I had actually graduated in computer security, but that was several years ago, and I have since made my career in software development. Currently I have a backlog of emails and LinkedIn messages from recruiters regarding various security-related positions around the UK. Most of them go unanswered, unfortunately, since I don't really have the time to answer them all fully.

As well as rebranding itself the 'National Cyber Security Academy', the university at Newport has an interesting approach to addressing what's commonly held to be an INFOSEC 'skills gap'. The 'Applied Cyber Security' degree is more vocational and supposedly provides students with at least some experience of real-world environments. The more conventional academic programme is somewhat more demanding than the one I studied several years ago. And, of course, there are still the computer engineering programmes also.

Given the choice, should one study computer security or computer engineering? As someone who opted for a security degree programme, excelled at it, attended numerous interviews over the course of 18 months and actually did security/forensic jobs on the side, I argue that computer engineering is actually the better option in terms of marketable skills and job security. Plus a computer engineering/science graduate has an equal chance of getting into the security industry several years after graduation.

A degree programme isn't going to make one a hacker - that comes with true expertise and a strong motivation to learn how computers work. A degree programme instead provides a foundation in a broad subject area, so the subject modules are actually introductions to various subject areas.
So, trying to learn security through an 'ethical hacking' course is ass-backward. What's the point of running vulnerability scans if you don't know exactly why a vulnerability is a vulnerability, why it might be critical or the context in which it might be a problem? What's the point in learning about application vulnerabilities and secure coding if you don't have a background in programming? What's the use of learning how to draft security policies without an awareness of how information resources need to be configured in the workplace? There's a whole load of things that need to be learned alongside the security course content.

Experience

First of all, when the news reports a shortage of 'qualified' candidates, what exactly is meant by 'qualified'? We only need to look at the job postings to see the vast majority of open positions are senior-level and require several years' experience in something specific. A large part of the problem is that the security field lacks an entry level and a defined career path, both of which are needed to make INFOSEC a viable career choice. And the thing is, the experienced IT professionals knew far more about security in their areas than I did on graduating.
Basically security should really be considered a specialist area within the computing field, not an isolated subject.

Computer Security or Computer Engineering Degree?

So, given all the above, is it best to study computer security or computer engineering? Both degree programmes are very different. As I've pointed out, it's computer engineering degrees plus experience that get one hired.

Both are good programmes, as they teach skills that are expected of any engineer. But they're not equal. There are differences in what's taught and how the material matches the skills graduates actually need. The main problem with computer security and INFOSEC programmes is that most graduates are going to start out doing entry-level IT work. Yes, I've known a few graduates who went straight into security, and others into something completely different, but they're the exception. The fact is that both computer science/engineering graduates and computer security graduates are most likely going to start out doing entry-level work, perhaps on the service desk, perhaps doing systems administration, or perhaps as junior software developers, and there are certain basic skills needed for those roles. Also importantly, technical interviews are very common for candidates applying for these roles.

This is the main problem with choosing computer security over computer engineering as a degree programme. I have seen it argued that degrees and certs are just a way of getting one's CV past the HR department. This is true to some extent, but not entirely. Hiring managers still read CVs, and if they want an application security professional, they'll look for someone with proven coding and testing skills. If they want someone to handle database security, a hiring manager would look for proven database server and SQL skills. I've always been aware that working in a computer security position requires hard technical skills.

A degree programme isn't going to make someone an expert or teach anything in depth - that requires experience and practical skills. A degree gives a broad foundation in a subject area, and provides context, plus there's a limited amount of things that could be covered within a three-year period. Ergo, a computer security course cannot make one an elite hacker, just like a programming course wouldn't make someone an expert programmer.
Looking back, I graduated knowing only a fraction of what experienced developers, sysadmins and service desk people collectively knew about security.