What Should I Consider When Selecting a Program for Cybersecurity?

There are many paths to consider when choosing a cybersecurity program. You could get a 2-year community college degree or a 4-year bachelor’s degree. Within those programs you could decide to major in computer science, or business, or political science, or even criminology. You could even forgo college and decide to attend a security boot camp designed to help you pass a specific security certification. All of these paths can lead to a job in cybersecurity.

So, what should you choose?

The answer is, it depends on what is best for you and your situation. I can’t tell you what the best option would be for your situation, but I can give you some information to help you with that decision.

I think the best way to understand the difference between the education paths is to visualize a pyramid. The bottom, wide portion, represents the knowledge gained at a 4-year university, and as you go up, the focus narrows till you get to the point, representing a certificate, where the knowledge is very specific.

How do you pick between these options?

Some of it comes down to time, money, and whether you’d like to prioritize breadth or depth. If time and money are rare commodities for you, and if you’d like to prioritize depth, your best bet is a boot camp focused on a certification.


Certifications are a very viable option and can lead to great entry-level cybersecurity jobs. There are plenty of online or in-person bootcamps to choose from. Taking one of these bootcamps, combined with reading good books on the subject, can help you pass one of the many cybersecurity certifications. Opinions vary on the value of certifications, but I do know of several employers who value certifications more than degrees, including a cybersecurity consultant who works with Fortune 50 companies.

One of the challenges that you will face in the certification route is that you need to know exactly which field of cybersecurity interests you. Do you want to work in a SOC? Or do you want to do pen testing? Maybe code review sounds good to you. How about computer forensics? You get the point; there are a lot of fields in cybersecurity, and you would need to pick a certification for that particular area.

There are some general certifications, like Security+, but I believe that those are more valuable when they’re combined with a 2- or 4-year degree. However, if you are not planning on getting a degree, your best bet is to pick an area of cybersecurity that interests you and to study that topic in depth.

2-year Associate Degree

Moving down from the point of the pyramid, you are starting to broaden your range of knowledge. A 2-year associate degree adds on some general education classes, such as math, history, and English. But why would you need these skills for cybersecurity? One of my former students, who now works for a pen testing company for Fortune 10 companies, says that his job is about 50% cybersecurity and 50% writing up reports, so he highly values individuals who can produce legible findings for their valuable clients. A cybersecurity certification won’t refine your writing skills, but a 2-year degree will.

Another upside of getting a 2-year degree is the cost of tuition. Several community colleges, at least in California, offer either the first year or even both years tuition free. How can you beat that?

4-year Bachelor’s Degree

This is the final, broadest level of our pyramid. With a 4-year degree you’ll learn the theory behind cybersecurity that you don’t necessarily learn in 2-year or bootcamp programs. You’ll learn how and why cybersecurity works the way it does, beyond the surface of implementation. You will learn, for example, the history of cryptography and how it evolved to where it is now. This is important to understand if you are tasked with selecting a solution involving cryptography. Solving such a task requires a surprisingly broad background in cryptography—a background you’re most likely to develop in a 4-year degree program.

I should probably disclose that as a professor at a 4-year university, I’m a bit biased. I believe that, assuming you have the time and money, a 4-year degree is worth the cost because beyond learning cybersecurity, these programs are designed to make you a more well-rounded human being. I believe this is important for many reasons. First and foremost is the sheer number of ethical issues in cybersecurity. If you are in charge of making ethical decisions for an organization, you’ll need some background to pull from. A 4-year degree allows you to take courses in history, critical thinking, ethics, justice, and many other topics that you can add to your ethical decision-making repertoire. There are also math courses to build your computer science background and writing courses to round out those report-writing skills.

Computer Science Degree

This leaves one final discussion on what to major in at a 4-year college when pursuing cybersecurity. The obvious choice, and again I am biased, is to major in computer science. This gives you a very well-rounded background in operating systems, programming languages (both scripting and compiled), networking, machine learning, databases, web programming, and, of course, security. A computer science degree prepares you for many different areas of cybersecurity.

One drawback is that a 4-year degree is not as focused as the top of the pyramid, the certification route. So, it is possible that you will, on your own time, need to prepare for and take a certification. The upside is that you will have a very strong background and therefore would not need to study as much for the cert as if you were to do a cert without the 4-year degree.

Which college should I choose?

Maybe you should check out the National Cyber League (NCL) Power Rankings!

One thought on “What Should I Consider When Selecting a Program for Cybersecurity?”

  1. Taisa says:

    Excellent post! There’s a lot in here that I hadn’t considered! I especially like the pyramid analogy – spot on!

    In case it’s helpful for readers to also have a non-4-year perspective, below are the things I’ve heard or observed on my cybersecurity career journey.

    Full disclosure:
    I went the route of low-cost, self-study for the CompTIA Network+ and Security+ certifications first, as a way to see if I could even understand the material and to see what areas of interest there might be for me in IT, before making the decision to spend any more money. I had actually been advised by a consultant for Fortune 500 companies that those two certifications were all I would need to get hired somewhere. I decided to return to school, though, at my local community college for an associate’s degree (having never completed a degree prior to that) and completed a 2-year degree in cybersecurity. I found the school experience to be extremely valuable for networking, and I was hired right after graduation based on the strengths I’d had an opportunity to demonstrate in school.

    These are the things I learned along the way:

    • Attending school gives people a chance to see you in action. You can develop a reputation, and it can travel by word of mouth, and that can be a path to a job.

    • A 4-year degree is generally mandatory if you intend to go into management. Without a 4-year degree, you may hit a ceiling for promotion and also for raises.

    • A cybersec consultant for Fortune 50 companies advised me that certifications mean much more than a degree in cybersecurity. If you get a degree, he recommends a business degree (over a computer science or cybersecurity degree) for longer lasting value and for the kinds of skills businesses need that a cybersecurity degree won’t teach. He believes that cybersecurity degrees become outdated quickly in comparison to business degrees, which is why he values certifications more, because those must be kept up-to-date, and they also validate your skills.

    • Even though a 4-year degree is listed as a requirement on some job applications, that requirement is not usually set in stone. Many companies are more interested in your character than your technical expertise, because skills can be trained – character can’t. Note that Kait has written on the phenomenon of men applying for jobs when they meet 60% of requirements while women tend to only apply when they meet 100% of requirements:
    https://cryptokait.com/2018/01/27/why-i-wrote-my-first-workshop-proposal/ & https://cryptokait.com/2019/02/07/everything-you-need-to-know-about-ncl-at-wicys-2019/

    • Veterans may want to consider programs which offer them significant discounts and which were designed from their inception to be 100% remote, such as the program at UMGC.

    • For an infamous cybersecurity club experience, I’ve heard RIT recommended repeatedly. The RITSEC club has a Twitch which you may want to check out: https://www.twitch.tv/ritsec

    • If you’re already experienced, WGU’s move-at-your-own-pace degree is an excellent time-saving option. Though non-traditional, the degree still has a good reputation with employers.

    • A number of programs and scholarships exist to address the cybersecurity labor shortage. If you’re strapped for cash and afraid to take on debt, the best degree program may be the one that you can get a scholarship for. Check with your local workforce solutions office to see if there are government-funded incentives to go into cybersecurity, as well as with your local college advisors to see what scholarships you might qualify for.

    Dr. Zeichick is absolutely right – the best path to a career in cybersecurity is highly individualized. The “best path” is going to be the path that’s best for you and your circumstances. Don’t be afraid to get started just because your road won’t be the same as someone else’s. What’s important is that you start, and that you work hard on your own path.


