Introduction
I just spent ~$15k and 15 months getting a cybersecurity degree from WGU. Would I hire someone with just this degree? No. Was it worth it? Barely, and here’s why.
I’ve been giving this very expensive piece of paper some serious thought and found myself questioning a few key objectives of the program; what did I actually learn from this experience, how much can one stand to learn about the cybersecurity world from this degree, how up to date is the curriculum, and most importantly, can a beginner break into the industry with just this degree? To add more to the discussion, how does WGU and similar online universities compare to traditional colleges?
As a disclaimer, this is an opinion piece about my experience in college and the cybersecurity world. I write this mostly for beginners; this is not really for people looking for career changes or government positions.
Personal Background
A little background about myself, I’ve been in the cybersecurity industry for several years, mostly as a penetration tester but I’ve also been a senior manager of a pentest team, and a security architect. Before getting my first full time job as a Pentester, I spent some time in community college. I absolutely despised the experience, found myself miserable and dropped out. I instead broke into the industry through certificates, social networking, self-study, and personal projects. Everything I’ve learned has been self-taught and I have not had any official education before attending WGU.
The big question is why did I decide to go for this degree even though I already started a stable career? The unfortunate truth is that, even in a nimble industry like this, HR departments still have degrees as hard requirements. Degrees are still a primary requirement for recruiters, although certificates and extracurriculars help set you apart. These certificates are also more of a proof of competencies than degrees will ever be in this industry.
What Did I Actually Learn?
So with that context established, let me get to the heart of it. To put it simply, I didn’t learn anything useful. Don’t get me wrong, there were some fundamental lessons sprinkled in the program but anything that was useful, I had learned long before even considering WGU or any university. It feels like everything the program had to offer is very entry-level. Shocker I know. The WGU cybersecurity program focused heavily on entry-level IT concepts and skills.
While these skills are essential for becoming an effective cybersecurity professional, there is too big of a focus on them in this program. A beginner would also waste an enormous amount of time learning irrelevant concepts like project management, business, and laws and regulations. And don’t expect to learn anything meaningful in those domains either. This shortcoming left the most bitter taste in my mouth so to speak since I had really hoped a more futuristic and practical program like WGU’s would make better use of their system. A system that already outsources most of its coursework to industry certificates.
So if the program taught me nothing valuable, what’s the alternative for someone just starting out? I truly believe that with the time it takes to complete the WGU program, a person is able to learn significantly more relevant, advanced, real-world, and practical skills. I believe anyone trying to learn the basics of cybersecurity is better off doing it with free resources online and hands-on experience. CTFs, labs, projects, and other cybersecurity resources are a much better use of time for a beginner trying to understand the industry and learn tangible skills. HackTheBox, TryHackMe, and similar platforms are a great way to learn the basics of pentesting. For me personally, my homelab/home data center was, and remains to be the biggest source of learning and hands-on experience with enterprise-level infrastructure and systems.
How Up-To-Date Is the Curriculum?
Beyond just the lack of practical skills, another major issue is how outdated the curriculum actually is. To properly gauge this, I baselined the technologies and concepts I see in my day-to-day professional career against what was shown and taught in the WGU curriculum. I found the foundational concepts to be pretty well up-to-date as expected, but unsurprisingly, the technologies shown were not.
The program generally relied on industry certs but the few classes that didn’t, really fell behind in the quality of content. For example, the Emerging Technologies in Cybersecurity class is an objective assessment that did not rely on a certificate. What were these emerging technologies? Well none other than Nmap! A ubiquitous software released in 1997 that is practically always the first thing anyone in this industry learns. The same class also sought to teach the benefits of WPA over WEP. For reference, WEP was deprecated in 2004 and the first version of WPA was released in 2003. Real emerging technologies, such as containerization, cloud security, and devops security, did not even get a mention anywhere throughout the program.
The cloud security class in the program doesn’t even cover the basics of cloud security. Instead, it’s mostly about laws and regulations and recycled concepts from other classes. I would love to see more focus on the common misconfigurations and secure design patterns of cloud resources, especially IAM. WGU did update the program to include AI related security but the little I did see from that didn’t seem promising. The AI-related coursework focused on the general mathematics and data science that power the transformer model, rather than the security implications of LLMs and their underlying systems.
Would I Hire a Graduate Without Any Other Experience?
Given everything I’ve discussed about the lack of practical skills and outdated curriculum, here’s the million-dollar question. If you’ve read the rest of this blog, it should come as no surprise that my answer would be no, not even at entry level. It’s really an unfortunate reality of not just WGU, but the education system in general. Universities love to focus on conceptual knowledge that has no real world or practical value.
I understand that fundamental concepts are essential building blocks of any skills, but they’re just that; building blocks. If universities continue to teach only essential concepts without proper technical and practical skills, they will remain worthless in the real world.
How Does WGU Compare to Traditional Colleges?
With all this criticism, you might wonder if traditional colleges are any better. I admit, I don’t have much experience in traditional colleges. As mentioned, I spent some time in community college and that, along with what little I’ve heard, is what I will base this comparison on. The biggest differences are the self-paced classes, self-teaching nature of the classes, and the ability to just fly through classes.
WGU allows you to take as little or as much time as you want for each class, and most classes simply require you to pass an exam to finish them. Semesters last six months but you can take as many or as few classes as you want in each. The classes simply give you course information, basically written guides to each class, and practice tests to get you ready for the objective assessment.
Some classes have “performance” assessments which were basically written assignments with a rubric that you have to pass to finish the class. If you fly through classes like I did, you can finish one class every one or two weeks. I personally loved this formula and found it so much more tolerable than the traditional college experience. If you’re proficient at self-teaching, and don’t mind the lack of instructions, WGU could save you some serious cash and time.
What’s the Verdict?
With my venting and gripes out of the way, where does WGU fall under? If you’re just looking to get the piece of paper that tells HR you’re not dumb, WGU and similar online universities are a great way to do that. Keep in mind that by attending a university, including traditional ones, you are not learning enough, or the correct skills to succeed in the cybersecurity field. That’s the sad truth behind universities. In my opinion, self teaching and true practical learning will remain the undisputed best methods to succeed in this industry. I believe the era of universities is finally on the way out for a lot fast-moving industries such as this one, but until that day comes, WGU is one of the better universities to throw money at.