Information Security Salary: What the Field Actually Pays

The Bureau of Labor Statistics puts the median information security analyst salary at $120,360, but that single figure conceals a spread of more than 2:1 between roles. A tier-one SOC analyst two years in might earn $72,000; a CISSP-certified security architect at the same company might be at $165,000. The field isn't uniformly well-paid. It's top-loaded, and where you land depends heavily on which credentials you hold and which specialization you've built depth in.

This guide breaks down what information security roles actually pay, which certifications move the number most, and which courses are worth your time if salary progression is the goal.

Information Security Salary by Job Title

These U.S. base-salary ranges reflect a consistent picture across BLS, Glassdoor, and LinkedIn Salary data for 2024–2025:

  • SOC Analyst (L1/L2): $55,000–$85,000. Entry point for many. Heavy alert triage, limited decision authority. Turnover is high because the work is repetitive and the ceiling is visible early.
  • Information Security Analyst: $90,000–$135,000. The BLS median of $120,360 lives here, covering a wide range of mid-career roles with 3–7 years of experience.
  • Penetration Tester: $105,000–$150,000. Specialized skill set; OSCP and similar offensive certifications are commonly required above the entry tier.
  • Security Engineer: $125,000–$165,000. Builds and maintains security infrastructure. Usually requires a networking or software development background plus security credentials.
  • Security Architect: $145,000–$190,000. Designs security frameworks for entire systems. CISSP and several years of engineering experience are typical prerequisites.
  • Information Security Manager: $130,000–$175,000. Bridges technical and business. CISM is the credential that directly targets this range.
  • Chief Information Security Officer (CISO): $200,000–$350,000+. At enterprise scale, total compensation including equity can exceed $500,000.

The practical takeaway: the BLS median is not a ceiling. It's roughly where experienced analysts without management responsibility land. Moving past it requires either technical specialization (security engineering, architecture, penetration testing) or a move into management, where CISM and CISSP are the screening credentials.

How Certifications Affect Your Information Security Salary

Certifications don't automatically raise your salary. They do two things: they get you past resume filters for higher-paying roles, and they provide negotiating leverage when combined with existing experience. The credentials that consistently appear in higher-compensation job postings:

CISSP (Certified Information Systems Security Professional)

The CISSP requires five years of cumulative paid work experience in at least two of the eight domains of the ISC2 CBK (a four-year degree or an approved credential waives one of those years), so it's not an entry credential. Holders consistently report salaries in the $130,000–$155,000 range for non-CISO roles. The exam is heavy on governance and security management, which makes it the right credential if you're moving from technical work into architecture or program leadership, and a weaker fit if you want to stay hands-on in operations.

CISM (Certified Information Security Manager)

ISACA's CISM targets information security management specifically. It's narrower than the CISSP and more explicitly tied to the manager and director career track. ISACA salary surveys consistently put CISM-certified professionals at a $130,000–$150,000 median. The 2026 exam has revised domain weightings, so if you're preparing now, confirm your study materials match the current exam outline.

CompTIA Security+

Security+ satisfies the baseline certification requirement for many DoD and government contracting roles under DoD 8140 (the successor to DoD 8570). Average salaries for holders run around $90,000–$105,000; it's a floor, not a ceiling. Treating it as a terminal credential is a mistake most people recognize by year three of their career.

OSCP and Offensive Certifications

OffSec's OSCP is the most widely recognized benchmark credential for penetration testing. It's technically demanding but doesn't require years of prior experience to attempt, though solid networking, Linux, and scripting fundamentals are necessary to pass the hands-on exam. Pen testers with OSCP typically clear $115,000–$145,000 depending on sector and seniority.

CISA (Certified Information Systems Auditor)

Information systems auditors follow a parallel track. ISACA's CISA is the standard for audit and GRC roles. These positions often sit in finance or compliance functions and pay $95,000–$130,000 at mid-career—slightly below pure security roles, but with more structured paths in larger organizations.

Top Courses for Salary-Relevant Information Security Skills

The courses below are selected for their relevance to credentials and roles that show up in higher-paying job postings—not for completion rates or production value.

CISM-Aligned 2026 - Information Security Manager Training Course

Offered on Udemy (rated 9.4) and updated for the 2026 CISM exam domains, this is the most directly salary-targeted option on this list. CISM holders consistently report salaries above $130,000, and this course is built around exam preparation rather than general awareness. If the management track is your goal, this is the right starting point.

Certified Information Systems Security Professional (CISSP) - Seventh Edition

Offered on Coursera (rated 8.7), this course covers all eight CISSP domains, aligned to the seventh edition. It's appropriate for professionals with existing security experience who want structured exam preparation. The CISSP remains the most recognized credential in the field for mid-to-senior roles, and this course doesn't pad its coverage with introductory material.

Information Systems Auditing, Controls and Assurance Course

Coursera, rated 9.7. Targets the audit and controls track—directly useful for those pursuing CISA or GRC roles in financial services or regulated industries. Covers the technical underpinning of auditing frameworks well and pairs with the CISA study track if you're moving into compliance-heavy environments.

Information Technology Essentials Course

Udemy, rated 9.2. A foundation-level course for career changers who need to close gaps in core IT knowledge before pursuing security credentials. Security certifications assume substantial foundational knowledge; if your background is entirely outside IT, this is a necessary precondition before Security+ or anything above it.

Geographic and Industry Salary Variation

Where you work matters as much as what credential you hold.

By Location

San Francisco, Washington D.C., New York, and Seattle consistently pay 20–40% above the national median for equivalent roles. D.C. has outsized demand due to government contracting: DoD and federal civilian agencies employ tens of thousands of security practitioners, and clearance holders command an additional 10–20% premium on top of market rate. Mid-tier metros like Austin, Denver, and Raleigh have grown substantially but remain 10–20% below the top markets. Remote work has compressed this spread but hasn't eliminated it; many high-paying roles, particularly those requiring clearances or handling regulated data, still require physical presence.

By Industry

  • Financial services: Among the highest-paying sectors. Regulatory requirements drive substantial security investment, and CISM or CISSP are frequently required, not just preferred.
  • Healthcare: HIPAA compliance creates steady demand, but salaries run 10–15% below financial services at equivalent roles.
  • Technology and SaaS: Variable. Large tech companies pay at the top of market with equity. Startups often pay below median with equity upside that may or may not materialize.
  • Federal government and contracting: Base salaries are lower than private sector equivalents, but clearances increase your market value significantly if you later move to defense contracting or private sector roles.
  • Consulting: Senior consultants and partners at major firms can clear $200,000+, but the path is longer and the work more demanding than equivalent in-house roles.

FAQ

What is the starting salary for an information security job?

Entry-level roles, typically SOC analyst or junior security analyst, start at $55,000–$75,000 in most markets. With a relevant credential like CompTIA Security+ or Network+, you're more likely to land at the higher end of that range. D.C.-area roles for candidates who hold or can obtain a clearance commonly start at $75,000–$90,000 due to supply constraints.

Does a CISSP significantly increase your salary?

For roles that require it, yes. The CISSP functions as a filter credential for senior analyst, architect, and program manager roles that pay $130,000+. If you're already in a role that doesn't require it, the immediate salary lift is limited—but it opens doors to postings that previously screened you out. The five-year experience prerequisite means it's not a shortcut; you can't bypass the underlying experience requirement.

How does information security salary compare to software engineering?

At the median, they're close: the BLS median for software developers is around $130,000 nationally, modestly above the $120,360 BLS median for information security analysts. At the senior end, security architecture and software engineering are roughly equivalent. The gap opens at the very top: senior software engineers at large tech companies with equity frequently reach $300,000–$500,000 in total compensation, which most security roles don't match outside of CISO positions at large enterprises.

Is a degree required to earn a high information security salary?

Increasingly, no. For individual contributor roles, certifications plus demonstrated experience carry more weight than a degree in most organizations. Government positions and large enterprise roles often formally require a degree for initial screening, though this is slowly changing. A degree can compress the time to mid-career compensation levels at traditional organizations, but it's not a prerequisite for the credential path.

What's the realistic salary ceiling in information security?

At the CISO level, $300,000–$500,000+ in total compensation is achievable at large enterprises. Below that, security architects and senior managers with CISSP or CISM can reasonably target $160,000–$200,000 with 10–15 years of relevant experience. The ceiling is highest in financial services and technology; government and healthcare are considerably lower at equivalent seniority levels.

How long does it take to reach a $100,000 information security salary?

With a relevant credential and a few years of experience, most practitioners reach $100,000 within 4–6 years of entering the field. In high-demand markets or with a specialized focus—cloud security, OT/ICS security, or cleared positions—the timeline can compress to 2–3 years post-credential. The fastest typical path: entry-level SOC role → mid-level analyst with Security+ or CySA+ → specialized role with CISSP or CISM preparation underway.

Bottom Line

The information security salary range is wide enough that "what does this field pay" is the wrong question. The right question is which tier of the market you're targeting and which credentials unlock that tier.

If you're entering the field, Security+ and a SOC analyst role gets you in at $65,000–$75,000 in most markets. If you're mid-career and targeting the $130,000–$150,000 range, the CISM or CISSP is the most direct path—not another generalist course. The CISM-Aligned 2026 course is the right place to start if you're on the management track; the CISSP Seventh Edition course fits if you're targeting architecture or senior analyst roles.

Security rewards specialization and credentials far more than tenure alone. The practitioners clearing $160,000+ didn't get there by staying generalists—they picked a track and credentialed into it deliberately.
