Define "not overly big on math". If you decide to major in CS, you will probably need to take 2-3 semesters of calculus and possibly 1-2 other math courses such as statistics, discrete math and/or linear algebra. If you struggle in math courses or haven't taken anything beyond introductory algebra, you should probably look to major in something else.
Either a CS or IT degree can help you to develop some of the skills you need, but neither will directly prepare you to be a penetration tester. CS is very heavy on theory (algorithms, computation, languages) and will also cover OS internals, organization and architecture. Most of this is not directly applicable but this knowledge will provide you with the background that you need to go wherever you want. You won't have trouble learning a new scripting language, developing shellcode or building tools.
An IT degree is more practical and may even include a course on penetration testing (mine did), but it's not as technical as a CS degree and won't give you the same ability to dive deep into technical problems. My IT degree program (at Capella) was pretty heavy on policy, procedure, standards, frameworks, etc. It introduced many technical areas (e.g. forensics, penetration testing, application security) but the coverage was only survey-level and not sufficient to make one employable in any of those areas.
If you can handle the math, I recommend getting a CS degree, possibly with a minor in Business Administration. Study security and penetration testing on your own while you complete school. If you can work part-time in any area of IT while you complete school, even at a help desk, do so. If you don't want to do the math, do the IT degree.
I decided to do the IT degree because I'm already in management and hope to move further up the ranks. I was already pretty technical and wanted to learn more about policy, procedure, etc. I also hate math classes (but love math).
BS in IT, CISSP, MS in IS Management (in progress)