3.5 Million Open Positions and Salaries That Reflect the Desperation
Cybersecurity Ventures projects 3.5 million unfilled cybersecurity jobs globally in 2025. We're already feeling the squeeze in 2022. That talent gap isn't just a headline — it's the single biggest driver of what computer security jobs pay right now. Organizations are throwing money at anyone with demonstrable skills, and the numbers back it up.
If you've been searching for real salary data instead of vague promises, you're in the right place. I've spent years hiring security professionals, watching compensation packages climb, and coaching people into this field. Here's exactly what the market looks like, what drives pay differences, and how to position yourself for the higher end of every range.
What Computer Security Jobs Pay in 2022: Role by Role
The Bureau of Labor Statistics (BLS) reports a median annual wage of $102,600 for information security analysts as of May 2021. That's the middle of the pack. The top 10% earned more than $165,920. And that's before you factor in bonuses, stock options, and the remote-work premium many employers now offer.
But "information security analyst" is a catch-all title. Let's break it down by specific roles I've hired for and worked alongside.
Security Analyst (Entry to Mid-Level)
This is where most people start. You're monitoring SIEM dashboards, triaging alerts, investigating phishing incidents, and writing reports. Expect $65,000 to $95,000 depending on your metro area and whether you hold a Security+ or similar cert. In a Security Operations Center (SOC), Tier 1 analysts on the lower end can still clear $70K in cities like Dallas, Atlanta, or Denver.
Penetration Tester / Ethical Hacker
Pen testers simulate what a real threat actor would do to breach your network. It's hands-on, technical, and in extremely high demand. Salaries range from $85,000 to $140,000 for mid-career professionals. Senior pen testers and red team leads regularly push past $160,000, especially in financial services and defense contracting.
Security Engineer
These are the builders. They design and implement security architectures — firewalls, endpoint detection, multi-factor authentication systems, zero trust frameworks. The range is $100,000 to $155,000 for mid-to-senior roles. If you can architect a zero trust environment and explain it to a CISO, you're worth every dollar on the higher end.
Incident Response and Digital Forensics
When a data breach happens, these are the people who contain it, investigate it, and figure out how the attacker got in. I've seen incident response consultants bill $300-$500 per hour during active breaches. Full-time IR roles pay $95,000 to $145,000, with DFIR managers and directors exceeding $170,000.
CISO (Chief Information Security Officer)
The top of the ladder. A CISO at a mid-size company earns $175,000 to $275,000. At Fortune 500 companies, total compensation regularly exceeds $400,000 when you include equity and bonuses. After the wave of ransomware attacks in 2021 — Colonial Pipeline, JBS, Kaseya — boards started treating CISOs less like IT managers and more like C-suite executives. That shift has driven compensation upward dramatically.
The Geography Factor: Where You Work Still Matters (Mostly)
A security engineer in San Francisco might earn $165,000 while the same role in Birmingham, Alabama, pays $115,000. Cost of living explains some of that, but not all of it. Proximity to government agencies, defense contractors, and tech hubs inflates salaries in the D.C. metro area, the Bay Area, and Seattle.
That said, remote work is reshaping the landscape. I've watched multiple organizations hire fully remote security analysts at national-average rates because they can't find local talent. If you're skilled, your zip code matters less than it did in 2019.
What Actually Drives Higher Pay in Cybersecurity
It's not just about years of experience. I've seen three-year veterans out-earn ten-year veterans because they focused on the right leverage points.
Certifications That Move the Needle
Not all certs are created equal. Here's what I've seen make a tangible salary difference:
- CISSP: The gold standard for management-track roles. (ISC)² data consistently shows CISSP holders earning $25,000+ more than non-certified peers.
- OSCP: For penetration testers, this is the cert hiring managers actually trust. It's hands-on and brutal — and it commands a premium.
- CISM: Targeted at security management. Valuable if you're aiming for a director or CISO track.
- Security+ / CySA+: Great for breaking into the field. Won't make you rich, but will get you past HR filters for entry-level roles.
- Cloud certifications (AWS Security Specialty, Azure Security Engineer): Cloud security skills are scarce. Adding one of these to your resume can bump an offer by $10,000-$20,000.
Hands-On Skills Over Paper Credentials
Certifications open doors. Skills keep you in the room. Employers pay premiums for people who can demonstrate practical capability — running phishing simulations, configuring endpoint detection and response tools, analyzing malware, or building security awareness programs from scratch. If you can show you've reduced credential theft in an organization or built a security awareness training program that actually changed employee behavior, that's worth more than another line on your resume.
Specialization Beats Generalization
Generalists are useful. Specialists get paid. If you become the person who deeply understands cloud security, application security, or operational technology (OT) security, you're competing with a much smaller talent pool — and salaries reflect that scarcity.
How Do You Break Into Cybersecurity With No Experience?
This is the question I get asked more than any other. Here's the honest answer: you build skills before you apply. The talent shortage is real, but employers still won't hire someone who can't demonstrate baseline competency.
Start with foundational knowledge. A solid cybersecurity awareness training program gives you the vocabulary and conceptual framework — social engineering, phishing, ransomware, data breach prevention, security policy fundamentals. You need to speak the language before you can work in the field.
Then get practical. Set up a home lab. Practice on platforms like TryHackMe or Hack The Box. Learn how phishing attacks actually work — both the technical delivery and the psychological manipulation. Understanding how organizations run phishing awareness training, seen from the defender's perspective, is one of the fastest ways to demonstrate real-world value to an employer.
Here's a realistic entry path I've seen work repeatedly:
- Months 1-3: Complete security awareness training. Study for Security+. Learn basic networking (TCP/IP, DNS, HTTP).
- Months 4-6: Pass Security+. Build a home lab. Start doing Capture The Flag (CTF) challenges.
- Months 7-9: Apply for SOC Tier 1, help desk, or IT support roles with a security focus. Volunteer to run phishing simulations at your current employer.
- Months 10-12: Land your first security-adjacent role. Start working toward CySA+ or a cloud cert.
That timeline isn't a fantasy. I've watched people execute it successfully in under a year.
The $4.35 Million Reason These Salaries Keep Climbing
IBM's Cost of a Data Breach Report 2022 puts the global average cost of a data breach at $4.35 million — the highest in the report's history. In the United States, that average jumps to $9.44 million. Every dollar an organization spends on qualified security professionals is a fraction of what a single breach costs.
The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved the human element — including social engineering, credential theft, and misuse. That's not a firewall problem. That's a people problem. And solving people problems requires skilled professionals who understand both the technical and human sides of security.
This is exactly why computer security jobs pay as well as they do. The cost of not having these roles filled is catastrophic.
Industry Sectors That Pay the Most
Not all employers pay equally. In my experience, these sectors consistently offer the highest compensation for security roles:
- Financial Services: Banks and fintech companies face relentless attacks and heavy regulatory pressure. They pay accordingly — often 15-20% above market average.
- Healthcare: HIPAA penalties and the sensitivity of patient data drive investment in security teams. Senior roles pay exceptionally well.
- Federal Government and Defense Contractors: Clearances are a salary multiplier. A security engineer with a TS/SCI clearance can earn $30,000-$50,000 more than an equivalent commercial role pays.
- Big Tech: Google, Microsoft, Amazon, and their peers treat security as a core product function. Total compensation packages (including equity) can be staggering.
- Consulting: Security consultants and vCISOs often earn more than their in-house counterparts, though the lifestyle tradeoffs are real.
The Skills You Build Today Determine What You Earn Tomorrow
The cybersecurity job market in 2022 is unlike anything I've seen in two decades. The combination of a massive talent gap, escalating threat actor sophistication, and boards that finally take security seriously has created a compensation environment that rewards preparation and penalizes complacency.
If you're already in IT, the jump to security is shorter than you think. If you're starting from scratch, the path is clear — it just requires discipline. Either way, the payoff is significant. The median security analyst already earns more than the median software developer in many markets, and specialized roles push well into six figures.
Start building your foundation now. Invest in your security awareness knowledge, learn how attacks like phishing and social engineering actually work in practice, and get your hands dirty in a lab environment. CISA's cybersecurity training resources offer additional guidance on developing your skills.
The organizations writing those six-figure checks aren't looking for perfection. They're looking for people who understand the threat landscape, can communicate risk to business leaders, and are willing to keep learning. That's a bar you can clear — and the market will reward you for it.