$/home/emma/random

Deciding between a computer science and a computer engineering degree

When I was a computer security undergraduate, between 2011 and 2014, the alleged shortage of 'cyber' security professionals, and how such people could apparently demand a salary of ~£60K, were hot topics. The government had paid somewhere in the region of £670 million to GCHQ to address this, and the NCSC was established. There were several regional partnerships between the government, industry and academia being formed around Britain. So, it seemed, a computer security degree was to be preferred over a conventional computer science/engineering degree, if one wanted a highly-paid and interesting career and to have expertise that would always be in demand. That wasn't why I got into INFOSEC, though, as my field of study. It was Bruce Schneier, when he was writing for The Guardian, who inspired me. Plus I'd already been something of a hacker, even though my understanding of Linux was patchy before that.

What I liked about the computing security programme was that the course content was broad and varied, yet it gave me a very in-depth understanding of operating systems and networking technologies. There was a substantial element of digital forensics also, which is a good way of learning what operating systems do under the surface. As a stand-alone academic field, it was perfect, and I couldn't imagine studying anything else. The course had one major disadvantage, though: the lack of programming-related content. It was entirely possible to graduate without having done any programming. I don't think that's the case today, though.

Here I'm going to argue that, for most people, it's better to opt for a computer science or computer engineering programme instead of computer security, for the basic reason that most security professionals don't actually begin their careers in security. You're most likely going to be competing with computer engineering graduates for your first job (or two), and they'll have a huge advantage. Certainly, there are GCHQ-accredited degree programmes that do teach to a high standard, but I'm not sure whether employers actually take that into account.

If you are still insistent on studying for a security degree, I recommend putting a lot of effort into acquiring the following skills over the three years:

And be prepared to put in about 18 hours per day studying.


How to become a security professional

Organisations tend to hire management people and professionals who are at a much later stage of their careers for security positions. That's the actual reason why salaries in the computer/INFOSEC industry appear grossly inflated. It's not the shortage of security professionals, per se, but the need for the expertise and experience of professionals already earning those salaries.

In fact, they don't need to hire security professionals, when they're already employing technical support engineers, database admins, systems architects and software engineers who know how to enhance the security of the things they're managing. When it comes to application security, for example, they're going to want my advice, over that of a recent security graduate, because I know precisely what vulnerability reports are referring to and when to act on them (or not), I know how to implement security features in line with best engineering practice, I know how to plan the changes and what to discuss with the right people, and I know its potential business impacts at different levels. Most importantly, it's part of my job description, rather than a distinct role, and that's the case for pretty much all my colleagues. Of course, security degrees and certifications are rather vestigial at this point.

So, if you want to become a security professional, the chances are you're going to need to work your way into that, and start out as a junior programmer, technical support, etc., then someday take some aspect of security on as an additional responsibility.

This is where computer science graduates have a big advantage: they're going to have more development experience with several programming languages, potentially with several projects to show off, and they'd be better equipped for the technical interviews, in which one is asked to refactor a sample of code and complete routine SQL tasks.

#infosec #security