I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure the grammar is accurate.
I mentioned in a previous post that we’d dig into this one, and here we are.
If you’ve spent any time researching how to break into cybersecurity, you’ve probably run into some version of this debate online.
The Gatekeeping Problem
Here’s something I want to address: the debate between degree vs. certs vs. experience sometimes gets weaponized into gatekeeping, and that bothers me.
I’ve seen people online dismiss certifications as meaningless. I’ve seen degree holders talk down to self-taught professionals. I’ve seen experience-first people dismiss the hard work and effort someone who has studied for an exam has put in. All of that is just people talking to talk, and it keeps individuals out of a field that genuinely needs more people in it.
The reality is that the person who spent the years earning a degree, the person who passed their Security+ in four months while working full-time, and the person who taught themselves by doing CTF challenges on weekends are all bringing something real to the table. The field is better when it includes all of them.
If you’re on any of these paths right now - keep going. The goal isn’t to win a debate about which path is superior. The goal is to get to a place where you can do the work and contribute.
With that being said… Let’s get into it.
The Degree Path
A four-year degree in cybersecurity, information assurance, or computer science is still the path that a lot of people default to, and it has real value.
The biggest advantage of a degree isn’t the knowledge itself, it’s the symbolism. Large organizations, government agencies, federal contractors, and positions requiring certain clearances will sometimes filter candidates by degree before they even look at anything else. If that’s the world you want to work in, a degree may not be optional.
There’s also something to be said for the structure a degree provides. You’re forced to sit with subjects you might skip if you were self-directing: things like networking fundamentals, operating systems, math, and policy. For people who thrive with structure and need accountability to push through harder material, a traditional academic path works well.
That said, not all degrees are created equal. A degree from a program that integrates real labs, certifications, and practical skills is very different from one that’s mostly theory and writing papers. WGU is one example of a program that has worked this out - their cybersecurity track bundles certifications directly into the degree plan, so you graduate with both the diploma and the credentials. That’s the kind of combination that actually makes sense. My biggest caveat with WGU is that it really has minimal structure. Everything is based on you, which can be its greatest strength but also its biggest weakness. There are hands-on labs, notes, recorded/live cohorts, and reading material, but it all depends on you to seek those out and apply them to your study. My recommendation has always been that if you need a degree to check a box, WGU is the way to go.
What a degree gets you: Credibility with large employers and government roles, structured learning, access to internship pipelines, and a baseline that satisfies HR filters.
What it doesn’t guarantee: A job. Technical ability. Practical experience. Employers at smaller companies and in the private sector often care far more about what you can do than what school you attended or what certifications you have.
The Certification Path
Certifications are the most talked-about entry point into cybersecurity right now. The CompTIA lineup - A+, Network+, Security+ - represents a clearly mapped path that someone can start on today, complete in months, and use to compete for real roles.
I’m a believer in certifications. Not because they prove everything, but because studying for them forces you to actually learn the material (yes, I even think memorization is a form of learning). When I sat down to study for my Security+ (granted it was 501 and we’re about to retire 701), I walked away understanding things about threat frameworks, networking security, and risk analysis that no amount of casual reading would have taught me. The exam forces accountability.
The certifications that carry weight in the industry right now include CompTIA’s lineup for beginners, the SSCP and CISSP by ISC2, and GIAC certifications. The further you go, the more specific your certs should get. If you plan on targeting a specific role, do your research on what their requirements are and what their infrastructure looks like. You don’t want to specialize in AWS when that organization uses Azure.
Here’s the honest part though - a certification alone does not make you hireable in a vacuum. Security+ on a resume with nothing else attached to it is a starting point, not a finish line. Employers want to see that you can apply what the cert tested you on. That’s where the next section comes in.
What certs get you: A structured way to learn, proof that you can absorb and apply a body of knowledge, and a baseline that many job postings use as a minimum requirement.
What they don’t guarantee: Experience. Context. The ability to troubleshoot a real network at 2 am when something breaks.
The Experience Path
Experience is the variable that ties everything together. It’s also the one that’s hardest to get when you’re starting out, which creates one of the most frustrating catch-22s in the field. You need experience to get the job, but you need the job to get experience.
The way most people solve this is by coming through a related IT role first. Help desk, systems administration, network support, NOC work - these aren’t glamorous, but they are the foundation. You’ll learn how infrastructure actually works, how users actually behave, and how things break in ways that theory alone won’t teach you. Then, when you transition into a security role, you’re protecting systems you already understand.
Military service is another path that deserves far more credit than it gets. The discipline, the structured exposure to operations, the real-world scenarios, and in many cases direct technical training - these all translate well into cybersecurity. People who come from a military background often have clearances, operational mindsets, and experience working under pressure that you don’t really get anywhere else. Just make sure you get into the right Military Occupational Code/Air Force Specialty Code.
Hands-on platforms like the ones we talked about in the previous post also contribute real experience, especially for offensive security and detection work. These aren’t just study tools. They’re environments where you practice actual techniques on real infrastructure.
What experience gets you: Context that makes everything else make sense, practical problem-solving ability, and the credibility that comes from having actually done the work.
What it can’t replace alone: In some environments, experience without credentials hits a ceiling. For certain roles, promotions, and clearances, employers need something documented to check the box.
What Actually Gets You Hired
The honest answer is a combination, but the combination looks different depending on what kind of role you’re going after.
For entry-level roles at smaller companies and MSPs: certs plus some hands-on practice are often enough to get an interview. Security+ and a TryHackMe profile that shows you’ve actually been doing rooms go a long way.
For mid-level roles in corporate environments, employers want to see a progression: a cert or degree that shows foundational knowledge plus a year or two of related IT or security work. The degree matters less here than your ability to talk through real scenarios.
For government, federal contracting, and clearance-required positions, the degree becomes more important. Combine it with certs and any relevant experience, and you’re in a strong position.
For advanced or specialized roles: experience and demonstrated skills become the primary filter. Nobody asking you to lead incident response cares much whether your Security+ is current. They want to know what you’ve handled.
My Personal Take
My path has touched all three, and I wouldn’t change any of it. The military gave me discipline and an operational perspective I couldn’t have gotten any other way. My certifications gave me structured knowledge and credibility on paper. My degree is giving me a credential that opens certain doors. The hands-on work I’ve done is what makes all of it stick.
If I were advising someone starting from zero today, this is what I’d tell them: figure out what sector you want to work in, then build the credentials that environment respects. If you want to work for the federal government someday, start working toward that degree while earning your certs on the side. If you want to get hired at a startup or a mid-size company in the next 12 months, certs plus hands-on practice are the faster path.
There is no universal answer. There is a starting point: just start.
The best path is the one you’re actually on.
- Jose F. Caro
