The Street
Dominic Diongson

Cybersecurity careers & salaries: From ethical hacker to architect

An organization’s best defense against online attacks and data theft is its team of cybersecurity professionals. Protecting an organization’s systems and networks from unauthorized access and malicious activity is central to cybersecurity. 

A set of protocols and services, such as managed detection and response (MDR), allows cybersecurity personnel to take action against cyberattacks.

While smaller organizations often outsource their cybersecurity needs to contractors, larger companies typically have dedicated staff with specific and specialized responsibilities in cybersecurity.

Whether you’re looking for a job with a dedicated cybersecurity firm that serves multiple client businesses or a role within a specific company’s cybersecurity department, the eight titles below represent some of the most common career paths in this growing field. 

Compensation varies quite a bit between roles, but in general, cybersecurity professionals often earn between $90,000 and $360,000 annually.


What types of careers are there in cybersecurity?

Company-specific cybersecurity positions (as opposed to those within cybersecurity firms contracted by client companies) typically fall under the organization’s information technology (I.T.) department. 

Larger organizations tend to have the budget to employ their own cybersecurity professionals, but dedicated cybersecurity companies also hire for the same types of roles.

Cybersecurity personnel work to protect an organization’s data by thwarting online attacks and preventing unauthorized access to its systems and networks. Pay can be lucrative, but those in the field must remain vigilant and keep up to date with the latest security threats.


Within the cybersecurity field, there are roles ranging from entry-level to executive-level. Security administrator is an entry-level role, while mid-level positions include incident responder, ethical hacker, forensic analyst, threat hunter, and compliance and risk analyst. Security architect is a senior-level role, and the executive position belongs to the chief information security officer.

Here’s what each of these jobs entails and how much they can pay.

Security administrator

  • Job level: Entry
  • Annual compensation range: $74,000–$134,000

A security administrator manages and monitors a company’s security systems, such as firewalls, the intrusion detection system (IDS), and the intrusion prevention system (IPS).

They are also in charge of setting and maintaining system permissions. In other words, they manage employee access to certain elements of the company’s systems and infrastructure.

Certain types of employees may not need access to a certain program, server, or system. Some might need user-level access, while others might need administrator-level access. A company’s security administrator typically manages all of these privileges, making changes as needed when employees join or leave the organization or change roles.

Incident responder

  • Job level: Mid
  • Annual compensation range: $103,000–$185,000

An incident responder specializes in monitoring and handling security breaches and incidents. For example, if a ransomware attack occurs, the incident responder will lock down any machines that have been affected and call the incident-management team together. They will then triage the incident to determine its causes and the degree to which the malicious change has affected the entire system.

The incident responder will then coordinate with the users, the forensic team, and the insurance company (which will become involved if there’s a major breach and regulators and authorities need to be notified). If personal information or customer data gets leaked, the incident responder may communicate with the actors behind the ransomware attack, those affected, or both.

Ethical hacker/penetration tester

  • Job level: Mid
  • Annual compensation range: $163,000–$303,000

An ethical hacker (also known as a penetration tester) conducts simulated attacks to search for vulnerabilities in an organization’s systems and infrastructure. They then provide recommendations and action plans that companies can use to remedy these vulnerabilities.

In addition to digital penetration strategies, these vulnerability tests may include social engineering, wherein the professional uses misleading phone calls, emails, or in-person conversations with employees in order to gain confidential information that can be used to penetrate an organization's systems.

A successful penetration test can show how secure or how vulnerable an organization’s network is to outside hacking.

Forensic analyst

  • Job level: Mid
  • Annual compensation range: $72,000–$118,000

A forensic analyst is part of the incident management team that handles any known breaches or issues. If a breach is suspected to have occurred, they usually review an organization’s logs to determine what transpired. 

A forensic analyst examines all of the information they can recover from secured devices to try to recreate the events that took place from beginning to end and to determine whether data has been exported out of the organization’s network.

Such breaches may be tied to criminal activity such as a ransom, so forensic analysts work to collect any and all relevant information to support any legal action that might be undertaken.

Threat hunter

  • Job level: Mid
  • Annual compensation range: $138,000–$254,000

A threat hunter proactively searches for any threats to an organization’s network or systems. They look for any indication of compromise, and they remain up-to-date with all the latest developments in the cybersecurity field.

If an attack occurs, they monitor it and make sure that it cannot be completed. They then attempt to determine the source of the attack and whether it is a first-time attempt or a repeated attempt from the same source.

Compliance and risk analyst

  • Job level: Mid
  • Annual compensation range: $137,000–$237,000

A compliance and risk analyst typically conducts audits and checks on the efficacy of the key controls in place to make sure that an organization’s security protocols are functioning as they should.

They run regular reports and monitor systems for alerts. If a breach occurs, they assess what the possible repercussions may be, analyze whether there is any monetary or reputational risk to the organization, and make recommendations based on their findings.

Security architect

  • Job level: Senior
  • Annual compensation range: $166,000–$269,000

A security architect designs and develops the overall security infrastructure within an organization. For example, they might create a "ring" architecture with a series of security layers designed to protect the firm’s information from a breach or hackers attempting to break in at multiple levels. 

The network architecture will typically have a firewall in place, as well as an intrusion detection system (IDS) and an intrusion prevention system (IPS), to detect malicious and unwanted traffic and prevent it from entering the network.

The security architect will build systems around the DMZ (a term borrowed from the demilitarized zone between North and South Korea), which is a buffer between the internet and an organization's private network. They will also build a firewall so that malicious sites will be blocked.

Security architects also keep track of logging to make sure that there’s no pattern of malicious actors dropping anything into the organization’s network. They also oversee a process called network access control, whereby users are prevented from adding new devices into the network so that only the system architect can control the network’s components and endpoints.

Chief information security officer

  • Job level: Executive
  • Annual compensation range: $277,000–$475,000

A chief information security officer is a senior-level executive who is in charge of everything related to technology within a company. They are in charge of the security, the networking, the application development, and all of the data the organization owns.

They typically oversee and supervise the security architect, who often manages the other cybersecurity staff.

Cybersecurity jobs and pay at a glance

 *Total Pay calculated by adding Base Pay and Additional Pay.                          

Glassdoor, July 2024 published data

| Position | Level | Base Pay (Low) | Base Pay (High) | Additional Pay (Low) | Additional Pay (High) | Total Pay (Low) | Total Pay (High) | Median Total Pay |
|---|---|---|---|---|---|---|---|---|
| Chief information security officer | Executive | $169,000 | $274,000 | $108,000 | $201,000 | $277,000 | $475,000 | $359,000 |
| Security architect | Senior | $120,000 | $183,000 | $46,000 | $86,000 | $166,000 | $269,000 | $210,000 |
| Compliance and risk analyst | Mid | $94,000 | $156,000 | $43,000 | $81,000 | $137,000 | $237,000 | $179,000 |
| Threat hunter | Mid | $105,000 | $193,000 | $33,000 | $61,000 | $138,000 | $254,000 | $183,000 |
| Forensic analyst | Mid | $61,000 | $97,000 | $11,000 | $21,000 | $72,000 | $118,000 | $92,000 |
| Ethical hacker/penetration tester | Mid | $110,000 | $205,000 | $53,000 | $98,000 | $163,000 | $303,000 | $217,000 |
| Incident responder | Mid | $75,000 | $133,000 | $28,000 | $52,000 | $103,000 | $185,000 | $136,000 |
| Security administrator | Entry | $61,000 | $110,000 | $13,000 | $24,000 | $74,000 | $134,000 | $99,000 |

The lowest estimated base pay in the cybersecurity field is $61,000 for both security administrators and digital forensic analysts, compared to the highest at $169,000 for the chief information security officer, according to career data site Glassdoor as of mid-2024.

The low-end base salaries for all of the roles listed above exceeded the national median salary for all jobs, which is $59,436 according to data from the U.S. Bureau of Labor Statistics.

Starting salaries for entry-level roles in cybersecurity tend to be comparable to other positions in tech, like software engineers ($93,000) and machine learning specialists ($92,000).

Still, base pay can vary significantly based on location. Base salaries for chief information security officers in New York City are listed as high as $375,000, while in Durham, North Carolina, base salaries for the same position can be as low as $165,000, according to jobs site Indeed.




What credentials are needed to work in cybersecurity?

An educational background in computer science, information security, and cybersecurity can pave the way for a successful career in corporate cybersecurity. Schools at the tertiary level such as New York University and the University of Texas at Austin provide coursework leading to a master’s degree in cybersecurity.

A certification such as the CISSP (Certified Information Systems Security Professional) serves as a benchmark in IT security and would be a good entryway into cybersecurity for someone with no experience or whose experience is limited. However, experience in the field and relevant skills can significantly increase the chances of being hired.

At the same time, taking on an entry-level position and performing well can lead to other opportunities, including working toward certificates and gradually working one’s way up to other higher-level cybersecurity positions.

What are the downsides to working in cybersecurity?

While pay in cybersecurity can be lucrative, there are downsides to the work. Expect long hours sitting at a desk, typing away at the computer and watching monitors. Some employees should also expect to be on call at any time of the day or night (including off-hours, weekends, and holidays) to handle potential emergencies.

Complex security issues may take a long period of time to resolve and could involve working with other groups or departments in an organization or even communicating with law enforcement.

What’s the difference between cybersecurity and information security?

Cybersecurity refers to the protection of digital data. By comparison, information security covers a broader responsibility — the protection of any and all data an organization handles, including physical records and intellectual property as well as digital systems and data. 
