Cyber Security Salary Guide: What Does Today’s Cyber Security Workforce Make?
When it comes to the cybersecurity market, much is made of the growing skills gap. Overlooked is how this can translate to enormous potential for professionals. For the second week of National Cyber Security Awareness Month (NCSAM) we break down the myriad of well-paying and rewarding jobs available, and salary data for today's cyber workforce.
By 2020, the cyber security market is expected to grow to $170 billion. Data from Burning Glass Technologies Research from 2015 found that cyber security professionals tend to make about 9 percent more compared to other IT workers, yet there remains a lack of qualified professionals in the field. According to the 2017 Global Information Security Workforce Study (GISWS), released every two years by the Center for Cyber Safety and Education Center and ISC², the workforce gap among cybersecurity professionals is expected to reach 1.8 million by 2022.
ISC² CEO David Shearer notes, in a press release on the latest GISWS findings, that 66 percent of workers surveyed say they have too few qualified workers to effectively combat current industry threats; other research has had similar findings related to the shortage of qualified cyber security professionals. In response, more than 70 percent of employers around the world plan to increase the size of their cybersecurity staff in the coming year, the survey found; one-third of employers plan to increase their cyber security departments by 15 percent.
In 2017, there are about 780,000 professionals in the U.S. employed in the cyber security field, with about 350,000 current openings and a zero percent unemployment rate – an impressive feat for any industry today, which points to the growing demand for improved enterprise security.
Image via Indeed
The ever-growing need for qualified, experienced cyber security professionals means that the field offers tremendous potential for professionals, offering job security, a good salary, and potential for advancement in the field. According to an analysis of data from the Bureau of Labor Statistics conducted by Peninsula Press, cyber security job postings are up 74 percent. We took a look at some recent data on growth in the cyber security field, the most popular cyber security roles, and salary data for today’s cyber security professionals to gain some insights into the current state of the cyber security workforce.
The Most Popular Roles in Cyber Security Today
There are plenty of options for professionals who want to pursue a career in cyber security. Of course, any security-focused job requires strong communication skills and an in-depth knowledge of the current threat landscape, tools and technologies that today’s cyber security teams utilize to identify, mitigate, and prevent threats, and an insatiable desire to stay abreast of the latest advancements in the field.
Without these characteristics, cyber security professionals risk becoming obsolete in a few short years as those with more current, advanced expertise are better equipped to meet the needs of the modern enterprise. There’s no question that the security threat landscape will continue to evolve. As a result, so will the roles enterprises require to build a strong security posture. The future looks bright with a mix of more traditional and newer roles, such as a security incident response specialists and malware analysts.
Here are a few of the requirements for some of the roles that are currently in high demand.
1. Security Architect. These are the people who must be able to put themselves in the mind of a hacker in order to prevent future attacks. They are also responsible for maintaining the security of enterprise computer systems. It is imperative for security architects to stay up to date with the latest security tools and threats.
2. Malware Analyst. All it takes is a quick scan of the daily news cycle to notice the rapid rise of ransomware attacks. This is a massive problem for businesses around the globe. The malware analyst role was designed to address the obstacles that face organizations with regard to threats such as the worldwide WannaCry ransomware attack, which resulted in around $4 billion in losses. In fact, like many cyber security roles, the need for malware analysts is higher than the available talent supply.
3. IT Security Engineer. This is also a relatively new role that is focused on quality control within IT environments, to ensure that security measures are in place to address continuing threats.
4. Security Consultant. Since there is a shortage of professionals with skills in cyber security, many companies turn to outside experts such as security consultants. The specific responsibilities carried out by a security consultant will vary, depending on the threats and current security posture of the client company; however, security consultants have no problems keeping themselves busy due to high demand.
Image via LinkedIn
5. Security Software Developer. There is a never-ending need for developers to create new applications to thwart hackers. The recent focus is on cloud storage, as more companies are leveraging cloud computing for mission-critical applications.
6. Security Incident Responder. Security incident responders must be curious about the motive behind an attack in order to create an efficient response. The demand for security incident responders has grown substantially along with the increase in cybercriminal activity.
7. Security Systems Administrator. The security systems administrator is the professional responsible for defending systems against unauthorized access and establishing security requirements for enterprise networks.
8. Data Security Strategist. As more enterprises strive towards AI and IoT initiatives, expect the demand for data security strategists to rise. This role focuses on optimizing data security functions and data storage. Moreover, the data security strategist must help to create the policies needed to protect stored data.
9. CISO. The CISO needs to champion tasks such as acquiring the necessary funding, resources, and awareness for critical security projects. Moreover, the CISO serves as a leader in driving the organization to make smarter security decisions while delivering positive results around cyber security objectives.
10. Cyber Security Specialist. The cyber security specialist maintains the security of a computer network through testing, updates, and protection.
Required Skills and Characteristics for Cyber Security Professionals
Some cyber security specialists started out practicing ethical hacking as teens. While some teens end up taking the malicious path, many recognized how easy it is to hack into vulnerable systems and then began to translate that knowledge into developing policies and software that can mitigate risks and better protect applications, networks, and endpoints. Other cyber security professionals got their start in the military, working in cryptologic communications or a similar function while pursuing studies in the field.
Success in cyber security, sadly, can often go unnoticed. Too often, cyber security gets attention only of the negative kind – when systems have been breached or widespread attacks impacting hundreds of businesses hit the airwaves. When networks are running seamlessly and hacks have been thwarted, no one notices. Thus, cyber security professionals should be comfortable with being the unsung hero. Few laypersons realize the amount of work and expertise it takes to maintain and enhance network and system security.
Other essential non-technical skills, characteristics, and practices that can help cyber security pros get noticed and advance in their careers include:
- Ask questions. No cyber security professional is all-knowing; it’s impossible with the rapid pace at which the threat landscape changes. There is always someone who has information that you don't, so embrace the sharing of information with your fellow professionals.
- Promote your work. As stated earlier, good security work can easily go unnoticed. As a result, many employees outside of the IT department don’t understand the importance of following sound security practices. Take the lead in promoting a security mindset throughout the organization and take advantage of opportunities to educate other departments.
- Communicate effectively. Cyber security is a highly technical field, but you can't speak in technical jargon when communicating threats and security needs to employees in other departments or non-technical stakeholders. It’s important to have the ability to convey key policies and processes in a way that the layperson can easily understand.
- Take risks. You must be willing to test and break stuff in a lab setting; for many security pros today, this is the fun part of the job. Hackers are always testing new routes for accessing valuable data. Through penetration and other methods, you’ll need to put your company’s systems and applications to the test to identify their breaking points.
- Continue to seek knowledge. In this industry, it is critical to keep up with the always-evolving threat landscape. Enterprises seek to hire experts who keep up with new threats on a daily basis.
Education and Background Requirements
- There are many cyber security programs available from certificates to doctoral degree options, with studies and degree programs encompassing subjects such as:
- Computer forensics
- Internet security
- Cyber security fundamentals
- Data recovery
- Information systems privacy
- Internet security
Often, cyber security technicians only need a security certificate or associates degree, coupled with relevant experience in the field. On the other hand, cyber security engineers must have a Bachelor’s degree or higher.
Certifications can include:
- Certified Reverse Engineering Analyst (CREA)
- Certified Penetration Tester (CPT)
- Certified Ethical Hacker (CEH)
- Certified Computer Forensics Examiner (CCFE)
Experience levels vary substantially, with executive-level positions and senior management roles typically requiring several years or more of on-the-job experience, while entry-level positions are available for new graduates. With the growing demand for cybersecurity professionals, it’s easy for graduates to find good-paying entry-level positions with ample opportunities for advancement.
Existing Information Technology professionals interested in pursuing careers in cyber security can obtain valuable education through a number of online courses. Coursera, for instance, offers a Cybersecurity Fundamentals specialization path which includes classes on:
- Usable security
- Hardware security
- Software security
Those who complete the courses, which cost $49, earn a certificate.
Udemy is another popular online course platform, offering courses in cyber security such as:
- Introduction to Cyber Security
- CCNA Security 2015 Free Video Boot Camp: CCP And More
- Cyber Security: Build a Secure, Resilient Company
For widely recognized training, courses from the SANS Institute or Carnegie Mellon University, Software Engineering Institute, CERT Division are solid options for those who wish to advance their training and further their knowledge.
Salary Data for the Top Cyber Security Roles
There is ample available data on cyber security salaries, with a broad range of findings; however, it’s clear that cyber security careers can be lucrative. According to CIO, cyber security professionals earn an average of $116,000 annually or $55.77 per hour, for instance, while PayScale estimates that the average salary for computer security specialists is around $74,000, with location as a major factor in pay structure. A January 2017 article by Steve Morgan at Forbes, based on data from multiple sources, points out that top cyber security salaries in major U.S. metros can reach as much as $380,000 annually.
According to Glassdoor.com, a cyber security engineer makes an average of $85,000 annually, while the Infosec Institute estimates that the average annual salary for an incident responder is $81,000, although the average varies by location, at about $83,000 in San Francisco and around $70,000 in Georgia. For a vulnerability research engineer, the average salary is around $96,000 annually. Salaries fluctuate based on location and company size, but the data is adjusted for cost of living. In San Francisco, for instance, the salary for a senior cyber security engineer can range between $122,000 and $207,000. In Atlanta, the salary ranges between $72,000 and $107,000.
According to a report from TechRepublic, the 15 cities in the United States with the highest salaries for cyber security professionals include (salary data adjusted for cost of living):
1. Minneapolis, MN: $127,757
2. Seattle, WA: $119,349
3. San Francisco, CA: $119,346
4. Dallas, TX: $117,890
5. Denver, CO: $117,308
6. Chicago, IL: $111,303
7. Austin, TX: $110,190
8. Salt Lake City: $106,207
9. New York, NY: $102,271
10. San Jose, CA: $99,075
11. San Diego, CA: $98,303
12. Washington, D.C.: $92,191
13. Boston, MA: $88,453
14. Los Angeles, CA: $86,072
15. Arlington, VA: $74,254
The DICE IT job board published a report on the top five IT security salaries, which include:
1. Lead software security engineer: $233,333
2. Chief security officer: $225,000
3. Global information security director: $200,000
4. Chief information security officer: $192,500
5. Director of security: $178,333
Of course, salaries also vary depending on experience and education, as well as the company; larger enterprises tend to pay more in order to attract top-tier talent. Here’s a sampling of data from Glassdoor reflecting salaries at various companies; note that this data is generated based on self-reporting from employees and are often based on only a few salary reports:
- U.S. Air Force: $57,000 annually
- U.S. Navy: $115,000 annually
- PwC: $53,000 to $73,000 annually
- Northrop Grumman: $131,000 to $143,000 annually
- Los Alamos National Laboratory: $86,000 to $93,000 annually
Image via Glassdoor
Indeed also publishes findings from its data on the most popular cyber security careers and associated salaries. According to Indeed’s current data (at the time of this writing), average salaries for cyber security careers vary widely, from $11.46 per hour for a Security Officer to $59.42 per hour for a Security Consultant. Other popular roles and average salaries include:
- IT Security Specialist: $52.54 per hour (based on 3,178 salary reports)
- Information Security Analyst: $40.79 per hour (based on 2,422 salary reports)
- Security Engineer: $38.93 per hour (based on 4,655 salary reports)
- Security Analyst: $40.87 per hour (based on 3,032 salary reports)
- Intelligence Analyst: $24.54 per hour (based on 306 salary reports)
- Security Specialist: $14.83 per hour (based on 6,979 salary reports)
- Network Security Engineer: $51.80 per hour (based on 2,587 salary reports)
- Information Technology Specialist: $20.87 per hour (based on 1,732 salary reports)
- Security Consultant: $59.42 per hour (based on 1,061 salary reports)
Image via Indeed
LinkedIn is also a valuable source of information on professional cyber security roles. According to LinkedIn’s data, salaries for cyber security professionals range from $65,000 to $130,000 per year, with a median salary of $92,000 annually. For comparison, we researched the same roles identified above for which Indeed provides salary data on LinkedIn, with data on the salary range and median salary for each role listed below:
- IT Security Specialist: Range - $49,100 - $141,000; Median - $97,000
- Information Security Analyst: Range - $51,000 - $110,000; Median - $76,000
- Security Engineer: Range - $65,000 - $154,000; Median - $102,000
- Security Analyst: Range - $51,000 - $110,000; Median - $76,000
- Intelligence Analyst: Range - $35,000 - $103,000; Median - $65,000
- Security Specialist: Range - $49,100 - $141,000; Median - $97,000
- Network Security Engineer: Range - $65,300 - $133,000; Median - $95,500
- Information Technology Specialist: Range - $35,000 - $105,000; Median - $58,000
- Security Consultant: Range - $50,000 - $103,000; Median - $87,500
Starting pay is also on the rise, increasing 3.8 percent in 2017 over 2016, according to InformationWeek. At PayScale, the overall salary range for a cyber security analyst is estimated at $49,652 - $117,163; when the data is filtered for entry-level professionals, the range is only slightly lower, particularly at the lower end of the range: $45,401 - $96,643.
Image via Payscale
Indeed also provides salary data for popular entry-level cyber security careers, including:
- IT Security Specialist: $113,990 per year (based on 20,317 salary reports)
- Security Analyst: $88,122 per year (based on 8,226 salary reports)
- Entry-Level Analyst: $54,045 per year (based on 1,998 salary reports)
- Network Analyst: $68,484 per year (based on 4,374 salary reports)
- Information Security Analyst: $84,269 per year (based on 9,238 salary reports)
Image via Indeed
While salaries vary throughout the industry based on a number of variables such as location, experience level, role, and company, one thing is clear: cyber security professionals are in high demand and well-compensated, and if predictions are on-target, that’s not likely to change for the foreseeable future. As the threat landscape continues to become increasingly sophisticated and complex, experienced security professionals with up-to-date knowledge of the threat landscape and sophisticated hacking techniques continue to be invaluable to the modern enterprise.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business