Professional development

Top 10 highest-paying jobs in information security

Rodika Tollefson
August 10, 2020 by
Rodika Tollefson

It's a good time to be in the information security field. Not only are the jobs plentiful, but the shortage of talent to fill those jobs motivates employers to offer top salaries to candidates.

The pay varies widely based on variables like geographic location and sector. However, Infosecurity Magazine estimates that infosec salaries will grow 7 percent overall this year, which is more than double the increase across all sectors in the United States.

Below are some of the highest-paying jobs in information security.

Please note: Median or average salary estimates were calculated as the average of different salaries found from multiple sources.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Penetration tester ($71,660 median)

Also known as an ethical hacker, a penetration tester probes information systems and networks to find and exploit security vulnerabilities. Although some of the other security practitioners (like engineers) may also perform this as part of their job, organizations are increasingly hiring penetration testers whose job is to do nothing else but assess weaknesses and holes that the not-so-ethical hackers could exploit.

TechRepublic identified penetration testing as one of the top three most-in-demand cybersecurity jobs in 2017. Not surprising, considering that ransomware has become such a big problem across all industries.

Security consultant ($84,000 median)

Consultants are outside experts who may be hired for a broad range of needs by organizations of all sizes. Smaller organizations that don't need or don't have resources for a full-time, in-house security expert may hire an independent consultant to fill that role. Larger companies also hire consultants to provide specialized outside expertise and augment the work of their in-house security team.

Managed security services providers (MSSPs) also have experts on staff who can serve as consultants to their clients — and companies that can't fill in-house jobs because of the severe shortage of cybersecurity talent often turn to MSSPs as a solution.

Because the job may entail broad responsibilities, security consultants need to have wide knowledge of security best practices, systems, protocols and so on, as well as the ability to implement these based on each customer's unique needs.

Information security analyst ($95,510 median)

An information security analyst is responsible for planning and implementing measures that protect the security of an organization's computer systems and networks. More specifically, analysts typically analyze the vulnerabilities in a system and recommend countermeasures.

The U.S. News & World Report ranks infosec analyst as No. 2 in best technology jobs based on criteria such as salary, job growth and employment rate. It's also one of the 20 fastest-growing occupations across all industries, ranking No. 16 among all types of jobs, according to the U.S. Bureau of Labor Statistics (BLS).

As organizations adopt new solutions to stay ahead of hackers and data breaches, they're driving a high demand for information security analysts. The BLS projects that demand for this role will grow 28 percent between 2016 and 2026, much faster than the average 7-percent growth for all occupations.

Network security engineer ($114,000 average)

The network security engineer's main job is to keep unauthorized intruders out of the network infrastructure. Essentially, this is the person at the front line of defense. The job is multifaceted and can include everything from deploying hardware and maintaining the WAN/LAN architecture to strategizing how to respond to threats.

With all the threats that organizations face, from malware and phishing to ransomware and botnets, a network security engineer's job is never done. But it's not just malicious actors they worry about — they also need to protect the IT network against natural calamities and other things that may impact it.

Information security engineer ($120,570 median)

Some employers use the term engineer and analyst interchangeably, and there may be some overlap between the two. But while an analyst usually works to identify risks and gaps in information systems, the engineer's job is to design and maintain IT solutions that provide security — such as firewalls, encryption and other technology.

An information security engineer may also develop policies and plans for information security, create incident response strategies, monitor security systems and perform penetration testing. The title of engineer usually commands higher pay compared to an analyst, even when employers extend an analyst's duties into the engineering role.

Application security engineer ($120,700 average)

The application-security engineer's job is to review and test security code, perform penetration testing and identify exploits for applications including desktop, cloud and mobile.

One of the buzzwords tossed around by enterprises currently is DevOps — integrated cross-teams whose purpose is to unify software development (i.e. "dev") and software operations ("ops) rather than working in silos. It's becoming a mainstream practice for companies that build their own applications and hence need agile and rapid deployment.

With increased awareness about IT security, there's a growing trend to integrate security into DevOps, which further contributes to the demand for this job.

Information security director ($137,000 median)

Think of a security director like a deputy chief information security officer (CISO) — this person has strategic oversight of various aspects related to IT security, ranging from budgets and staffing to policies. In smaller organizations, the director may actually take on the CISO's role.

Like other senior levels, a security director will need to not only have extensive experience in the field, but also a variety of security certifications, along with soft skills like communication and people management.

Chief information security officer ($140,000+)

A CISO, or sometimes a CSO (chief security officer) may be the pinnacle of an information security career to some, although the pay doesn't always come with it. While a few elite CISO may earn close to $500,000, many make just a little over $100,000.

A member of the executive team, the CISO not only oversees the organization's information security, privacy and compliance but also often interacts with the board of directors, C-suite executives and other top stakeholders. Depending on the size of the organization, the CISO may report to a chief technology officer or directly to the CEO.

A CISO needs equal technical and business acumen, especially since the paradigm shift that information security is a business problem, not an IT problem. Expect to see demand grow for this job, as regulators in various industries turn up the heat on cybersecurity and start to require companies to designate a CISO.

Information security architect ($140,820 average)

An information security architect is a senior role in charge of designing organization-wide network and computer security architecture. An architect may also lead a team designing and building a new system.

As more of a "big-picture" job, the architect may also oversee infosec awareness programs, create and manage policies, respond to and analyze security incidents and conduct risk assessments.

Information security manager ($152,500 average)

As the name implies, this job is about managing the security program, including policies, hardware maintenance, identity-theft prevention and other aspects. An information security manager may also oversee employee schedules and security budgets, as well as create and implement information security strategies.

The security manager is more likely to interact with the C-suite and other senior roles, so it's a job where strong communication and interpersonal skills are as valuable as technical skills.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


If you're considering a career in the IT industry and think you may want to climb the ladder someday, do some research on what track you should take. Some of the lower-level jobs are better suited than others for working your way up to the leadership level.


Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at