Cyber Security Earnings and Career Trends

Will retraining as a pentester earn you a pay rise? With three years on the job as a security engineer, is your present boss short-changing you?

If you want to benchmark your current salary, or you just want some evidence of what infosec pros earn in real life, we’ve found a really nice survey you should check out. 

Kudos to Andrew Luke, who has compiled the Infosec Income Questionnaire.

This is the author’s second edition of the survey. The idea is to provide a snapshot of infosec pay. This should be useful for both job hunters and hiring managers as evidence of fair market value. It’s also good general information for anyone considering moving into information security from other specialisms. 

As well as salary details and job role, the anonymous survey invites participants to share some useful ancillary information, such as years of experience, level of education and mode of working (onsite/remote). It therefore gives us some good current intel on infosec working trends in general. 

Here’s a closer look at a few of those trends…

Infosec professional earnings

Looking at the earnings declared in USD, the results show:

  • The average salary is $158,213
  • The lowest salary is $9,500
  • The highest salary is $800,000

The lowest salary comes from Argentina.

The highest earner declared themselves as having a title of “Red Team, Bug Bounty Hunting, Security Engineer” and works in Richmond, VA, USA.

The most frequent job title was penetration tester.

Organizations like to keep security in-house

When a company needs to bring on board infosec capabilities, it has two options: either hire salaried employees, or else rely on drafted-in contract workers or outsourced security providers (i.e. consultants). 

More than three quarters of survey respondents seem to be employees rather than consultants. From an employer’s perspective, this makes sense. Unlike other tech tasks (e.g. systems architecture or software implementation), security is an ongoing requirement rather than a one-off project. It makes sense to invest in your own in-house team. 

If you want to train for a tech career and also want the stability of a salaried position, cybersecurity is an area definitely worth focusing on. That said, if you prefer to operate as a lone wolf, there are opportunities out there, too. For instance, we’ve seen that a lot of the survey respondents who are consultants give their job role as ‘penetration tester’. If you like the idea of going into lots of different organizations with a fresh pair of eyes and checking for weaknesses, this might be the role for you.

Time for a gender rebalance

So far, more than 90% of survey respondents are male. The gender gap is even wider than we saw recently in the ISC Cybersecurity Workforce Study, 2020. This suggested that women make up only around 25% of the global cybersecurity workforce.

It all goes to show that there’s a massive underutilized pool of talent available. The big question is how do we redress the balance? 

A lot of it is linked to both perception and training. At StationX, we’re doing our bit in giving people a solid grounding and making the profession as accessible as possible, regardless of background. Cybersecurity most definitely shouldn’t be a ‘boys club’!

Career transitioning is very common

What did respondents do before they moved into cybersecurity? The results point to a popular path. Many people seem to have spent a few years doing something else IT- or development-related before making the switch to infosec.

So let’s say you are currently in a systems admin role and are feeling a bit stuck in a rut. Chances are, you’re already well grounded in IT fundamentals. When you think about it, you’re probably also pretty well versed not just in day-to-day tech operations, but also in wider business procedures and processes.

So far, so good. But how do you actually make the switch to cybersecurity? 

It’s all about filling in those knowledge gaps. The beauty of on-demand online learning is that you can do it in your own time, and without piling up the student debt. There’s no excuse not to fill those gaps. And as this survey shows, plenty of others have found their own way to make the leap. 

Flexible working: here to stay?

Some tasks (red teaming attack simulations, for instance) can theoretically be done from anywhere. In other roles (e.g. all-purpose security engineer), you’d generally expect employers to want their people onsite all day.

But of course, the pandemic has changed a lot; and right now, just 16% of respondents operate exclusively onsite. The flexible/mixed operating model is the most popular one at present, with the majority of workers dividing their time between home and workplace. 

As workforces return to the office in greater numbers, will cybersecurity staff be expected/forced to follow suit? This will be an interesting stat to revisit in a year’s time. 

Do the salary figures in this survey tally with your own experience? Are you still expected to travel into work – or does your boss let you work remotely? Consultant or employee: which is best? Let us know your thoughts below… 

You can contribute to the live survey and view the results here.

  • Bob says:

    Great summary of data points on CyberSec. Also be interesting to see what education (formal/informal/certs) folks have pursued to get jobs.

  • Travoski Simms says:

    Thank you Nathan, this article has been very insightful.

  • Forgot My Name as Usual says:

    Another good job well done by our man Nathan.

    On one chart I read 99999999999999’s (Salary) and s/he was directly from the Milky Way, the person was a pentester, so I focused on others. 250,000 Euros salary was one of the highest in 2020.
    I too am from the Milky Way & almost over the hill as well, but I will tug on.

    Thanks Nathan……

  • Joh says:

    Worked two years as a Soft Dev. and now I’m trying to break into InfoSec!

  • Waldemar says:

    Thank you Nathan, after your two courses which I finished this year, I will start studying in September in Toronto School of Management for Diploma in Cyber Security Specialist. Thank you again

  • Dray says:

    Thank you Nathan for everything, from teaching, opening our eyes to encouraging us. I salute you. I really must up my learning game.

  • GoldBlade says:

    Great work!! Motivates me a lot.

  • Awesome information. Very helpful. Thanks says:

    Awesome information. Very helpful. Thanks

  • Legal Eagle says:

    All I can say is damn!! I have to get started. I ordered the CompTIA bundle a while back and haven’t used it much.

    I’m a lawyer in the USA. I make much less than most of these salaries and I hate my job.

  • Swamy says:

    Thank you for the valuable insights into the current job trends.

  • IT Partners says:

    Thank you for sharing such useful content on cyber security.

  • Judah says:

    Wow, the description with the statistics is really awesome. Thank you very much, Nathan Sir.

  • What is DMARC says:

    This is such an important contribution

  • Ariya Rathi says:

    Nice, the stuff with the statistics is really awesome.

    Thank you very much for sharing.

  • shrishty says:

    Great blog! It is really helpful and knowledgeable.

  • Will Pape says:

    Just finished Cybersecurity Volume 1. A great addition to the Cybersecurity: Technology & Policy Executive Course I completed over the summer via Harvard Kennedy School of Government.

  • Sarah Isla says:

    Hello, nice post! You have covered all the beneficial details. Keep sharing such helpful content with us!

  • Mohammad Jamshed says:

    nice motivated

  • Pat says:

    Hi Nathan,
    Your blog and resources are great. Keep sending them. You are doing an excellent job. If you could share something from OT cybersecurity, it would be helpful.
    Thanks
