
How to Hire Cybersecurity Engineers in 2026: The Complete Staffing Guide

Hiring cybersecurity engineers in 2026 means competing for a shrinking talent pool while threats grow more complex and budgets stay tight. The global cybersecurity workforce gap hit 4.8 million unfilled positions in 2024 according to ISC2, and the active workforce barely grew at all. Salaries are climbing 7 to 10 percent annually. CISOs at large enterprises regularly clear $400,000 in total comp. And 88% of organizations have already experienced security incidents tied directly to skills shortages. This guide covers real salary data by role, the skills worth screening for, hiring strategies for a talent-starved market, and when bringing in a cybersecurity staffing partner makes sense.

Before we get into it, a quick note. We’re a staffing firm. We fill cybersecurity roles for a living. So you should weigh that when you read the sections about working with a recruiting partner. I’m going to be upfront about when we add value and when we probably don’t. But the salary benchmarks, the skills breakdowns, the hiring mistakes? That’s just what we’ve learned doing this work every day for the last decade plus.

Something I keep noticing. The companies that call us aren’t calling because they haven’t tried. They’ve tried. They had a req open for three months. Two good candidates took other offers while the fourth interview round was being scheduled. Their CISO is burning out covering gaps. HR keeps asking what the role should pay and nobody has a confident answer because the numbers changed again since the last time they looked.

If any of that sounds like your situation, keep reading.

The Talent Market Is Worse Than Most People Realize

I’m going to throw some numbers at you. They’re from the 2025 ISC2 Cybersecurity Workforce Study, which surveyed 16,029 security professionals globally and is the most comprehensive annual look at the state of this workforce.

The active global cybersecurity workforce sits at 5.5 million people. The unfilled gap is 4.8 million. That gap grew 19% in one year. The workforce grew 0.1%.

Let that sink in. The shortage is almost as large as the entire existing workforce. And it’s getting bigger roughly 190 times faster than the workforce is growing. BLS projects 33% employment growth for information security analysts through 2033, which is six times the national average for all occupations. So no, this isn’t going to self-correct.

What shifted this year is interesting. For the first time in the ISC2 study’s history, budget constraints passed talent availability as the top driver of staffing shortages. A third of organizations told ISC2 they don’t have the budget to staff security properly. Another 29% said they can’t afford people with the skills they actually need. Budget cuts hit 36% of orgs. Layoffs hit 24%. Hiring freezes affected 49% of large organizations. All while threats are escalating and compliance requirements keep expanding.

That’s the squeeze. More risk, less money, fewer people. And the people you do have might not have the right skills.

Here’s the stat that should alarm you most. 88% of organizations experienced at least one significant cybersecurity event because of skills gaps. Not staffing gaps. Skills gaps. ISC2 was deliberate about that distinction. Nearly 70% had more than one incident. Even fully staffed teams are getting hit because they lack specific expertise, especially in AI security and cloud. Hiring more bodies doesn’t solve the problem if those bodies don’t have the skills you need.

Oh, and hiring timelines? Over a third of organizations report three to six months to fill security roles regardless of seniority level. Half say they struggle to keep people once they manage to hire them.

What You Should Actually Be Paying

Your salary data might be wrong. Seriously. If it’s from 2023 or even early 2024, it’s probably 15 to 25% below where the market is today. Cybersecurity comp moves 7 to 10 percent per year depending on the role. The IANS and Artico Search CISO benchmark found that CISO compensation grew 6.7% in 2025 alone, outpacing security budget growth of just 4%. That gap between what leaders cost and what companies budget for them keeps widening.

We compiled data from BLS, Glassdoor, the IANS benchmark, and the Programs.com 2026 salary analysis. Here’s the picture.

[Image: open-plan security office with several empty desks.] Caption: With 4.8 million unfilled cybersecurity positions globally, many teams operate understaffed, which makes deliberate hiring essential.
Role | Experience | Salary range | What we're seeing
---- | ---------- | ------------ | ------------------
SOC Analyst | 0-2 yrs | $70K - $100K | Security+ bumps the low end 10-15%
Security Engineer | 3-5 yrs | $110K - $148K | 20-30% jump from junior roles; a standard transition
Cloud Security Engineer | 3-7 yrs | $128K - $175K | Hardest to fill; 36% of orgs say cloud is their biggest gap
Security Architect | 7+ yrs | $152K - $220K | Glassdoor 90th percentile hits $259K; zero-trust skills push toward that ceiling
Pen Tester | 3-7 yrs | $110K - $160K | Reverse engineering takes it past $190K
Cybersecurity Manager | 7+ yrs | $135K - $170K | Compliance overlay adds $10-20K
CISO | 15+ yrs | $220K - $420K+ base | Total comp $250K-$700K; top 1% clears $3.2M; equity is half the package in tech


Geography still matters more than people expect. San Jose metro area leads at about $175,500 average for security roles according to BLS. Washington state sits around $150,600. D.C. and New York right behind.

Remote work is compressing some of that gap but honestly not as much as the headlines suggest. We still see employers adjusting down 10 to 20% for remote workers in lower cost areas. It varies a lot by company. Some pay headquarters rates regardless of location. Others don’t.

On industry. Finance and banking median cybersecurity salary runs about $135,000. Big tech, think Google, Microsoft, Apple, pays $150,000 to $250,000 or more depending on level and location. Government is its own animal. Lower base pay on paper, but security clearances create a separate market where cleared candidates command $20K to $40K more than non-cleared peers with similar skills. Defense contracting is especially aggressive on this.

And certifications. This one keeps surprising people. CISSP holders earn 22 to 35% more than non-certified professionals. I’ll do the math for you on a $130K base. That’s $29K to $46K more per year. We’ve watched candidates get passed over not because they couldn’t do the job, but because a competitor offered someone with CISSP and the hiring manager felt safer going with the credential. Whether that’s fair is a different conversation. It’s how the market works right now.

Skills to Screen For

[Image: hiring manager and candidate in a conference room.] Caption: Compensation growing 7-10% a year makes cybersecurity one of the fastest-appreciating tech specializations.

Both ISC2 and ISACA independently found the same thing. 90% of cybersecurity teams report skills gaps. Not headcount gaps. Skills gaps. Nine out of ten teams are missing critical expertise even when they’re fully staffed. ISC2 was very deliberate about reframing this. The problem isn’t just “we need more people.” It’s “the people we have, and the people we can find, don’t have the specific skills we need.” Especially in AI and cloud, where threats are evolving faster than most training programs can keep pace.

The stuff you can’t skip

Network security and monitoring is bedrock. SIEM tools, intrusion detection, traffic analysis. If someone can’t do this work, nothing else they bring to the table matters that much. Every other skill builds on this foundation.

Incident response is the other non-negotiable. And it’s harder to evaluate than people think because what you’re really screening for is composure under pressure. Can this person think clearly at 2 AM during an active breach, with executives calling and incomplete information everywhere? That’s the actual job when it matters most. A lot of people who interview well fall apart in those moments. We’ve seen it happen more times than I want to admit.

Then vulnerability assessment. Identifying and prioritizing security vulnerabilities is the technical piece, and most qualified candidates can do it competently. The harder part, and this might be the most undervalued skill in the whole field, is communicating findings to business leaders who don’t speak security. Can your vulnerability analyst walk into a room with a CFO and explain what they found without drowning them in jargon? Because that’s what gets remediation budgets approved. The technical finding without the communication to back it up just sits in a report nobody reads.

Where the real money is

Cloud security. This is the one. Multi-cloud environments are the norm now. Infrastructure-as-code is the norm now. And 36% of organizations tell ISC2 that cloud security is their most critical skills gap. People with AWS or Azure security certifications are pulling $128K to $175K and they have options. So many options that a LinkedIn InMail from your internal recruiter is probably getting buried in a sea of identical messages. These candidates get recruited through relationships, not job posts.

AI and ML security. OK, this one is moving fast and getting expensive. Professionals who understand both sides of the AI coin, how AI creates new attack vectors AND how AI tools can strengthen defense, are commanding 30 to 40% salary premiums over traditional security roles. That’s not a typo. If you need someone who sits at the intersection of AI/ML engineering and cybersecurity? Be prepared to pay and move quickly. That particular Venn diagram has maybe a few thousand people in the entire country.

Zero-trust architecture. Perimeter-based security had a good run but it’s done. Zero trust is an architecture, not a product: every request is authenticated and authorized on its own, based on identity, device and context, instead of being trusted because it came from inside the network. The architects who can design and implement that, and migrate a real environment to it without breaking everything, are getting $152K to $220K because when they make a mistake, the impact is measured in millions of dollars and sometimes millions of affected people. There aren’t enough of them and there won’t be enough of them anytime soon.

Compliance and governance. NIST. ISO 27001. GDPR. HIPAA. PCI DSS. SOC 2. The list keeps growing and I keep adding acronyms to our job descriptions. What companies actually need, and what they rarely say clearly in job postings, are people who translate regulatory frameworks into technical controls that actually work. Not checkbox auditors. People who can look at a compliance requirement, figure out how to implement it in your real infrastructure, and then explain the residual risk to your board without putting them to sleep. If you find that person, don’t haggle on salary.

Certs that change what people earn

Quick rundown because this comes up in literally every comp conversation we have with clients.

  • CISSP. Gold standard. 22 to 35% salary premium over non-certified peers. If a senior role doesn’t require it, you’ll probably pay less for the person you hire, but you’ll also miss the strong candidates who only apply to roles that ask for it.
  • CISM. Management and governance. Consistently one of the highest-paying security certs. If you’re hiring a security manager or director, this is the one you want to see.
  • CEH. The first cert most employers look for in pen testing hires, and solid foundational credibility for offensive security. It is primarily a knowledge exam, though, so pair it with a hands-on assessment or a look at real engagement write-ups before you treat it as proof someone can break into your systems.
  • AWS and Azure security specialties. Becoming table stakes for cloud roles. Push compensation past $160K.
  • Security clearances. Technically not a cert. But clearances create an entirely separate hiring market with its own salary bands. If you need cleared security professionals for government or defense-adjacent work, it’s a whole different search.

One thing I’d add. Don’t let certs become your only hiring filter. We’ve placed some excellent security engineers who earned their certifications after being hired, not before. The cert proves someone studied the material. It doesn’t always prove they can do the job under real conditions.

These Are Not the Same Job

We get calls from companies that say they need to hire “a cybersecurity person.” Every time, my first question is the same. What kind? Because cybersecurity isn’t one job. It’s a dozen different jobs under one umbrella, and hiring the wrong type is like calling a dermatologist when you need an orthopedic surgeon.

Security Analyst. Frontline SOC work. Monitoring networks, triaging alerts, investigating weird stuff. Many work shifts because attacks don’t wait for business hours. This is where a lot of security careers start, and there’s nothing wrong with that. But experienced Tier 3 analysts who actually do threat hunting are genuinely hard to find and worth more than most companies want to pay them.

Security Engineer. Builds and maintains the infrastructure itself. Firewalls, authentication, encryption, endpoint protection. If the analyst watches the cameras, the engineer installed them and wired the whole building.

Security Architect. Top of the technical pay scale and it’s justified. These are the people designing systems that prevent catastrophic breaches. A bad architectural decision can expose millions of people and cost tens of millions of dollars. You want this hire to be the best person you can afford. This is not where you cut corners.

Penetration Tester. Ethical hackers trying to break your systems before someone else does. Requires deep technical skill and genuine creativity. The best pen testers think like actual attackers, which honestly makes them a little unusual in traditional interview settings. That weirdness is the point. If they think like everyone else, they won’t find what everyone else misses.

Incident Responder. When things go sideways, these people contain the damage and lead recovery. Calm under pressure is not just a nice-to-have for this role. It IS the role. Fast decisions, incomplete data, high stakes, everyone around them stressed. Not everyone has the temperament for this. I’d estimate maybe 20% of the security professionals I’ve worked with would thrive in a pure incident response position.

CISO. Leads the whole program. Teams, policies, compliance, board reporting, vendor oversight, incident management. The skill that makes or breaks a CISO isn’t technical depth. It’s the ability to frame cyber risk in financial and legal terms that a board of directors can act on. We had a search last year where the client passed on a technically stronger candidate and hired someone with half the certifications but twice the communication ability. Best hire they made all year, by their own admission six months later.

What to Do When There Aren’t Enough Candidates

You already know the default process doesn’t work. Post a job. Get flooded with unqualified applications. Cherry-pick the five that look decent. Lose three of them while scheduling the next interview round. Offer the fourth. They counter with another company’s number. You go back to square one.

When there are 4.8 million more openings than people, you have to change the approach. Here’s what we’ve seen actually move the needle.

Stop filtering so aggressively on background. This one gets me every time. Ninety percent of hiring managers only consider candidates with previous IT experience. But people coming from networking, system administration, and software development transition into security roles all the time. And women and minorities are seriously underrepresented in cybersecurity, which means there’s a huge talent pool that most companies aren’t even reaching. If your sourcing strategy only produces candidates who look like the last person in the role, you’re making the problem worse than it needs to be.

Develop the people you already have. ISC2’s whole theme this year was that the cybersecurity workforce challenge isn’t solved just by adding headcount. It’s about developing skills within existing teams. Someone who already knows your environment, your tools, your business, they can learn cloud security or incident response faster than an outside hire can learn all of that context about your company. And it helps retention because people stay where they’re growing. Two birds.

Use contract talent where it makes sense. Not every security need requires a permanent hire. Compliance audits, pen testing engagements, covering a gap during a transition, handling a specific project with a defined endpoint. Contract cybersecurity professionals give you flexibility when budgets are tight and needs are specific. An IT staffing partner can source qualified people much faster than an internal job posting.

Build pipeline through schools. Longer play. Worth it. Internship programs and university partnerships give you access to talent before the market competes for them. Cybersecurity bootcamps are producing competent entry-level candidates now too. A couple of our clients started doing this two years ago and they’ve hired four people out of their own intern programs since then. Not massive numbers, but four roles they didn’t have to search for at all.

Move your process faster. I cannot stress this enough. The industry average to fill a cybersecurity role is three to six months. That timeline guarantees you lose top candidates. The companies that actually close these hires do it in three to four weeks. And that doesn’t mean rushing or cutting corners. It means having your comp range approved before the search starts. Having your interview panel locked. Eliminating the two-week gaps between rounds where nothing happens and the candidate gets antsy. You’d be amazed how many great candidates we’ve seen walk away not because the offer was bad but because the process was so slow they assumed the company wasn’t serious.

Mistakes We Keep Seeing

Four things. All avoidable. All expensive.

[Image: security engineer reviewing cloud architecture diagrams at a workstation.] Caption: Over 90% of organizations report cybersecurity skills gaps; cloud security and infrastructure expertise remain the most sought-after competencies in 2026.

Unicorn job descriptions. We still see postings that want 10 years of experience with a technology that’s existed for five. Or CISSP plus CISM plus CEH plus cloud certs plus management experience, and the role pays $130K. Come on. The people who actually have all of that are making $200K minimum and they know it. You’re not going to trick them into accepting less. What you WILL do is scare away qualified candidates who have 80% of what you need and could do the job well but self-select out because they see a requirement list that reads like a wish list. Split must-haves from nice-to-haves. Be honest about which is which.

Soft skills as an afterthought. True story from last year. Client hired a technically brilliant security engineer. Perfect on paper. Great in the technical assessment. Could not present findings to a leadership team to save his life. He would bury executives in technical jargon, lose the room in under a minute, and then get frustrated that nobody understood the severity. He lasted eight months. Cybersecurity professionals have to explain risk in business terms. They have to work with departments that don’t always appreciate being told they can’t do something. They have to keep their composure during an active incident when everyone else in the room is panicking. You have to screen for this stuff. Ask situational questions. Do a mock presentation. Something. Technical skills get them in the door but communication keeps them in the role.

Stale compensation data. Short and sweet. This market moves 7 to 10% per year. If you’re offering based on last year’s salary survey, you’re already behind. We watch companies lose candidates they want over $10K to $15K gaps that would’ve been a rounding error compared to the cost of leaving the position open another three months.

Forgetting retention exists. Half of organizations say they struggle to keep cybersecurity talent after hiring them. ISC2 found 75% are likely to stay for one year but only 66% for two. That 9-point drop between year one and year two should be a flashing warning sign. It means people are giving it a shot but something goes wrong in the first 18 months. Usually it’s no visible career path, unchecked burnout, or comp that falls behind market. Every one of those is fixable. But you have to fix them proactively, not react after the resignation letter shows up.

When Outside Help Is Worth It (and When It Isn’t)

I’m going to be straightforward about this since we’re a firm that does this for a living.

If you need one generalist SOC analyst and your internal recruiting team has experience hiring security people, do it yourself. You probably don’t need us and the fee isn’t worth it for a straightforward search.

But. There are situations where a specialized cybersecurity staffing partner genuinely changes the outcome. Here’s when.

Somebody just left and it’s urgent. Your lead security engineer gave notice. Or you found a vulnerability that requires skills nobody on the current team has. You can’t sit with a three-to-six-month hiring process. A staffing partner can have qualified people in front of you in days. That speed has real value when you’ve got open exposure.

You need a niche skill that doesn’t appear on job boards. Cloud pen testers. AI/ML security engineers. Compliance specialists who know your specific regulatory environment inside and out. These professionals do not apply to LinkedIn postings. They get recruited through networks that specialized engineering staffing firms build over years.

Your CFO wants budget flexibility. Contract and contract-to-hire models let you add security capability without permanent headcount. Your CFO gets the flexibility they want. Your CISO gets the coverage they need. Both are right.

You need comp data and market intelligence. What’s the going rate for a senior cloud security engineer in Orange County versus Dallas? Are candidates expecting equity? What are the deal-breakers in your interview process? We have this data because we run dozens of security searches simultaneously. It makes your offers land better and your process waste less time.

Quick Section on Retention

Because honestly, keeping people might be harder than finding them.

Good news first. 68% of cybersecurity professionals report being satisfied with their current jobs, up from 2024. And the strongest satisfaction drivers are teams (78%) and direct managers (73%). Not compensation. Not company brand. The people they work with and the person they report to. Think about what that means for how you structure your security org.

Career pathing. Nearly a third of ISC2 respondents said advancement opportunities are critical to their engagement. Security has a bunch of directions people can go. Technical depth, management, architecture, consulting, risk advisory. If someone can see where they’re headed at your company, they stick around. If they can’t, they start taking recruiter calls. Not complicated and not expensive to fix. But you do have to actually build the paths, not just talk about them during onboarding and never mention them again.

Burnout. 48% feel exhausted trying to keep up with threats and new tech. 47% feel overwhelmed by workload. These are people defending your organization 24/7 against adversaries who literally never stop. You cannot just keep piling work on a short-staffed team and expect them to absorb it indefinitely. At some point they leave. And then you’re even more short-staffed. We see this cycle repeat constantly. Distribute the load. Set realistic expectations. Fund training during working hours, not as weekend homework. The companies that handle this well keep their people. The companies that don’t keep calling us to backfill the same positions at higher and higher salaries.

[Image: hiring manager at a desk with scattered resumes and a hiring-timeline whiteboard.] Caption: Common hiring mistakes stretch cybersecurity recruiting timelines to 3-6 months; a specialized staffing partner can cut time-to-fill significantly.

Frequently Asked Questions

How much does it cost to hire a cybersecurity professional in 2026?

Wide range. Entry-level SOC analyst, $70K to $100K. Mid-level security engineer, $110K to $148K. If you need cloud security or architecture expertise, $128K to $220K depending on certs and experience level. CISOs are their own planet entirely. Total comp runs $250K to $700K at most organizations and the top 1% clear $3.2 million. If your numbers are from 2023, they’re wrong.

What certifications should I look for?

CISSP is the big one for senior roles. 22 to 35% salary premium. CISM if you’re hiring for management. CEH for pen testing. AWS or Azure security specialties for cloud. But here’s my actual advice. Don’t make certs your only filter. We’ve placed really strong security engineers who didn’t have their CISSP yet when they started. The cert shows someone studied. It doesn’t guarantee they can perform under real conditions. Use certs as one signal alongside experience, situational judgment, and references.

Why does it take so long to hire security people?

Three to six months is the industry average. It takes that long because the talent pool is tiny, the skills are specialized, and frankly most companies’ hiring processes have too many steps and too much dead time between them. The organizations that hire fastest get it done in three to four weeks. Not by cutting corners. By having their act together before the search starts.

Should I use contractors or full-time hires?

Both, probably. Full-time for core operations where you need deep institutional knowledge. Contractors for project-based work like pen tests, compliance audits, or covering a gap while you search. Contract-to-hire is the middle ground a lot of our clients end up choosing because you get to evaluate somebody in your actual environment before making a commitment. Honestly it’s one of the smartest hiring models in security right now.

Why is the cybersecurity talent shortage so bad?

4.8 million more openings than qualified people globally. Demand projected by BLS to grow 33% over the decade while the workforce grew 0.1% last year. Budget constraints making it hard to pay competitive salaries. The specializations growing fastest, AI security and cloud security, are the ones with the fewest qualified professionals. And burnout is driving experienced people out of the field. It’s structural. More job boards won’t fix it.

What actually keeps cybersecurity people from leaving?

Team quality and manager quality, according to ISC2. That surprised me too when I first read it. Not comp, not title, not brand prestige. The people they work with every day and the person they report to. After that, career growth and learning investment. Keep their salary moving with the market at 7 to 10% annually. Watch for burnout symptoms. Give them a reason to see a future at your company. Do those things and you’ll outperform most organizations on retention. Which right now is a low bar, since half the industry can’t keep people.

Build Your Security Team

The talent shortage is structural. It affects your risk profile directly. Every month a critical role sits open is another month of exposure you don’t need to accept.

At KORE1, we fill cybersecurity roles for companies across the U.S. SOC analysts to CISOs. Contract, contract-to-hire, permanent. We know the market because we work in it every day.

Talk to a KORE1 recruiter about your security hiring needs.
