🏛️Is College Worth it for Cybersecurity?

I recently graduated from Tennessee Technological University and received my Bachelor of Science in Computer Science with a concentration in cybersecurity. It's a common question: "Is college worth it for _______"— fill in the blank. I want to discuss my experiences and opinions to help give you an answer on whether college is worth it for a career in cybersecurity.

First, I think it is necessary to discuss what we will compare college against. If not college, what routes do you have to get a career in cybersecurity?

Bootcamps: 12-24 week bootcamps that are (usually) remote. Focus on getting you the skills necessary to land an entry-level job.
Self-taught: Hands-on learning through self-teaching, such as books, podcasts, YouTube videos, online platforms (TryHackMe, HackTheBox), and/or certifications.
College: Traditional 2-4 year university in Computer Science, Cybersecurity, or other related field with classes dedicated to cybersecurity skills such as cryptography, software security, etc.

I find these three to be the most common routes, but I'm sure there can be other ways such as getting your foot in-the-door with a more "entry-level" friendly position such as IT Help Desk -> Cybersecurity. But for the sake of brevity, we will compare bootcamps, self-teaching, and college.

Cost

The most important factor for most people will be cost. Ensuring a good return on investment (ROI) is critical in making any financial decision. The other categories in this blog post will help you determine the ROI on each route.

Bootcamps: Bootcamp costs can vary, so I aggregated some of the "top" bootcamps ("top" is defined by top results on Google). I used the search term "cybersecurity bootcamp" to create the following list: FullStackAcademy $12,995, SpringBoard $10,900, BrainStation $15,000, University of Tennessee Knoxville $12,000, Emory University $10,995. With this, we can calculate the average bootcamp cost to be $10,315. Bootcamps do not typically offer financial aid, but rather installment plans to help ease the financial burden. Some bootcamps may offer cybersecurity certifications such as CompTIA's Security+ as part of the tuition.
Self-taught: Self-learning cybersecurity is practically free. There are so many resources that exist today. There are tons of Reddit communities, Discord servers, online learning platforms (TryHackMe, HackTheBox, CTFTime), YouTube channels (John Hammond, NetworkChuck), podcasts, eBooks, etc. The knowledge you can gain from self-learning is basically limitless and majority of the content is free.
College: The average in-state tuition for a four-year university is $9,750/year according to EducationData.org. If you go out of state, the tuition cost increases significantly: an average of $27,457/year. Multiply this by four to get a rough estimate for total tuition costs for a four year degree in state and out of state, respectively: $39,000 and $109,828. An important consideration is that attending university makes you eligible for financial aid through the school, government programs (FAFSA, etc.), and even scholarships— all which can reduce total costs.

Skills

The next aspect is the actual skills developed. Cybersecurity can be a competitive field to get into, and so you want to ensure that the skills that you might pay for are beneficial to you. Technology is an ever-changing landscape: a technology you use today may be outdated in two years time. Ensuring an education of relevant, beneficial skills is key.

Bootcamps: Most bootcamps have similar curriculum, and focus on introductory topics to cybersecurity. For example, a common curriculum would be something like: CIA Triad, Intro Linux, OSI Model, Firewalls, Encryption, Intro to Programming (typically Python), Active Directory & Group Policy, Penetration Testing Methodology, Common Vulnerabilities (OWASP Top 10), incident response, and digital forensics. Bootcamps are typically breadth over depth.
Self-taught: A bit self-explanatory, but you choose what you want to learn. If you know without a doubt you want a career in offensive security, then you can heavily emphasize that in the content you consume, helping provide a bit more depth over breadth. I still recommend being well-balanced, because no matter what area of cybersecurity you want to do, you need to be able to at least understand the others. Maybe as a pentester you won't be creating firewalls, but knowing what and how a firewall works is still crucial.
College: College develops similar skills to that of a bootcamp, but with a bit more focus on depth. Remember, college is typically 2-4 years so your first 1-2 years will be introductory courses (similar to bootcamps), your later years will be more advanced courses. What these "advanced courses" are, depends on your schools curriculum (an example could be digital mobile forensics). Some schools offer extremely deep cybersecurity curriculum, while others (cough, cough, Tennessee Tech) have limited advanced cybersecurity courses as part of the curriculum. Another note, for what it's worth: college requires you to also develop other skills outside of computer science or cybersecurity through general education (GenEd) requirements. GenEd requirements can also help you develop critical thinking, writing, and communication skills— important for roles like security consulting, incident response, or leadership positions.

Resume Opportunities

Skills are important: they get and keep you a job. But, to get to the job, you first need to interview. And your resume is what leads to interviews. The three different routes offer different resume-building opportunities.

Bootcamps: Bootcamps offer limited resume opportunities. You will be limited to including your bootcamp as education, skills developed, and maybe projects if it was part of the curriculum. If the bootcamps offer certifications, such as Security+, then that can also be an additional resume item. Beyond these, bootcamps do not add much more value to a resume. Some bootcamp programs offer career services, like mock interviews and resume reviews, which can help iron out your resume and prepare you for interviews.
Self-taught: This route is probably the most limited in terms of resume opportunities. There is no formal education, so that section will be empty. However; skills, certifications, and personal projects can add value to help make up for the lack of formal education. You can also focus on certifications (Security+, OffSec's OSCP, TCM's PNPT, etc.) but these can be a bit hefty financially. You can also showcase your skills through blogs, open-source contributions, or online platform leaderboards.
College: In my opinion, college is the most opportunistic. You will have a formal college education on your resume (which we will discuss later as to why this is important), skills, and projects. Not only this, but most schools offer competition opportunities: Collegiate Cyber Defense Competition (CCDC), Collegiate Penetration Testing Competition (CPTC), National Cyber League (NCL), Department of Energy's CyberForce, and more. These competitions are a great resume item because they show initiative outside of formal education and can also help verify your skill (if your team is placing top 10, then it's safe to say you've proved your cybersecurity skills). Additionally, many schools offer cybersecurity clubs where you can highlight your involvement even more, and even take up leadership positions.

Networking Opportunities

Bootcamps: There is not as much data on bootcamp statistics as there are for universities, but from what I could find: the average bootcamp cohort size is 15-30 students. Beyond these 15-30 students, you may get to know the instructors, but overall, the amount of people you will interact with in a bootcamp is limited. Also, connecting with people who attended the same bootcamp as you is not as trivial as searching for someones formal education on LinkedIn.
Self-taught: You must go out of your way to network with people. This could be through different communities (Reddit, Discord) or from LinkedIn cold-connecting (is this a term?). Either way, it won't be near as natural as a bootcamp or college, but it is definitely possible to make lasting connections. Self-taught learners can also attend industry conferences like DEFCON, BSides, or local OWASP chapter meetups to network face-to-face with cybersecurity professionals.
College: College inherently can open many networking opportunities due to the size. According to CollegeBoard.org, the average student body population size at a university is 6,354. Networking sites like LinkedIn make it easy to find and connect with fellow students and even alumni— opening the number of networking possibilities even further. Additionally, many schools offer semesterly or yearly job fairs where you can network directly with recruiters and hiring managers.

Career Opportunities

Lastly, the end goal: careers in cybersecurity. I am not going to necessarily analyze each one because they should all offer the necessary skills to land an entry-level job in cybersecurity. But, sometimes, skills are not the only thing necessary for a job. According to "Skills, Certifications, or Degrees: What Companies Demand for Entry-level Cybersecurity Jobs" , 60% of entry-level jobs require a degree and 24% prefer a degree. This means that roughly 16% of entry-level jobs do not require nor prefer a degree. So, with a degree, you are eligible for (60+24) 84% of jobs. Without a degree, you are eligible for (100-60) 40% of jobs.

So, while bootcamps, self-teaching, and college can all develop fundamental cybersecurity skills, there is a significant gap in career opportunities for those without a formal college education. Should it be that way? I personally do not think so, but unfortunately, degrees have seemingly become a resume screener rather than a proof of skill. However, as bootcamps grow in popularity and recruiters & hiring managers adapt to the current cybersecurity educational opportunities, demonstrable skills through certifications, labs, competitions, and personal projects will take precedence over a formal education and hopefully begin to narrow the margins. But, as of 2024, the gap between college and non-college education still exists in the cybersecurity job market.

Personal Experience & Opinion

Ultimately, it is up to you to make a decision that best fits you. There are a ton of factors to consider: I outlined just a few. But, I now want to highlight my personal experience with college, and then my opinion if I were to do it over.

Like I said at the beginning, I attended Tennessee Technological University for my B.S. in Computer Science with a concentration in cybersecurity. I was lucky enough to be offered scholarships and actually ended up making money by going to school. I came into college with basically zero cybersecurity experience— the most I had was a couple of HackTheBox video walkthroughs that I watched, but most definitely could not replicate. My freshman year, I made it an effort to get involved with our cybersecurity club CyberEagles, and also the Capture The Flag Cyber Interest Group (CCIG). I also really focused on self-learning: I created a blog to detail my HackTheBox, TryHackMe, and CTF writeups. This is the resume I was using freshman year, and it somehow got me an internship:

It's absolutely terrible, it showcases basically zero cybersecurity knowledge, and I somehow got an internship freshman year as a cybersecurity analyst with The Chemours Company (fortune 500). I remember asking my manager what stood out about me, and they liked my passion— specifically the fact I had a blog detailing my self-learnings. From here, I focused mostly on extracurricular activities rather than actual school courses: GFACT & GPEN certifications, more HackTheBox & TryHackMe writeups, becoming the lead of CCIG, and a bunch of competitions (CCDC, CPTC, CyberForce, NCL, MITRE eCTF, etc.). I did an overhaul of my resume and was able to get an internship offer as a security engineer with Microsoft for my sophomore and junior years. Now, I am a full-time security engineer with Microsoft I credit most of my success with internships to self-teaching, but I also acknowledge the fact that these internship opportunities would not be available to me if it weren't for the fact I was enrolled in university: most internships require you to be an actively enrolled student... something bootcamps or self-teaching itself could not afford you the opportunity of.

Now, for my overall opinion. If I were to graduate high school and do it all over again (or for a different scenario: if I was wanting to change career paths, what would I do?). First, I want to operate under the assumption I will not be getting significant scholarship. I understand not everyone is afforded the opportunity to make money by attending university, so for the sake of being as general as possible, I want to make that assumption.

Note: I know my "objective" opinion may seem bias, but I truly came into this thinking I was going to be against a college education for cybersecurity. However, when writing this blogpost, I realized that all the statistics point towards it being beneficial and a good ROI.

I would choose an in-state university (or an out-of-state with low tuition) that offers a well-developed cybersecurity curriculum. I would do research on the schools and specifically, their offered courses What kind of cybersecurity courses do they offer? Is it only a few classes? Or do they have advanced technical classes s like embedded security? Additionally, I would try and see what cybersecurity clubs they have, what competitions they do, etc. I would want a school that offers good cyber courses and also has an active community for cybersecurity. I would personally avoid any degrees in "Cybersecurity" and stick solely with "Computer Science". If you get bored of cybersecurity, you can switch to any field within CS with a CS degree, but not vice versa.

Outside of this, I would invest heavily on self-learning. Sure, you'll learn skills from your courses (and especially if you choose a good curriculum), but most of the industry skills you'll want to develop will come from outside resources. I would focus heavily on certifications wherever available, especially scholarship programs that offer certifications such as RuralTechnologyFund, U.S. CyberGames, etc. I would once again create a personal website/blog for things like competitions, malware analysis, and/or security research.

The combination of an in-state, cybersecurity program mixed with a heavy emphasis on self-learnings will place you in a great position for a career in cybersecurity. In-state will help keep tuition costs down and allow you to be eligible for more scholarships. A good cybersecurity program will ensure you can be active in clubs and competitions. And a focus on self-teaching will ensure you develop skills that classes do not teach, give you opportunities to build your resume, and overall show your true passion for cybersecurity. Being enrolled in a degree program will also make you eligible for internships to help build work experience before graduation and then once you graduate, you will have a degree and have a wider job opportunity net.

Hopefully you find this blog post helpful. If you're looking to break into cybersecurity, there are a lot of paths available and I've highlighted just a few. Do your own research, figure out whats best for you and your ROI, and I'm sure you will make the best decision.

PreviousBlog NextA Review of OffSec's OSCP+

Last updated 3 days ago