong, it's only so in the short term. In the long term, a computer science degree will benefit you FAR more in cybersecurity. https://t.co/Fu6nDA6atS" — Jake Williams (@MalwareJake), September 11, 2023
In a follow-up email to Dice, Jake Williams, who is on the faculty at the Institute for Applied Network Security and who posted on X about the issue, expanded on his answer. He noted that cybersecurity degrees help tech professionals learn applied security techniques but often gloss over foundational computing concepts.
“It's been my experience that those graduating with cybersecurity degrees hit the ground running better than those with computer science degrees,” Williams, who formerly was a member of an elite U.S. National Security Agency hacking team known as the Tailored Access Operations unit, said. “This makes sense since the former focuses more on applied techniques. After a year or two in the field, those with computer science degrees usually leapfrog ahead since they are better able to understand the foundations on which the technology they're securing is built on.”
No Right Answer
While experts debate which degree is better, Williams is also quick to point out: “There's no wrong answer when it comes to education.”
What makes coming up with a definitive answer a challenge is that cybersecurity is a computer science discipline that involves the entire stack, from the silicon right up to the user, noted Casey Ellis, founder and CTO at Bugcrowd. This leaves too much ground to cover for someone studying for a four-year degree, whether it’s traditional computer science or cybersecurity.
Ellis, however, agrees with Williams and others who said that a computer science degree can help tech pros as part of their long-term career goals, especially compared to a cybersecurity degree.
“There's so much ground to cover [in cybersecurity], and such an obvious absence of the right skills connecting to the right problems, that delaying entering the workforce by three or four years to go deep on a particular area often nets out to deferred opportunity in that time,” Ellis told Dice. “On the other hand, the kind of deep contextual knowledge you can get from a good CS degree allows you to go further and be more flexible as the needs of the market change.”
Another computer science degree supporter is Krishna Vishnubhotla, vice president of product strategy at security firm Zimperium. He noted that, by learning the fundamentals of computer science, tech pros can understand systems and applications, and how attackers can take advantage of vulnerabilities within them.
“When you understand these fundamental concepts, anticipating risk areas around security or privacy becomes more apparent and intuitive. It is like learning the first principles of thinking,” Vishnubhotla told Dice. “You can layer on other cybersecurity knowledge to better understand the many ways to solve the problem and to what degree it needs to be solved for each use case. However, the market perceives that a cybersecurity course is the most efficient way to learn security without wasting time on a degree.”
Does Any Degree Matter?
While some debate whether tech pros should pursue a degree in computer science or cybersecurity, others aren’t even sure a technical degree matters.
For many, a college degree is less important than a commitment to learning a technical discipline, along with communication skills and analytical skills, said Melissa Bischoping, director of endpoint security research at Tanium.
“I don’t have a computer science degree, but I have learned about the fundamentals of computer science during my career as I’ve navigated my way through various technical problems that I needed to solve,” Bischoping told Dice. “It has not hindered my progress because I did not gain the knowledge through a formal degree program, but I did have to invest in learning the material on my own.”
When hiring for her team, Bischoping noted that she looks for two qualities: tenacity and initiative. These are more important than a specific degree.
“Tenacity is key because this industry often involves long hours trying to solve problems that may lead to several dead ends or failed attempts along the way,” Bischoping added. “Having the drive to continue working and stay motivated in the face of those challenges is key to long-term success in the field.”
For others, it’s having the hands-on experience that comes with understanding code, as well as figuring out (often through experimentation) how vulnerabilities can be exploited and what can be done to better secure networks and infrastructure.
“Students emerging from cybersecurity programs are well versed in history and lessons learned over the past decade or so. However, people with a cobbled-together virtual lab of mobile, cloud, containers, network devices and servers running exploits and who try to circumvent the vulnerable spaces between tech—those are the people we need on a red team,” Stan Black, CISO at Delinea, told Dice. “Add into the mix a working knowledge of coding practices and you have someone that can fortify your operations in a way traditional security has failed for decades.”