How to Become a Information Security Analyst
Information Security Analysts earn a median salary of $129,180/year in the United States. Most positions require Bachelor's degree. Job growth is projected at 28.5% over the next decade. The highest-paying states include Washington, Maryland, California.
Where Information Security Analysts have the most money left over after rent
Median pay minus estimated federal + state + FICA taxes, minus 12 months of rent at HUD's 2-bedroom Fair Market Rent. Darker green means more money left over each year. Hover any state for the breakdown.
View map data as a table
| State | Median (nominal) | Rent/mo (2BR) | Left after rent |
|---|---|---|---|
| Washington | $155K | $1,830 | $95K |
| Texas | $130K | $1,415 | $83K |
| New Mexico | $130K | $1,119 | $81K |
| Delaware | $137K | $1,448 | $79K |
| North Carolina | $132K | $1,284 | $79K |
| Maryland | $140K | $1,795 | $78K |
| South Dakota | $117K | $1,017 | $78K |
| New Hampshire | $124K | $1,528 | $77K |
| Florida | $125K | $1,658 | $76K |
| Minnesota | $131K | $1,384 | $76K |
| Virginia | $135K | $1,646 | $76K |
| Arizona | $125K | $1,437 | $76K |
| Alabama | $123K | $1,085 | $76K |
| Georgia | $129K | $1,434 | $75K |
| Tennessee | $115K | $1,215 | $75K |
| Colorado | $135K | $1,832 | $75K |
| Illinois | $124K | $1,407 | $73K |
| Iowa | $120K | $1,064 | $73K |
| New York | $135K | $1,917 | $73K |
| Connecticut | $131K | $1,679 | $73K |
| New Jersey | $135K | $2,067 | $72K |
| Pennsylvania | $118K | $1,351 | $71K |
| North Dakota | $108K | $1,034 | $70K |
| Alaska | $115K | $1,643 | $70K |
| District of Columbia | $135K | $2,146 | $69K |
| Massachusetts | $137K | $2,347 | $69K |
| Ohio | $110K | $1,188 | $69K |
| California | $139K | $2,471 | $67K |
| Wyoming | $99K | $1,008 | $66K |
| Nevada | $106K | $1,501 | $65K |
| Arkansas | $103K | $1,021 | $65K |
| Kentucky | $104K | $1,110 | $64K |
| Missouri | $103K | $1,097 | $64K |
| Indiana | $101K | $1,144 | $63K |
| Michigan | $106K | $1,272 | $63K |
| Rhode Island | $109K | $1,544 | $63K |
| South Carolina | $106K | $1,263 | $63K |
| Vermont | $110K | $1,498 | $63K |
| Hawaii | $126K | $2,240 | $61K |
| Kansas | $101K | $1,066 | $61K |
| Wisconsin | $102K | $1,202 | $61K |
| Maine | $102K | $1,281 | $59K |
| Oklahoma | $94K | $1,081 | $58K |
| Utah | $100K | $1,350 | $58K |
| Louisiana | $93K | $1,191 | $56K |
| Nebraska | $93K | $1,113 | $56K |
| Mississippi | $88K | $1,077 | $53K |
| Montana | $82K | $1,129 | $49K |
Education and training
A bachelor's degree in cybersecurity, computer science, information technology, or a related field is the standard entry requirement. The field also welcomes career changers from IT support, system administration, and network engineering backgrounds, security is often a natural progression from infrastructure roles.
Security-specific knowledge includes network security, cryptography, operating system hardening, incident response, vulnerability assessment, penetration testing, and security governance/compliance frameworks (NIST, ISO 27001, SOC 2, HIPAA). Hands-on lab experience with security tools (SIEM systems, IDS/IPS, vulnerability scanners) is essential.
Licensing and certification
No state licensure required. Industry certifications are the currency of the field, they often matter more than degrees in hiring decisions. Key certifications by career stage:
Entry: CompTIA Security+, CySA+ (Cybersecurity Analyst) Mid-career: CEH (Certified Ethical Hacker), GCIH (GIAC Certified Incident Handler) Senior: CISSP (Certified Information Systems Security Professional), the gold standard, requiring 5 years of experience and passing a 100-150 question exam. CISSP holders earn $15,000-$25,000 more than non-certified peers.
Penetration testing/offensive security: OSCP (Offensive Security Certified Professional), a hands-on, 24-hour practical exam that's considered the most rigorous technical security certification.
What the day-to-day looks like
Security analysts monitor networks for threats, investigate security alerts, respond to incidents, conduct vulnerability assessments, review security logs, manage security tools (firewalls, SIEM, EDR), and enforce security policies. In a SOC (Security Operations Center) role, you're watching screens and investigating alerts during shift-based hours. In a security engineering role, you're building and configuring security infrastructure.
Penetration testers (offensive security) attempt to break into systems to find vulnerabilities before attackers do. This is the "hacking" side of cybersecurity and involves creative problem-solving, tool development, and detailed reporting of findings.
GRC (Governance, Risk, and Compliance) analysts focus on security policy, risk assessment, audit preparation, and regulatory compliance. This is less technical but equally in-demand, especially in finance, healthcare, and government.
Alert fatigue is the daily battle. A typical SOC receives thousands of security alerts per day, the vast majority of which are false positives or low-severity events. Triaging effectively, quickly distinguishing the 3 alerts that matter from the 3,000 that don't, is the core skill. Burnout from constant alert noise is a major driver of SOC analyst turnover. Organizations that invest in better alert tuning, automation, and analyst support retain security talent longer.
Career progression
SOC analyst → security engineer → senior security engineer → security architect → CISO. The CISO (Chief Information Security Officer) role is the summit: $200,000-$400,000+ at large companies, with board-level visibility and accountability.
The offensive security track: junior pentester → senior pentester → red team lead → offensive security director. Bug bounty hunting (finding vulnerabilities in companies' systems for cash rewards) can supplement income, top bug bounty hunters earn $100,000-$500,000/year, though this level is rare.
Salary progression
Highest paying states
| State | Median salary | Employment |
|---|---|---|
| Washington | $155K | 6,030 |
| Maryland | $140K | 8,650 |
| California | $139K | 15,570 |
| Delaware | $137K | 720 |
| Massachusetts | $137K | 6,100 |
| Colorado | $135K | 5,700 |
| District of Columbia | $135K | 1,510 |
| Virginia | $135K | 19,120 |
| New Jersey | $135K | 4,860 |
| New York | $135K | 10,060 |
Where the jobs are
The highest-paying state for information security analystss is Washington at $154,940/year, that's $25,760 above the national median. But higher pay often comes with higher costs. Before assuming the top-paying state is the best financial move, check the full affordability breakdown for Washington.
The pay gap between the highest and lowest-paying states is $72,990. That spread sounds dramatic, but cost-of-living differences offset much of it. A information security analysts making $81,950 in Montana may have more purchasing power than one making $154,940 in Washington if rent and local prices differ enough.
By employment volume, the states with the most information security analysts jobs are Virginia (19,120 workers), Texas (16,130 workers), California (15,570 workers). High employment numbers mean more job openings, more employer competition for talent, and usually more leverage when negotiating salary. States with fewer workers in the field may pay less but also have less competition for positions.
For the full state-by-state comparison with salary percentiles, cost-of-living adjustment, and rent affordability for information security analystss, see the complete salary data page.
Salary negotiation
CISSP is the single biggest salary lever in cybersecurity, certified professionals earn $15,000-$25,000/year more. Active security clearance (Secret or Top Secret) for government and defense contractor positions adds $10,000-$20,000 to market rates because clearances take 6-18 months to obtain and background investigation failures are common.
Cybersecurity professionals who can articulate business risk (not just technical risk) negotiate from a stronger position. "I reduced the organization's attack surface by 40%" is more compelling to a hiring manager than a list of tools you've used.
What the data doesn't tell you
Cybersecurity has near-zero unemployment. The global cybersecurity workforce gap is estimated at 3.5+ million unfilled positions. This demand-supply imbalance means that credentialed security professionals have exceptional job security, geographic flexibility, and negotiation power. Entry is the hard part, once you have 2-3 years of experience and a relevant certification, the career effectively becomes recession-proof.
See the full salary picture
Percentile breakdown, cost of living, rent burden, and purchasing power for information security analystss in every metro.
View Information Security Analysts salaries →Frequently asked questions
How much does a information security analysts make?▼
The median information security analysts salary in the United States is $129,180 per year ($62/hour). Entry-level positions start around $75,090, while experienced professionals earn up to $199,850.
What education do you need to become a information security analyst?▼
Most information security analysts positions require Bachelor's degree. Requirements vary by state and employer. Check with your state's licensing board for specific requirements.
What is the job outlook for information security analysts?▼
Employment of information security analysts is projected to grow 28.5% over the next decade, with approximately 5,210 annual openings. This is faster than the average for all occupations.
What are the highest paying states for information security analysts?▼
The highest paying states for information security analysts are Washington ($154,940), Maryland ($139,640), California ($138,570), Delaware ($137,030), Massachusetts ($136,550). Salaries vary significantly by location due to cost of living and local demand.