13 Honest Information Security Analyst Salaries
If you’ve ever seen an “average salary” that felt wildly out of reach, you’re not alone. National averages can be skewed by high-paying outliers in places like San Francisco or New York, where a security analyst can clear six figures just to keep the lights on.
To give the rest of us something useful, we pulled fresh data (April 2025) for 13 mid-sized metros—no city over one million residents. The updated numbers below show what information-security analysts really earn when you’re not competing with FAANG pay scales on the coasts.
What Does an Information Security Analyst Do?
An information security analyst is the watchdog of an organization’s data, charged with spotting threats before attackers spot a way in. Day-to-day, that means monitoring logs and SIEM dashboards for anomalies, running vulnerability scans, and triaging alerts to decide whether they’re noise or the start of a breach.
Analysts also perform risk assessments, draft and enforce security policies, coordinate with network and DevOps teams to close gaps, and lead the first wave of incident response when something slips through.
In highly regulated industries—finance, health care, government—they map controls to frameworks like NIST CSF or ISO 27001 and prepare the evidence auditors expect to see. The job blends detective work, technical troubleshooting, and a healthy dose of documentation.
Core skills hiring managers look for:
Security Frameworks and Compliance: NIST, ISO 27001, PCI-DSS, CIS controls
Network and Protocol Fluency: TCP/IP, DNS, VPNs, firewalls, IDS/IPS tuning
Tools: SIEM platforms (Splunk, QRadar), vulnerability scanners (Nessus, Qualys), EDR/XDR suites, Wireshark.
Cloud and Container Security Basics: IAM best practices on AWS/Azure/GCP, image scanning, KMS/key rotation.
Scripting and Automation: Python or PowerShell for log parsing, alert enrichment, and quick-fix playbooks.
Soft Skills: Incident-response composure, clear report writing, and cross-team communication.
Mastering these fundamentals—plus staying current on threat intel—positions an analyst to climb quickly into senior, engineer, or architect roles (and the higher pay bands that come with them).
What is the Actual Salary of an Information Security Analyst?
We realize what's true salary-wise for one area of the country isn't necessarily true for other parts of the country, so here's what we did.
We scoured Dice, LinkedIn, Monster, Glassdoor, Payscale, and local job boards to compile as much data about security salaries in larger, but not large, metropolitan areas. We capped the population at 1 million.
First, though, let's look at the national average salary via ZipRecruiter.
Average salary: $96,000
Average low salary: $73,500
Average high: $114,000
Now, let's look at this breakdown by location in mid-size cities. Remember, you'll earn a lot more in tech hubs like San Francisco and NYC. But most of us don't live in those areas. Here's what you can legitimately expect to make:
City | Low | Average | High |
Portland, OR | $82,000 | $102,500 | $123,000 |
Fort Collins, CO | $76,537 | $95,672 | $114,806 |
Oklahoma City, OK | $71,394 | $89,243 | $107,091 |
Richmond, VA | $78,873 | $98,592 | $118,310 |
Cleveland, OH | $77,003 | $96,254 | $115,504 |
Las Vegas, NV | $75,948 | $94,936 | $113,923 |
Charlotte, NC | $77,668 | $97,086 | $116,503 |
Milwaukee, WI | $76,180 | $95,226 | $114,271 |
Detroit, MI | $78,721 | $98,402 | $118,082 |
Des Moines, IA | $77,605 | $97,007 | $116,408 |
Fort Worth, TX | $74,032 | $92,541 | $111,049 |
Nashville, TN | $73,328 | $91,660 | $109,992 |
Kansas City, MO | $77,503 | $96,879 | $116,254 |
It's not perfect, but here's our most honest look at IT security salaries across the United States.
Methodology: We captured publicly visible “average annual pay” for each metro (April 2025). Low and high figures are estimated at ±20% to approximate the 25th to 90th percentiles, close to what you’ll see in real offers.
How to Increase Your Salary as an Information Security Analyst
Even if you merely skim the available nationwide job sites for information security analysts (or any security-related) posts, you'll find they have a few things in common.
Get the Right Experience
Most hiring managers want at least a year or two working with firewalls, log analysis, or vulnerability scanning plus solid IT fundamentals (networking, operating systems, scripting). If you’re still in a help-desk or sysadmin role, volunteer for security-adjacent tasks: patch management, audit prep, or SIEM tuning. Those projects create résumé bullets and talking points for interviews.
Earn Role-Aligned Certs
Credentials prove you understand the theory and can apply it on the job. The most requested certs break down roughly by career stage:
CompTIA Security+: Baseline for DoD roles and many entry-level analyst jobs. This shows you grasp core threats, controls, and risk concepts.
CompTIA CySA+: Focuses on threat detection, SIEM analysis, and incident response—perfect for hands-on SOC positions.
ISC2 SSCP: A step up from Security+ with deeper coverage of access controls, cryptography, and network security.
Certified Ethical Hacker (CEH): Demonstrates you understand attacker tactics and can run basic pen-test tooling.
CISA (ISACA): Favored in finance and audit-heavy environments—this cert validates that you can assess controls and report compliance gaps.
CISSP ISC2: The gold standard for senior analyst or engineer roles; covers eight security domains from policies to software development.
CISM (ISACA): This management-oriented cert signals you can build and govern an enterprise security program.
ITIL Foundation or Project+: Not security-specific, but highly valued for senior roles where process, change management, and project coordination matter.
Stacking one or two of these certs on top of real-world security tasks gives you the credibility—and often the HR keyword match—to land interviews and negotiate higher pay.
Ready to Get Started?
Want to become an information security analyst or increase your salary? You can start today by gaining experience by taking on security tasks at your current job or following the advice in How to Become an IT Security Expert.
If you're already in the field, then work on learning project management and how to use collaborative tools to reach the next levels. What are those job titles?
Information security engineer
Security engineer
Information security officer
Security manager
Information security manager
In the highest tier of the security pecking order, you can expect to find job titles such as:
Security architect
Chief information security officer
In this final tier, you'll likely be earning the big bucks, making the big decisions, and shouldering all the responsibility if something goes wrong. But if you're just starting out, that's a way off. In the meantime, work on consolidating your experience, specializing in an area that interests you, and certifying your knowledge.
We can help. CBT Nuggets has everything you need to learn new IT skills, certify on in-demand technologies, and advance your career, with unlimited video training and practice exams, virtual labs, validated learning with in-video quizzes, personalized study plans, and access to our exclusive community of professionals.
Sign up today and start learning for free. Start your 7-day trial.
delivered to your inbox.
By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.