
Information Security Analyst: Complete Career Guide


Last month we placed an information security analyst at a healthcare company in Irvine. Took three weeks from intake call to signed offer. The one before that took four months. Same title. Same salary range. Completely different outcome, and the difference had nothing to do with the candidate market. The first company knew exactly what they needed: someone to own their SIEM, run vulnerability scans, and keep their HIPAA compliance documentation from falling apart. The second company posted a job description that asked for CISSP, five years of cloud security experience, Python scripting, penetration testing skills, and compliance expertise across three frameworks. At $95,000. They got zero qualified applicants and blamed the talent shortage.

We staff these roles through our cybersecurity staffing practice. Have for years. The BLS puts the median salary at $124,910 with 29% projected growth through 2034, which is roughly six times the national average. Those are real numbers. The gap between companies that hire well for this role and companies that spin for months posting and reposting the same req is enormous, and it almost always comes down to whether they understood the job before they wrote the posting.

Fair warning: this guide is long. We’re covering the actual day-to-day work, the career path from entry analyst through CISO, which certifications matter versus which ones are expensive resume padding, and salary data from three sources that disagree with each other in ways that are actually informative. We also have a bias to disclose. We make money when companies can’t find security talent on their own. Factor that in as you read.


What Does an Information Security Analyst Actually Do?

Two analysts walk into a conference. One spends her day writing Splunk queries and triaging alerts in a SOC. The other spends his day reviewing vendor security questionnaires and updating compliance documentation. Both carry the title “Information Security Analyst.” Both are doing legitimate security work. They have almost nothing in common professionally, which is the first thing that confuses people about this career.

The scope shifts based on company size, industry, and how mature the security program is. A 200-person SaaS company and a hospital system regulated by HIPAA need fundamentally different things from the same job title. But there are patterns. Here’s what shows up in most versions of the role.

The monitoring grind. Most analysts spend a significant chunk of their day inside a SIEM platform, whether that’s Splunk, Microsoft Sentinel, or something like Elastic Security. They’re watching logs, triaging alerts, and deciding which anomalies are false positives and which ones need escalation. A mid-size company might generate 10,000 security events per day. Maybe five of those require human investigation. The analyst’s job is finding those five without alert fatigue turning their brain to mush by lunch.

Alert fatigue is real and it’s measurable. The 2025 ISC2 Cybersecurity Workforce Study found that 48% of cybersecurity professionals feel exhausted trying to stay current on threats and emerging technologies. Almost half. The mental load is real and it’s the reason burnout drives more attrition in this field than compensation does.

Then there’s the patching fight. Every security team has one. You run the vulnerability scan, it spits out 200 findings, and now you have to convince the application team to restart their production database to apply a critical update that they swear will break something. They’re usually right that it’ll break something. You’re also right that not patching will eventually break everything. The analyst lives in that tension permanently, triaging which vulnerabilities actually pose risk in this specific environment versus which ones the scanner flags because the scanner flags literally everything.

Compliance work doesn’t photograph well for a career brochure but it takes up a huge portion of the week. SOC 2 audits if you’re in SaaS. HIPAA assessments in healthcare. PCI-DSS if you touch payment data. FedRAMP if you want government contracts and also want to lose six months of your life. Somebody has to sit between the auditor who speaks in framework acronyms and the engineer who speaks in pull requests. That somebody is the analyst. And the translation is genuinely hard because the compliance doc says “implement least-privilege access” and the real environment has 14 years of Active Directory role sprawl that nobody fully understands. The gap between what the framework requires and what the infrastructure actually supports is where the analyst earns their salary.

Senior analysts also serve as the security gut-check on architectural decisions. Engineering wants to adopt a new tool? The analyst reads the SOC 2 report, checks data residency, figures out SSO integration. Not designing the systems. Just making sure nobody accidentally opens a door that shouldn’t be open. That question, “can we use this tool,” shows up constantly. Three times a week, conservatively. And the answer is never clean.

And then there’s the part nobody lists on their LinkedIn profile: running phishing simulations and security awareness training. Sending fake phishing emails to your own coworkers and then tracking who clicks. Scheduling the mandatory training that everyone hates. It feels like babysitting. But social engineering is still the number one attack vector, and the analyst who drops the internal phish click rate from 25% to 8% has done more for the company than any firewall rule change ever will. Nobody will thank them for it.

Information Security Analyst Salary: What the Numbers Actually Look Like

Salary data for this role is a mess. Three major sources. Three different numbers. All technically correct. The disagreement is actually useful if you know why it exists.

Source                                | Median / Average | 25th Percentile | 75th Percentile | 90th Percentile
--------------------------------------|------------------|-----------------|-----------------|----------------
Bureau of Labor Statistics (May 2024) | $124,910 median  | $81,230         | $163,300        | $186,420
Glassdoor (Feb 2026)                  | $136,842 avg     | $107,552        | $175,786        | $218,959
ZipRecruiter (Mar 2026)               | $97,702 avg      | $76,000         | $118,500        | $136,500

Glassdoor says one thing, ZipRecruiter says something $40,000 lower. Why the gap? Glassdoor relies on people voluntarily sharing their salary, and the people who do that tend to earn more. Selection bias. ZipRecruiter scrapes job postings, which includes a lot of smaller companies in cheaper markets that drag the average down. BLS pulls from actual employer payroll records, which makes it the most defensible number if you’re building a business case for headcount. Pick whichever source supports your argument. Your CFO will pick a different one.

For more precise benchmarking tailored to your specific market and experience level, try our salary benchmark tool. We also publish a detailed cybersecurity salary guide that breaks down compensation by specialization and geography.

Salary by Experience Level

Certifications help. Degrees open some doors. But experience is what moves the needle on compensation more than anything else in this field. We watch it happen in real time: a CISSP holder with two years of SOC work applies for the same role as a Security+ holder with eight years of incident response. The eight-year person gets the call back. The two-year person doesn’t, regardless of the letters after their name.

Experience Level                | Typical Salary Range  | Common Titles
--------------------------------|-----------------------|-----------------------------------------------
Entry Level (0-2 years)         | $60,000 – $85,000     | Junior Security Analyst, SOC Analyst Tier 1
Mid-Level (3-6 years)           | $90,000 – $135,000    | Information Security Analyst, Security Engineer
Senior (7-10 years)             | $130,000 – $175,000   | Senior Security Analyst, Lead Security Engineer
Principal / Manager (10+ years) | $160,000 – $220,000+  | Security Architect, Security Manager, Director

Major metros like SF and New York bump the number 15-25% above national median. Mid-tier markets like Austin or Raleigh-Durham land closer to what BLS reports. Remote work compressed the geography premium but didn’t kill it. Some of that is practical. Classified systems and air-gapped networks need a warm body in the building, full stop. Some of it is just corporate comp policy being slow to catch up. Companies anchor pay to their headquarters zip code even when the analyst lives three states away. Nobody likes it. Nobody’s fixed it either.


The Career Path: Entry Level to CISO

The path from junior analyst to chief information security officer isn’t a straight line. More like a tree with multiple branches, and which branch you take at years three through five determines a lot about where you end up at year fifteen.

Years 0-3: Getting In

Most people enter through one of three doors. A help desk or systems administration role where they gradually picked up security responsibilities. A dedicated SOC analyst position monitoring alerts and triaging incidents. Or, increasingly, a cybersecurity bootcamp or degree program followed by an entry-level analyst role.

The bootcamp-to-analyst pipeline works. Not always smoothly. We’ve placed candidates from bootcamp backgrounds who were excellent and candidates with computer science degrees who couldn’t troubleshoot a firewall rule to save their careers. What actually matters? Can they think through risk? Can they show you what they built in their home lab? Can they walk through their last incident response without it sounding rehearsed? We’ve watched candidates with two certifications and a home lab outperform people with four-year degrees and a clean GPA who froze the first time a real alert came in. CompTIA Security+ is the standard entry-level certification and it does carry weight with hiring managers, particularly for government-adjacent roles where DoD 8570 compliance requires it.

At this stage, you’re learning. Watching alerts. Running vulnerability scans. Sitting in on incident response calls and taking notes. Building your mental model of what normal network traffic looks like so you can spot what abnormal looks like. The salary floor is real, sitting around $60,000 to $75,000 in most markets, but the trajectory is steep if you’re paying attention and documenting what you learn.

Years 3-7: Specialization Fork

Somewhere around year three, analysts hit a fork. Not everyone recognizes it when it happens, but the direction they choose here shapes the next decade.

Technical depth track. Penetration testing. Threat hunting. Detection engineering. Malware analysis. These are the roles where you go deeper into the technology, spend more time writing code and building tools, and develop expertise that’s genuinely rare. A detection engineer who can write custom Sigma rules and build correlation logic in Splunk is solving a different class of problem than a GRC analyst reviewing vendor questionnaires. The pay ceiling is higher on this track, but the roles are fewer and the competition is intense.

GRC and risk management track. Governance, risk, and compliance. Policy writing. Audit coordination. Risk framework implementation (NIST CSF, ISO 27001, CIS Controls). This path leads toward security management and eventually CISO roles, because CISOs spend far more time talking to the board about risk than they spend looking at packet captures. The work is less technically exciting. The career ceiling is arguably higher. Not what you’d expect if you think the most technical person should run the security program, but look at where Fortune 500 CISOs actually came from. Governance. Risk management. Regulatory compliance. The board doesn’t want a packet capture walkthrough. They want someone who can quantify risk in dollars and explain why the budget needs to go up.

Engineering and architecture track. Building security infrastructure. Deploying and tuning SIEM platforms. Designing zero trust architectures. Implementing identity and access management systems. These roles bridge the gap between IT engineering and security, and they pay extremely well because the person who can both design a system and secure it is saving the company from needing two separate hires.

The right choice depends on what you’re good at and what you find tolerable at 11pm on a Friday when something breaks. If you’d rather be elbow-deep in a packet capture than explaining NIST controls to an auditor, you know which track is yours.

Years 7-12: Management or Principal IC

The industry has gotten better at offering individual contributor paths that don’t dead-end at senior analyst. Principal security engineer, staff security architect, distinguished threat researcher. These exist now at larger organizations and they pay comparably to management roles, sometimes better. You don’t have to manage people to keep growing your compensation. Ask anyone doing security work in 2015 whether that option existed at their company. It’s still uneven across industries, but the IC ladder is real now in a way it wasn’t before.

Going into management messes with people in this field more than you’d expect. You spent years getting good at finding threats and now your actual job is trusting your team to find them while you sit in budget meetings explaining risk appetite to a CFO whose eyes glaze over when you say “lateral movement.” Budget planning, hiring, performance reviews, stakeholder communication. Different muscles entirely.

Years 12+: CISO and Executive Security Roles

The CISO role has evolved significantly in the last five years. It’s less “top technical person” and more “security-fluent business executive.” CISOs present to the board. They manage multi-million-dollar budgets. They make risk decisions that balance business velocity against security posture. You need the technical foundation because the engineering team will test you within your first month, and if you make a risk call that shows you don’t understand the infrastructure, you’ve lost the room. But the actual day-to-day is meetings, strategy docs, and explaining to the board why the security budget needs to go up again when nothing bad happened last year.

CISO compensation ranges from $200,000 at smaller companies to $500,000+ at large enterprises, often with equity. The path from SOC analyst to CISO typically takes 10 to 15 years. Not everyone wants to make that climb, and the industry needs far more people in the middle tiers than it needs at the top.

Certifications That Actually Matter

The cybersecurity certification landscape is cluttered. Dozens of certs, overlapping domains, aggressive marketing from training providers. Here’s what hiring managers we work with actually look for, sorted by career stage.

Certification     | Issuing Body | Best For                                | Exam Cost               | Experience Required
------------------|--------------|-----------------------------------------|-------------------------|------------------------------
CompTIA Security+ | CompTIA      | Entry-level, DoD 8570 baseline          | ~$404                   | None (2 years recommended)
CISSP             | ISC2         | Mid-to-senior generalist, management    | ~$749                   | 5 years in 2+ domains
CISM              | ISACA        | Security management, GRC                | ~$760                   | 5 years in info sec management
CEH               | EC-Council   | Penetration testing, offensive security | ~$1,199                 | 2 years or official training
CompTIA CySA+     | CompTIA      | SOC analysts, threat detection          | ~$404                   | 3-4 years hands-on
OSCP              | OffSec       | Penetration testing (hands-on exam)     | ~$1,749 (with training) | Strong technical background

A few honest observations from placing hundreds of security professionals.

Security+ opens doors at the entry level. Period. Anyone trying to break into security without it is making the search harder than it needs to be. The $404 exam fee pays for itself within the first week of your first security role compared to what help desk pays.

Once you have a few years under your belt, CISSP is the move. ISC2 reports a 25% salary premium for certified professionals, and the cert shows up in hiring manager wish lists more than any other. Five years of experience across two security domains to qualify, verified through endorsement. No shortcuts, and ISC2 has gotten more rigorous about the endorsement verification process in recent years after some embarrassment about people faking their experience to qualify. If you’re early-career but ambitious, pass the exam now and hold the Associate designation until you hit the experience threshold.

The offensive security cert landscape is where things get contentious. CEH is multiple choice and tests knowledge. OSCP is a 24-hour practical exam where you break into live systems. Ask any penetration tester which one they respect more and watch them try not to roll their eyes at CEH. But here’s the annoying reality: HR departments wrote the job requirements, not practitioners, which is why CEH appears in twice as many job postings as OSCP despite being the less rigorous exam. Get whichever one unblocks the roles you want. Or both. Practitioners will know the difference regardless.

The one almost nobody talks about: CISM. If you’re headed toward management or eventually CISO, this is the cert that separates you from brilliant technicians who have zero interest in boardroom conversations about risk appetite and annual loss expectancy. The business side of security is unglamorous and it’s where the biggest career ceilings live.

Skills Employers Are Hiring For Right Now

The ISC2 2025 workforce study paints a clear picture of where the skills gaps are widest. Fifty-nine percent of organizations report critical or significant skills shortages on their security teams, up from 44% the prior year. And 88% experienced at least one significant cybersecurity event directly attributed to those gaps. Not theoretical risk. Actual incidents.

The most in-demand skills, ranked by how frequently they appear in the job requisitions that land on our recruiters’ desks:

AI security is the one that surprises people. 41% of ISC2 respondents cited it as a critical skills gap. Prompt injection, model poisoning, adversarial inputs on one side. Automated threat detection and behavioral analytics on the other. The attack surface is so new that almost nobody has deep production experience defending against it, and the companies that are hiring for it are essentially building the playbook as they go. We placed an analyst last quarter whose entire job is evaluating whether the company’s internal LLM tools can be manipulated into leaking training data. That role didn’t exist two years ago.

Cloud security is right behind it. Thirty-six percent of respondents called it critical, and honestly that number feels low given how many companies rushed to AWS or Azure without rethinking their security model. An analyst who spent ten years locking down on-prem networks doesn’t automatically know why a particular S3 bucket configuration is a breach waiting to happen, or how IAM policies in GCP differ from Active Directory groups in ways that matter for compliance. The analysts who figured this out early are getting hired first. The rest of the market is scrambling.

Then there’s the tooling layer. Splunk, Microsoft Sentinel, CrowdStrike Falcon, Palo Alto XSOAR. Which platform matters less than whether you can write detection rules that actually catch things without generating so much noise that the SOC team ignores everything, which happens more often than vendors want to admit. The analysts who can measurably reduce mean time to detect and mean time to respond through better configuration rather than more headcount? Those are the ones justifying their salaries in every budget cycle.

Zero trust keeps showing up in job descriptions. Honestly? I wonder how many hiring managers who list this on their job posting could explain what it actually means if you asked them in the interview. You can’t buy zero trust off a shelf, despite what every security vendor’s sales team will tell you at RSA Conference. It’s a design philosophy: verify identity at every access point, microsegment the network, enforce least-privilege continuously. Most organizations are somewhere in the messy middle of implementing it, which means they need analysts who can evaluate the current state and build a realistic roadmap that doesn’t require ripping everything out and starting over.

And scripting. Python, PowerShell, Bash. Nobody expects you to ship production applications. But the analyst who can write a 50-line Python script to correlate authentication logs with VPN access patterns and flag the anomalies is doing work in twenty minutes that takes a non-scripting analyst two full days of manual spreadsheet comparisons. That efficiency gap is getting harder for hiring managers to ignore.
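The kind of script that sentence describes, as an added example (not code from the original post): it pairs VPN session start/end events into per-user intervals, then checks every successful remote login against them and flags logins with no VPN session, logins that bypassed the VPN pool while a session existed, and one account connected from two endpoints at once. The log formats, office and VPN address ranges, user names and sample lines are all constructed.

```python
"""Correlate authentication logs with VPN session logs and flag anomalies.
Added example, not from the original post: log formats, network ranges and
user names are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

OFFICE_NETWORKS = [ip_network("10.0.0.0/16"), ip_network("192.168.10.0/24")]  # constructed
VPN_POOL = ip_network("10.8.0.0/16")  # constructed address pool handed to VPN clients
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn session=(?P<event>start|end) user=(?P<user>\S+) src=(?P<src>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$")

@dataclass
class VpnSession:
    user: str
    src: str
    start: datetime
    end: Optional[datetime] = None  # None: still open when the log ends

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def build_vpn_sessions(vpn_lines):
    """Pair session=start / session=end events into per-user intervals."""
    sessions = []
    for line in vpn_lines:
        m = VPN_RE.match(line.strip())
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["event"] == "start":
            sessions.append(VpnSession(m["user"], m["src"], ts))
        else:  # close the oldest still-open session for this user and source
            for s in sessions:
                if s.user == m["user"] and s.src == m["src"] and s.end is None:
                    s.end = ts
                    break
    return sessions

def sessions_active_at(sessions, user, at):
    return [s for s in sessions
            if s.user == user and s.start <= at and (s.end is None or at <= s.end)]

def is_office(src):
    return any(ip_address(src) in net for net in OFFICE_NETWORKS)

def correlate(vpn_lines, auth_lines):
    """Check each successful login against the VPN sessions active at that moment."""
    sessions = build_vpn_sessions(vpn_lines)
    findings = []  # tuples of (kind, user, timestamp, source, app)
    for line in auth_lines:
        m = AUTH_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts, user, src, app = parse_ts(m["ts"]), m["user"], m["src"], m["app"]
        if is_office(src):  # on-site logins do not need a VPN session
            continue
        active = sessions_active_at(sessions, user, ts)
        if not active:  # remote login with no VPN session for this user at all
            findings.append(("login_without_vpn", user, ts, src, app))
            continue
        if ip_address(src) not in VPN_POOL:  # session exists, but the login bypassed it
            findings.append(("login_outside_vpn_pool", user, ts, src, app))
        sources = {s.src for s in active}
        if len(sources) > 1:  # one account connected from two endpoints at once
            findings.append(("concurrent_vpn_sources", user, ts, ",".join(sorted(sources)), app))
    return findings

# Constructed sample logs, not real data.
VPN_LOG = """\
2026-03-10T07:55:02Z vpn session=start user=alice src=198.51.100.23
2026-03-10T08:10:00Z vpn session=start user=bob src=203.0.113.40
2026-03-10T08:12:30Z vpn session=start user=bob src=198.51.100.77
2026-03-10T08:30:00Z vpn session=start user=eve src=198.51.100.5
2026-03-10T09:30:00Z vpn session=end user=alice src=198.51.100.23
""".splitlines()
AUTH_LOG = """\
2026-03-10T08:01:10Z auth result=success user=alice src=10.8.0.14 app=erp
2026-03-10T08:03:00Z auth result=success user=carol src=10.0.5.21 app=erp
2026-03-10T08:15:00Z auth result=success user=bob src=10.8.0.31 app=hr
2026-03-10T08:35:00Z auth result=success user=eve src=198.51.100.5 app=erp
2026-03-10T09:45:00Z auth result=success user=alice src=10.8.0.14 app=erp
2026-03-10T09:58:00Z auth result=failure user=dave src=203.0.113.99 app=erp
2026-03-10T10:00:00Z auth result=success user=dave src=203.0.113.99 app=erp
""".splitlines()

if __name__ == "__main__":
    for kind, user, ts, src, app in correlate(VPN_LOG, AUTH_LOG):
        print(f"{ts:%H:%M:%S} {kind:<24} user={user} src={src} app={app}")
```

On the sample data this reports four findings: bob’s two simultaneous VPN endpoints, eve’s login that never went through the VPN pool, and two remote logins (alice after her session ended, dave with no session at all) with no VPN session behind them.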


What a Typical Workday Looks Like (Honestly)

Career sites either make this job sound like watching paint dry or like a scene from Mr. Robot. We talked to analysts we’ve placed and asked them to walk us through a random Tuesday. Here’s the composite version, based on a mid-size company with a three-person security team.

Morning starts with the SIEM. There are 47 overnight alerts waiting, which sounds like a lot until you realize most of them are noise. Three tagged critical. Eight tagged high. The rest are medium and low severity, and a veteran analyst can scan those headers and dismiss 80% of them in the time it takes to finish a first cup of coffee. The criticals get attention first, obviously, and the lows will sit in the queue until someone has a slow afternoon or until a pattern emerges that bumps a cluster of lows into something worth investigating, which happens more often than the severity labels would suggest.

One of the three critical alerts is a brute force attempt from an IP address in Eastern Europe. No employees there, no customers there, no reason for any traffic from that range. Cross-reference the threat intel feed, confirm the IP is already flagged as malicious, verify no logins actually succeeded, block it at the firewall, close the ticket. Start to finish, that investigation takes maybe twelve minutes. Seasoned analysts can almost do it in their sleep, which is both a feature and a bug of the job.

The second critical is more interesting. Unusual data transfer volume overnight from a developer workstation. The brain immediately goes to exfiltration. Pull the network flows. Where is the data going? Turns out it’s GitHub. The developer started a late-night coding session and pushed a massive branch around midnight. A quick Slack message to their manager confirms it. Legitimate. But now you have to tune the alert threshold for that person’s normal GitHub activity so the same false positive doesn’t wake you up next Tuesday. That kind of ongoing calibration is invisible work that nobody outside the SOC ever sees or appreciates, and it takes up more of the analyst’s week than most outsiders would guess.

The rest of the morning is less dramatic. A five-minute team standup where someone mentions a new critical CVE affecting the VPN appliance. Then a vulnerability scan review with 142 findings, of which roughly 80 are informational and 30 are duplicates from last week that the infrastructure team still hasn’t patched because they’re mid-migration. Filter down to the 11 new criticals and highs, prioritize by whether each one is actually exploitable given the company’s specific setup, write remediation tickets for the top five, and send them off to the system owners who will respond sometime between tomorrow and never.

Late morning usually brings project work. Maybe it’s a vendor security review because marketing signed a trial agreement with a new email analytics platform before asking anyone in security to look at it. Read the SOC 2 Type II report. It’s clean, mostly, but the data retention policy reads like it was written by a lawyer who wanted to say as little as possible. Send a follow-up questionnaire with seven specific questions about their data handling practices and then wait two weeks for answers that will probably dodge at least three of those questions, at which point you send a second follow-up and the cycle continues. This is the part of the job that people who imagine cybersecurity as constant hacking don’t see coming. Significant chunks of an analyst’s week are vendor management and compliance paperwork.

After lunch, pull the results from Monday’s phishing simulation. Click rate dropped from 18% last quarter to 12%. Getting better. Three people in accounting still entered their credentials on the fake login page, though, so schedule them for targeted retraining. Then the quarterly access review: pull every active account from Active Directory, cross-reference with HR’s current employee list, and find the accounts for people who left the company months ago but somehow still have active credentials. There are always some. Last quarter it was seven. This time it’s four. Disable them, document the finding, send the notification to HR, wonder briefly how that keeps happening, and move on.
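The quarterly access review at the end of that paragraph, as an added example that is not from the original post: a Python script that cross-references a constructed directory export against a constructed HR roster and reports the enabled accounts with nobody current behind them, plus on-leave and long-unused accounts while it is at it. The column names, the service-account owner list and the 90-day staleness threshold are assumptions.

```python
"""Quarterly access review: enabled directory accounts with nobody (or nobody
current) behind them. Added example, not from the original post; the export
columns, account names and dates are constructed for illustration."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed: flattened export of user objects from the directory.
AD_EXPORT = """\
sam_account,upn,enabled,last_logon
alice,alice@example.com,true,2026-03-09
bob,bob@example.com,true,2025-11-02
carol,carol@example.com,true,2026-03-10
dave,dave@example.com,false,2025-06-15
erin,erin@example.com,true,2026-02-28
frank,frank@example.com,true,2026-03-01
svc_backup,svc_backup@example.com,true,2026-03-10
svc_legacy,svc_legacy@example.com,true,2025-01-04
"""
# Constructed: roster export from HR; terminated people keep a row with a date.
HR_ROSTER = """\
employee_id,email,status,termination_date
1001,alice@example.com,active,
1002,bob@example.com,terminated,2025-11-15
1003,carol@example.com,active,
1004,dave@example.com,terminated,2025-06-20
1005,erin@example.com,leave,
"""
# Constructed: service accounts have no HR row, so each must have a named owner instead.
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "infra-team", "svc_legacy": "infra-team"}

def load_csv(text):
    return list(csv.DictReader(StringIO(text)))

def review_access(ad_rows, hr_rows, as_of, stale_after=timedelta(days=90)):
    """Return a dict of finding kind -> sorted account names."""
    hr_by_email = {r["email"].strip().lower(): r for r in hr_rows}
    findings = {"terminated_still_enabled": [], "no_hr_record": [],
                "on_leave_enabled": [], "stale_enabled": []}
    for acct in ad_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are already where we want them
        name = acct["sam_account"]
        last_logon = date.fromisoformat(acct["last_logon"])
        if name not in SERVICE_ACCOUNT_OWNERS:  # owned service accounts skip the HR match
            person = hr_by_email.get(acct["upn"].strip().lower())
            if person is None:  # enabled account, no employee record at all
                findings["no_hr_record"].append(name)
                continue
            if person["status"] == "terminated":  # the finding the review exists for
                findings["terminated_still_enabled"].append(name)
                continue
            if person["status"] == "leave":  # still employed, but should not be logging in
                findings["on_leave_enabled"].append(name)
        if as_of - last_logon > stale_after:  # nobody has used it in a quarter
            findings["stale_enabled"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}

def run_sample(as_of=date(2026, 3, 10)):
    return review_access(load_csv(AD_EXPORT), load_csv(HR_ROSTER), as_of)

if __name__ == "__main__":
    for kind, names in run_sample().items():
        print(f"{kind:<26} {', '.join(names) or '-'}")
```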

The afternoon finishes with a ransomware tabletop exercise you’re prepping for the IT leadership team. The scenario: CFO’s laptop is encrypted, backups were last tested three months ago, attacker wants 50 BTC. It needs to feel real enough that the executives take it seriously. Then documentation. The new analyst starts Monday and needs a runbook for overnight alert triage, written the way you wish somebody had written one for you when you started, honest about which alerts are almost always garbage and clear about when to page the on-call engineer versus when to just log it and go to bed.

Some days end at five. Some days a zero-day drops at four-thirty and you’re still in the office at midnight. Incident response weeks feel like controlled chaos. Audit weeks feel like a paperwork endurance test. The quiet stretches, when they happen, are for catching up on training, reading threat research, and doing the project work that slips during incident-heavy periods. That constant shifting between reactive and proactive work is what makes the career interesting to some people and absolutely maddening to others.

Industries Hiring Information Security Analysts

Every industry needs security analysts. Some need them more urgently and pay more to get them.

Industry             | Why Demand Is High                                         | Salary Premium
---------------------|------------------------------------------------------------|----------------------------
Financial Services   | SEC/OCC regulations, PCI-DSS, constant target for fraud    | +15-25% above median
Healthcare           | HIPAA, ransomware targeting, connected medical devices     | +5-15%
Government / Defense | FedRAMP, CMMC, clearance requirements                      | +10-20% (with clearance)
Technology / SaaS    | Customer data protection, SOC 2, rapid deployment cycles   | +10-20%
Energy / Utilities   | NERC CIP, OT/ICS security, nation-state threats            | +10-15%
Retail / E-commerce  | PCI-DSS, payment fraud, high transaction volumes           | At or slightly above median

Financial services consistently pays the most for security talent because the regulatory exposure is enormous and the consequences of a breach are measured in billions, not millions. Healthcare has become the second-highest demand sector largely because ransomware crews figured out something ugly: hospitals pay. They pay because a patient on a ventilator connected to a network that just got encrypted isn’t a PR problem, it’s a life-safety problem. Retail companies can eat the downtime. Hospitals can’t. That calculation is driving healthcare security hiring faster than any compliance mandate ever did.

How to Break Into Information Security Without a Traditional Background

The “you need a computer science degree” barrier is largely gone. It still helps, no question. But we’ve placed successful analysts who came from IT support, military intelligence, network administration, and even non-technical fields like accounting (compliance knowledge transfers surprisingly well to GRC roles).

What actually gets you hired:

Build a home lab. Spin up VirtualBox or VMware on whatever hardware you have. Install Elastic Security’s free tier as your SIEM. Run Kali Linux in another VM and point it at your own test network. Nmap for recon, Burp Suite for web app testing, Metasploit if you want to get serious about exploit chains. Document what you did and what you found. This matters more to hiring managers than any certification because it shows initiative and genuine curiosity.

Get Security+ certified. Entry-level cert, absolutely. And yeah, some senior practitioners roll their eyes at it. But it’s a hiring filter, especially in government and defense. Plenty of qualified candidates never make it past the recruiter screening because they don’t have it. Spend $404 and remove that obstacle.

Contribute to open source security projects. Sigma rules, YARA signatures, detection content for open SIEM platforms. Contributions show up on your GitHub and give interviewers something concrete to discuss beyond “tell me about a time you solved a problem.”

Start from an adjacent role. Help desk, systems administration, network engineering. These give you something bootcamps can’t replicate. When you’ve spent two years fixing broken things under pressure in IT support, you develop instincts about how systems fail that carry directly into security work. You understand normal because you lived inside normal before you started looking for abnormal. Many of the best analysts we’ve worked with spent their first two or three years in IT operations before transitioning into security, and that operational knowledge gives them an edge over people who learned security in isolation.

Use CTF competitions and TryHackMe/HackTheBox. Capture-the-flag competitions are free, genuinely fun if you’re the kind of person who enjoys puzzle-solving under time pressure, and directly relevant to both offensive and defensive security skills in a way that reading textbooks about those same skills simply cannot replicate. They’re also conversation starters in interviews. “I completed the Active Directory attack chain on HackTheBox and here’s what I learned about pass-the-hash attacks” is a better interview answer than any behavioral question response you’ll ever prepare.

Information Security Analyst vs. Related Roles

Job titles in cybersecurity overlap constantly. This causes confusion for both candidates and hiring managers. Here’s how the most commonly confused roles actually differ.

Role               | Primary Focus                                   | Key Difference from Info Sec Analyst
-------------------|-------------------------------------------------|-----------------------------------------------
SOC Analyst        | Real-time monitoring and alert triage           | Narrower scope, shift-based, more reactive
Security Engineer  | Building and maintaining security infrastructure| More hands-on with tools, less analysis
Penetration Tester | Offensive security testing                      | Breaks things intentionally to find weaknesses
GRC Analyst        | Governance, risk, and compliance                | Policy and audit focused, less technical
Security Architect | Designing security systems and frameworks       | Strategic design, not day-to-day operations
DevSecOps Engineer | Integrating security into CI/CD pipelines       | Developer-adjacent, automation-heavy

The information security analyst role is the generalist position. It touches monitoring, vulnerability management, compliance, incident response, and user education. Specialization happens when you pick one of those areas and go deep. Those role comparisons map to where generalist analysts end up after a few years. Pay attention to what energizes you during the generalist phase. If you live for the technical investigation, go deep. If the compliance and policy work doesn’t bore you to tears, you might be a GRC person. If you keep redesigning the infrastructure in your head while you’re supposed to be monitoring it, architecture is your track.

For a deeper look at the SOC analyst side specifically, we’ve published a companion guide through our cybersecurity staffing practice. If you’re evaluating DevSecOps as a career direction, our DevOps staffing page covers the engineering side of that intersection.

The Cybersecurity Talent Shortage: What the Numbers Mean for Your Career

ISC2 made a quiet but significant decision in their 2025 study. They stopped publishing the traditional “workforce gap” number, the one that previously landed at 4.8 million unfilled positions globally with roughly 700,000 of those in the US. Instead, they shifted the entire conversation toward skills shortages rather than headcount shortages. The implication is hard to miss. Warm bodies are available. People with the right mix of cloud security knowledge, AI threat awareness, and hands-on incident response chops are not.

One in three organizations told ISC2 they lack the resources to properly staff their security teams. Nearly three in ten said they simply cannot afford to hire at the skill level their environment demands, which is a polite way of saying the budget doesn’t match the threat landscape. Those aren’t abstract survey responses. We hear the same thing in intake calls every week from hiring managers who’ve been running security req postings for four months with nothing to show for it.

For candidates, the shortage means leverage. Not unlimited leverage. You still need relevant skills, not just a certification and enthusiasm. But qualified analysts with three or more years of experience and demonstrable hands-on skills are in a position most professionals would envy. Multiple offers. Counteroffers. Signing bonuses. Remote flexibility. These are normal for mid-career security professionals right now. If you’re a hiring manager and your last three offers got rejected, this is why. The candidates you want are fielding calls from five other recruiters this week. We know because we’re usually one of those five recruiters calling.

For hiring managers, the shortage means competition and compromise. Not compromise on quality. Compromise on wish lists. The job posting that requires CISSP, five years of experience, cloud security expertise, scripting ability, and industry-specific compliance knowledge at $95,000 is going to sit unfilled. Either the budget goes up or the requirements flex. Usually both. Working with a specialized cybersecurity staffing partner helps because they can reality-check your requirements against what the market will actually deliver at your price point.


Things People Ask About Information Security Analyst Careers

So what exactly does an information security analyst do all day?

Rough split: 40% monitoring and triage, 20% vulnerability management, 15% compliance, 15% security projects, 10% training and reporting. But those numbers are meaningless during a breach, when it’s 100% incident response until the threat is contained, or during audit season, when compliance eats the whole calendar. I’m oversimplifying. The honest answer is that the job resists easy percentages because no two weeks look alike. One week you’re cruising through dashboards. The next week someone clicks the wrong link and you’re pulling 14-hour days reconstructing what happened.

Does the degree requirement still hold up in 2026?

Depends who’s hiring. Some enterprises and government contractors still filter for a bachelor’s in their ATS before a human ever looks at the application, and if you don’t have one, your resume goes into a black hole regardless of what you can actually do. That’s real and pretending otherwise doesn’t help anyone. But the broader market has shifted. CompTIA reports growing numbers of employers dropping degree requirements entirely. We’ve placed analysts with associate degrees and military backgrounds who ran circles around candidates with master’s degrees. The SIEM doesn’t care what school you went to when it lights up at 4 PM on a Friday.

Which certification should I get first?

CompTIA Security+. Not close. It’s the most widely recognized entry-level security certification, it satisfies DoD 8570/8140 requirements for government roles, and it costs $404 to attempt. CISSP is the eventual goal for most analysts, but the five-year experience requirement means it’s not your first move. Security+ first. Cheapest cert that opens the most doors. Then CySA+ or a cloud security cert like AWS Security Specialty, whichever matches the direction you’re heading. Those signal depth, not just a collection of entry-level badges. CISSP comes later, once you have the five qualifying years. Trying to rush that timeline doesn’t work and ISC2 will catch it during endorsement.

Realistically, how fast can someone break into cybersecurity from scratch?

Six months to a year for someone committed to self-study and willing to start at a SOC analyst or IT support role. We’ve seen people go from zero security experience to employed as a Tier 1 SOC analyst in as little as four months, but those were people studying four to six hours a day, building home labs on weekends, and treating the career switch like a second job. The median path takes closer to 12 months. Faster if you have existing IT experience. Coming from a non-technical background adds time, sometimes a lot of time, because you’re building the IT foundation and the security knowledge simultaneously.

Is the field going to be automated away by AI?

The Tier 1 SOC analyst job as it exists today? SOAR platforms already automate the easy incident response playbooks, and the pattern recognition that junior analysts spend most of their day doing is exactly what machine learning does best. But here’s the thing nobody talks about enough: AI is simultaneously creating attack surfaces that didn’t exist before. Prompt injection. Model poisoning. Adversarial inputs that trick automated defenses. Somebody has to defend against those threats, and that somebody needs judgment, not just pattern matching. The job will look different. The career isn’t disappearing. I’m more worried about the analysts who refuse to learn the new tools than about the tools replacing analysts entirely.

Remote work: is it realistic for security roles?

More realistic than most people assume but less universal than job boards suggest. Much of the day-to-day work can be done fully remote: monitoring, analysis, policy work, vendor reviews, compliance documentation. Roles that require physical access to classified systems, on-premises hardware, or air-gapped networks cannot. Government and defense positions often require on-site presence. The private sector has largely embraced hybrid and remote for security analysts. Expect roughly 60-70% of non-government security analyst roles to offer remote or hybrid options, based on the job requisitions our team processes.

Building a Security Team: What Hiring Managers Need to Know

If you’re on the other side of this equation, building or expanding a security team, the talent market dynamics above have direct implications for your hiring strategy.

Don’t copy-paste job descriptions from other companies. The requirements list that a Fortune 500 bank uses for their security analyst role is not the requirements list you need for your 500-person SaaS company. Tailor the role to what you actually need done in the first 90 days, and write a shorter posting that describes exactly that: what will this person actually spend their time doing? Experienced analysts can smell an unfocused role from the job description alone. They’ll skip yours and apply to the company down the street that clearly knows what it needs. We watch this happen weekly.

Be honest about the role’s scope. If the analyst is going to be the only security person at the company, say so. Some analysts thrive in that environment. Others need the structure of an established team. Misrepresenting the role wastes everyone’s time and leads to turnover within the first year.

Budget realistically. If you’re hiring a mid-level information security analyst with cloud security experience and SIEM expertise, $90,000 to $130,000 is the range in most markets. Below $90,000 and you’re getting entry-level candidates applying for a mid-level role because they can’t find anything else. Above $130,000 and you’re attracting senior talent who’ll be bored within six months. Match the comp to the actual scope.

Consider contract-to-hire arrangements for security roles. The fit between an analyst and an organization’s security culture matters more than in most technical roles. A 90-day contract-to-hire lets both sides evaluate the fit before committing. We’ve seen this model reduce first-year security turnover significantly. The analyst gets to see if the company actually takes security seriously (many don’t, despite what they said in the interview). The company gets to see if the analyst can operate at the level they claimed.

If the search is taking too long, the requirements are probably too narrow. Our cybersecurity staffing team can help you recalibrate. You’re looking for the right person, not the mythical perfect candidate who checks every box on a list that was probably too long to begin with. Perfect people in this field have six competing offers and they’re choosing between them, not waiting for yours. Reach out to our cybersecurity recruiters if you’ve been running an open req for more than 60 days and want a second opinion on what needs to change.
