Cybersecurity Career Statistics 2026: Salary, Jobs & Workforce Gap Data

The most important statistic in cybersecurity careers is the one that creates every opportunity in the field. According to the ISC2 2024 Cybersecurity Workforce Study, based on responses from 15,852 cybersecurity practitioners across North America, LATAM, APAC, and EMEA, the workforce gap is at a historic high.

• 5.5 million people are currently active in cybersecurity worldwide (ISC2, 2024)
• The global cybersecurity workforce gap stands at 4,762,963 professionals (ISC2, 2024)
• That gap grew 19.1% year-over-year from 2023 to 2024
• The workforce itself grew only 0.1% in the same period, marking the first time growth has stalled since ISC2 began tracking the metric
• Nearly 47% of global cybersecurity workforce demand is going unmet (ISC2, 2024)
• 67% of organizations report staffing shortages on their security teams (ISC2, 2024)
• 90% of organizations report having skills gaps within their security teams (ISC2, 2024)

The regional breakdown tells an even more interesting story. The Asia-Pacific region has the largest absolute gap at 3,374,580 professionals, and it grew by 26.4% in a single year. North America has a gap of 542,687, up 4%, while Europe's gap grew 12.8% to reach 392,320 unfilled positions.

To put this in plain terms: there are simply not enough people. And the organizations doing the hiring are not some niche corner of the industry. We are talking about banks, hospitals, defense contractors, cloud platforms, and every enterprise company that touches sensitive data, which at this point means every enterprise company, period.

The salary data for cybersecurity is strong across the board, but the variance between roles is significant. Entry-level positions are well-compensated compared to other software roles at the same experience level, and senior positions break into territory most developers never see. Here is a breakdown of what the data shows.

Entry-Level and Analyst Roles

• SOC Analyst (Tier 1): $65,000 to $90,000 (Training Camp, 2025)
• Information Security Analyst (BLS median): $124,910 (Bureau of Labor Statistics, May 2024)
• Cybersecurity Analyst, entry-level: $75,000 to $95,000 (Refonte Learning, 2025)
• Digital Forensics Analyst (BLS median): $67,440 (BLS, 2024)

Mid-Level Engineering and Specialist Roles

• Cybersecurity Engineer: $116,000 to $208,000 (Training Camp, 2025)
• Penetration Tester / Ethical Hacker: $90,000 to $130,000, with senior testers reaching $180,000 (Training Camp, 2025)
• Application Security Engineer: $146,000 to $177,000 (Training Camp, 2025)
• Cloud Security Engineer: $120,000 to $200,000 (Training Camp / Refonte Learning, 2025)
• Network Security Engineer: $92,000 to $172,000 (Training Camp, 2025)
• Incident Response Lead, mid-level: $125,000 to $155,000 (Refonte Learning, 2025)
• Security Consultant: $110,000 to $150,000 (Training Camp, 2025)

Senior and Executive Roles

• Information Security Manager: $150,000 to $225,000 (Training Camp, 2025)
• Security Architect: $110,594 to $136,809 median; $140,000 or more for senior (NMSU Global, 2025)
• Cybersecurity Director: $185,031 to $283,916 (NMSU Global, 2025)
• CISO (Chief Information Security Officer): $193,250 to $375,798 median range, with top earners at public companies reaching $500,000 to $700,000 or more including bonus and equity (Training Camp / NMSU Global, 2025)

Big Tech Cybersecurity Compensation

• Google security roles: $150,000 to $253,000 per year (Glassdoor / Training Camp, 2025)
• Microsoft security roles: $148,000 to $240,000 per year (Glassdoor / Training Camp, 2025)

For additional context, the ISC2 US median salary for cybersecurity professionals is $150,000, based on responses from 16,029 survey participants in their 2025 study. Glassdoor reports total compensation for cybersecurity engineers at $158,961 including bonuses, based on 3,188 submissions. The KORE1 Cybersecurity Engineer Salary Guide (March 2026) puts the ZipRecruiter average at $122,890.

The honest summary is that this is a field where even mid-level professionals are routinely earning six figures, and where specialization in high-demand areas like cloud security, AI security, or incident response moves compensation well above the median.

The BLS and private sector analysts are pointing in the same direction: cybersecurity job growth is not slowing down. Here is what the most credible sources are reporting.

• There are currently 457,398 cybersecurity job openings in the US alone, according to CyberSeek data as of 2025
• The BLS reports 182,800 people employed in information security analyst roles (SOC 15-1212) as of May 2024
• BLS projects information security analyst jobs to grow 33% from 2023 to 2033, which is classified as much faster than average
• Cybersecurity Ventures forecasts 3.5 million unfilled cybersecurity positions globally in 2025, a figure they have been tracking since 2013 when the number was 1 million
• Among CyberSN-tracked roles, Response category positions grew 100.89% in a single year (Destcert, 2025)
• Only 8% of Fortune 100 cybersecurity roles offer remote work, a factor contributing significantly to the staffing gap (LinkedIn data, 2025)
• Just 74% of posted cybersecurity roles are currently being filled, leaving more than a quarter of positions vacant (LinkedIn / Destcert, 2025)

The BLS classification of 33% projected growth is worth emphasizing. For context, the average job in the US is projected to grow around 3-4% over the same period. Cybersecurity is growing at roughly 8 to 10 times the national average rate.

The most in-demand specializations, according to the ISC2 2024 study, are AI security (34% of organizations report this skills gap), cloud computing security (30%), zero trust implementation (27%), and digital forensics and incident response (25%). If you are building skills in any of those four areas right now, you are positioning yourself at the intersection of maximum demand and minimum competition.

To understand why cybersecurity budgets keep growing and why hiring demand shows no signs of slowing, you have to look at the cost side of the equation. Cyberattacks are genuinely expensive, and the numbers are increasing every year.

• The global average cost of a data breach crossed $4.88 million in 2024 (IBM Cost of a Data Breach Report, 2024)
• Global cybercrime costs are projected to reach $10.5 trillion annually by 2025, a 10% year-over-year increase (CompTIA, via Fortinet)
• The US Deputy National Security Advisor for cyber and emerging technologies estimates the annual average cost of cybercrime will cross $23 trillion by 2027
• 85% of organizations planned to increase their cybersecurity budgets in 2024, with 19% expecting growth of 15% or more (PwC 2024 Global Digital Trust Insights)
• 72% of respondents to the World Economic Forum Global Cybersecurity Outlook survey reported an increase in cyber risks in 2024, particularly social engineering and ransomware enabled by generative AI
• The global cybersecurity market was valued at $233.4 billion in 2024 and is projected to reach $723.8 billion by 2033 at a CAGR of 13.4% (Astute Analytica, January 2026)
• A separate estimate from Fortune Business Insights puts the 2025 global cybersecurity market at $218.98 billion, growing to $699.39 billion by 2034 at a CAGR of 13.8%
• Cybersecurity Ventures predicts global cybersecurity spending will hit $454 billion annually in 2025 and $1 trillion annually by 2031
• IDC projects global security spending to grow 12.2% in 2025 and cross $377 billion by 2028
• Gartner forecasts a 15% rise in global cybersecurity spending in 2025, led by security services, software, and network security
• The US cloud security market alone was valued at $10.0 billion in 2024, projected to reach $31.2 billion by 2033 (Astute Analytica)
• North America accounts for 43% of global cybersecurity market share (Fortune Business Insights, 2025)

The math here is straightforward. When a single breach costs a company nearly five million dollars on average, spending several hundred thousand dollars per year on a skilled security team is not a cost. It is a hedge. Organizations are not hiring security engineers out of goodwill or regulatory box-checking. They are doing it because the alternative is ruinous.

Certifications play a larger role in cybersecurity compensation than in almost any other area of software development. The data on this is consistent across multiple survey sources.

Certification Salary Data

• CISSP (Certified Information Systems Security Professional): North American average of $147,757 (ISC2 salary tool); Skillsoft puts average certified salary at $110,907
• CISM (Certified Information Security Manager): Approximately $150,000 plus bonuses (Infosec Institute); Skillsoft reports $111,346; Certstud reports $134,025
• CISA (Certified Information Systems Auditor): $99,705 (Skillsoft); $129,525 in some markets (Certstud)
• CCSP (Certified Cloud Security Professional): Average $128,000 for cloud architects (Deepstrike, 2025)
• PenTest+: Roles averaging $116,000 to $126,663 (CompTIA data)
• CEH (Certified Ethical Hacker): Associated roles averaging $126,000 (various sources); Skillsoft $72,590 base
• Security+: Entry roles starting $80,000 to $100,000, growing into $100,000 as experience accumulates (CompTIA); Skillsoft $82,890
• AWS Certified Security Specialty: Associated salaries averaging approximately $159,000 to $203,000 (various sources)

General Certification Impact on Salary

• Certified IT professionals earn an average of $11,000 more per year than their non-certified peers (Certstud, 2026)
• 92% of IT professionals hold at least one certification (Certstud, 2026)
• Professionals who earned a new certification in the past year saw salary increases of 10 to 20% (Certstud, 2026)
• Certified senior engineers earn up to $20,000 more than uncertified peers at the same level (Certstud, 2026)
• Certification holders are promoted 30% faster than non-certified peers (Certstud, 2026)

Job Market Demand for Certifications

• There are just over 90,000 active CISSPs in the US, but more than 106,000 job openings require the CISSP certification (CyberSeek, via Cybersecurity Ventures)
• Only around 17,000 people hold the CISM certification, but nearly 40,000 advertised jobs request it (CyberSeek, via Cybersecurity Ventures)

The CISSP and CISM supply/demand gaps are not accidents. They are a direct result of the certification requirements being rigorous. CISSP requires five years of work experience. CISM requires four. Both have challenging exams. But the result is that if you hold either credential, you are competing in a pool where demand is 1.5 to 2.5 times larger than supply.

One of the most useful pieces of data for anyone considering a career transition into security is the demographic shift happening right now in the field. This is not an industry that belongs exclusively to 22-year-olds coming out of computer science programs.

• The share of new entrants to cybersecurity aged 39 to 49 rose from 18% in 2022 to 35% in 2024 (ISC2, 2024). That is a near-doubling in two years.
• The ISC2 study explicitly notes that previous professional experience is a valuable asset when transitioning into cybersecurity, not a liability
• In 2024, 38% of cybersecurity teams faced hiring freezes, and 25% experienced layoffs, with the most affected industries being hosted/cloud services (48% layoff rate) and telecommunications (44%) (ISC2, 2024)
• The least affected industries by layoffs were legal (19%), nonprofit (24%), and military (26%)
• The military, nonprofit, and government sectors were also the least impacted by hiring freezes (ISC2, 2024)

The career transition numbers are genuinely encouraging. The skills that transfer most directly from software development into cybersecurity are application security knowledge, scripting and automation skills, understanding of networking protocols, and familiarity with cloud infrastructure. A developer who has spent five years building web applications has a foundation that a pure security trainee simply does not have.

The path most commonly recommended for developers transitioning into security starts with the CompTIA Security+ for foundational knowledge, then moves into more specialized certifications based on whether your target is offensive security (penetration testing, bug bounty), defensive security (incident response, threat detection), or engineering roles (application security, cloud security). The BLS data showing entry-level salaries around $80,000 to $100,000 for Security+-certified roles means the floor on this transition is quite respectable.

Not all cybersecurity roles are growing at the same rate. If you are going to invest time building skills, it makes sense to focus on the areas where demand is accelerating fastest.

Cloud Security Engineer

Cloud security is the fastest-growing specialization in the field. Organizations are migrating infrastructure to AWS, Azure, and GCP at scale, and the security requirements that come with that migration are significant. The US cloud security market alone is projected to grow from $10 billion in 2024 to $31.2 billion by 2033. Cloud Security Engineers earn $120,000 to $200,000, with AWS Security Specialty certified professionals averaging toward the top of that range. The ISC2 study identifies cloud computing security as the second largest skills gap in security teams globally, with 30% of organizations reporting deficiencies here.

AI Security Specialist

AI security is the single largest skills gap identified by ISC2, with 34% of organizations reporting this deficiency. This is a genuinely new role that barely existed at scale three years ago. The responsibilities include securing AI/ML pipelines, evaluating model risks, detecting adversarial inputs, and defending against AI-enabled attacks. Because this role is so new, most people in it are transitioning from either security engineering or ML engineering backgrounds. Compensation data is still forming, but current market data suggests it tracks with senior security engineering ranges at $145,000 to $200,000 or more.

Application Security Engineer

AppSec engineers are in high demand as organizations take a shift-left approach to security, meaning security reviews and testing happen during development rather than after deployment. This is the role where being a developer first is the biggest advantage. AppSec engineers earn $146,000 to $190,000 depending on experience level, and the demand is fueled by the growth in software development velocity, which creates more surface area to secure.

Incident Response / Threat Intelligence

Response roles grew 100.89% according to CyberSN tracking, making them the fastest growing by raw growth rate in the recent period. Incident response leads at mid-level earn $125,000 to $155,000, with senior practitioners reaching $165,000 to $210,000. The demand here is driven by the frequency and complexity of attacks, which has increased alongside both AI-powered attack tools and expanding attack surfaces from hybrid work environments.

Penetration Tester / Ethical Hacker

Penetration testing remains one of the most in-demand and in some ways one of the most interesting roles in security. The range is $90,000 to $180,000 depending on experience and certifications, with OSCP holders and senior testers at the top end. Bug bounty programs have also created a parallel income stream for skilled pentesters that does not show up in salary data but adds significantly to total compensation for practitioners willing to put in the time.

Not all industries are investing equally in cybersecurity, and knowing where the money is flowing tells you something important about where the hiring will be.

By Industry

• The financial services sector is the largest spender on cloud security, allocating $6.8 billion in 2024 (Astute Analytica, 2026)
• The IT and Telecom sector invested $5.7 billion in cloud security in 2024 (Astute Analytica, 2026)
• Healthcare, finance, technology, and government are consistently cited as the most active sectors seeking experienced security professionals (ISC2, 2024; multiple hiring reports)
• The military and aerospace sectors see among the lowest layoff rates in cybersecurity, suggesting more stable employment (ISC2, 2024)

By Geography

• North America accounts for 43% of global cybersecurity market share and contributed approximately $94.21 billion to the global market in 2025 (Fortune Business Insights)
• The US and Western Europe together account for more than 70% of global security spending (IDC)
• Asia-Pacific captured 20.7% of the global market in 2025 at $45.28 billion and is expected to grow at the highest CAGR during the forecast period (Fortune Business Insights)
• Latin America, Central and Eastern Europe, and the Middle East and Africa are expected to see the highest percentage increases in security spending in 2025 (IDC)

For US-based professionals, the concentration of spending in North America means the domestic market is robust. The challenge is geographic, because as the LinkedIn data notes, only 8% of Fortune 100 cybersecurity roles offer remote work. That means location still matters more in this field than in general software development, where remote work has become standard. This is shifting, but slowly.

The relationship between AI and cybersecurity cuts in two directions simultaneously, and both directions are important for anyone planning a career in this field.

On the attack side, AI is enabling more sophisticated, faster, and more scalable attacks. The World Economic Forum found that 72% of organizations reported increased cyber risks specifically linked to generative AI-enhanced attack strategies in 2024. Phishing attacks are more convincing. Social engineering is harder to detect. Malware can be customized faster. This is making the work of security professionals harder, but it is also making them more necessary.

On the defense side, AI is becoming a tool that security teams are actively integrating. The ISC2 study frames AI as a catalyst for career growth, not a displacement threat. Organizations are looking for security professionals who understand how to use AI security tools, which means the certification and skills picture is evolving rapidly. The ability to work alongside AI tools is being treated as a multiplier for individual productivity, not a replacement for human judgment.

The net effect: AI is increasing the severity and complexity of the threat landscape, which is increasing demand for security professionals, while also creating a new skills gap in AI security specifically. McKinsey estimates that AI is expanding the total addressable market for cybersecurity providers to $2 trillion (McKinsey, 2024/2025 study, cited in Cybersecurity Ventures Market Report). That is a staggering figure that reflects just how much AI changes the scope of what needs to be secured.

Here is the synthesis of everything these statistics are telling us.

The gap is real and it is not closing. The 4.8 million workforce gap grew 19% in a single year while the workforce grew 0.1%. There is no scenario where this resolves itself quickly. The organizations that need security professionals cannot magically produce them. That means the demand is durable.

The pay is genuinely strong at every level. The BLS median for information security analysts is $124,910. That is not the ceiling. That is the statistical middle of the distribution. With certifications and specialization, mid-career professionals routinely hit $150,000 to $200,000. Senior roles and executive positions go well above that.

Certifications matter more here than in most of software development. The CISSP has more job postings requiring it than there are people who hold it. The CISM gap is even more pronounced. If you are going to invest in a certification, the ROI in cybersecurity is better than almost anywhere else in tech.

The career transition window is open and the data says it is getting easier, not harder. The share of people in their 40s entering cybersecurity for the first time nearly doubled from 2022 to 2024. Developer experience is a direct advantage, not something you have to overcome.

Cloud and AI security are the highest-leverage specializations to build right now. They are the two largest skills gaps in the field according to ISC2, and they are supported by the largest macro tailwinds. Cloud security is growing from a $10 billion market in 2024 to a projected $31 billion by 2033. AI is expanding the total addressable market for security to $2 trillion according to McKinsey.

The data does not guarantee you a career. But it does tell you that if you put in the work to develop real skills in cybersecurity, you are entering a market where the odds are heavily in your favor.

All statistics in this article come from primary or credible secondary sources. No numbers were extrapolated or fabricated. Where ranges exist across multiple sources, we have cited the source alongside the specific figure.

• ISC2 2024 Cybersecurity Workforce Study (15,852 respondents; isc2.org)
• Bureau of Labor Statistics (BLS) Occupational Employment Statistics, May 2024; BLS Occupational Outlook Handbook (bls.gov)
• Cybersecurity Ventures 2026 Cybersecurity Market Report (cybersecurityventures.com)
• IBM Cost of a Data Breach Report 2024 (ibm.com)
• Astute Analytica Global Cybersecurity Market Report, January 2026 (Globe Newswire)
• Fortune Business Insights Cybersecurity Market Report (fortunebusinessinsights.com)
• IDC Worldwide Security Spending Guide
• Gartner cybersecurity spending forecasts
• PwC 2024 Global Digital Trust Insights
• World Economic Forum Global Cybersecurity Outlook 2024
• McKinsey AI and Cybersecurity TAM Study, 2024/2025
• Training Camp Average Cybersecurity Salaries 2025 (trainingcamp.com)
• KORE1 Cybersecurity Engineer Salary Guide 2026 (kore1.com)
• Refonte Learning Cybersecurity Salary Guide 2025 (refontelearning.com)
• Skillsoft Top-Paying IT Certifications 2025 (skillsoft.com)
• Certstud IT Certifications Salary Data 2026 (certstud.com)
• CyberSeek cybersecurity job data (cyberseek.org)
• Destcert Cybersecurity Workforce Gap Analysis 2025 (destcert.com)
• NMSU Global Campus Cybersecurity Salary Insights 2025 (global.nmsu.edu)
• CompTIA certification and market data