Cybersecurity roles are rarely one-dimensional. In fact, a majority of professionals juggle responsibilities across multiple domains. According to the “2025 Cybersecurity Staff Compensation Benchmark Summary Report” by IANS and Artico Search, 61% of security pros routinely perform multiple functions — regardless of their job title. The findings are based on a survey of 528 cyber professionals in the US and Canada conducted between June and December 2024.

Take professionals in security operations (SecOps) as an example: 22% also perform duties in application security, 27% in architecture and engineering, 33% in identity and access management, 41% in governance, risk, and compliance (GRC), and 49% in product security. This blending of responsibilities is typical across the field, suggesting job titles don’t often reflect the full scope of a cyber pro’s contributions.

Still, job titles are often strong indicators of compensation expectations. According to IANS and Artico Search, the following roles top the chart for the highest paid in cybersecurity today.

Security architect

Security architects lead across every compensation category: They earn the highest average base salary ($179,000), receive the highest average annual cash compensation ($206,000), and have the highest rate of annual equity grants (34%).

More than half of security architects report their IT background was critical in reaching their current role. Common foundational roles include system administrator and network administrator, while more security-focused feeder positions include security analyst, security consultant, and security administrator.

Due to the nature of the role, professionals in cybersecurity architecture and engineering — including security architects — take on diverse responsibilities. About 23% have responsibilities that include identity and access management, 26% contribute to application security efforts, and 48% are involved in product security. These areas are part of their wider mandate, which centers on designing and maintaining secure enterprise architectures across networks, systems, and applications.

One of the most respected certifications for aspiring security architects is the Certified Information Systems Security Professional (CISSP) by ISC2. It covers eight key domains, including security architecture and engineering, security and risk management, communication and network security, identity and access management, and software development security. CISSP specifically lists security architects as part of its target audience and can help position professionals for advancement into roles such as security manager, director of security, or even CISO.

For those specializing in cloud environments, certifications such as the AWS Certified Security — Specialty or the vendor-neutral Certified Cloud Security Professional (CCSP) by ISC2 are highly recommended.

Security engineer

After security architects, security engineers receive the second-highest annual cash compensation ($191,000), with a base salary of $168,000. Nearly a third (31%) of security engineers surveyed also received annual equity grants.

Like their architect counterparts, security engineers strongly value their IT foundations — 70% cite prior experience in systems administration, network or infrastructure engineering, or general IT as critical to their current roles. Others come from security-specific paths, often beginning as security analysts or in SecOps.

Security engineers are responsible for building, implementing, and maintaining the technical defenses that protect an organization’s IT systems. Their work includes identifying vulnerabilities, testing and deploying security tools, responding to incidents, and managing protections such as firewalls and intrusion prevention systems. They play a central role in both day-to-day defense and long-term cybersecurity strategy.

Because security engineering is a broad field, certifications vary depending on focus. CompTIA Security+ is ideal for entry-level professionals. Engineers with a networking focus may pursue the Cisco Certified Network Professional (CCNP) Security, while those working in offensive security often pursue the Certified Ethical Hacker (C|EH) to develop penetration testing expertise.

Career progression for security engineers may involve deeper specialization — such as in application or network security — or stepping into leadership roles such as a security engineering manager or director of security engineering.

Risk / GRC specialist

Risk/GRC specialists command a strong compensation package, with an average base salary of $146,000 and total annual cash compensation reaching $173,000. Additionally, 26% receive annual equity distributions.

This specialization offers a clearly defined path for career growth, often beginning with entry-level roles such as risk analyst. According to a 2024 ISC2 survey of IT security managers, 27% of hiring managers identify risk assessment, analysis, and management as among the most in-demand skills in the field.

One of the most valuable certifications for aspiring risk analysts is the Certified in Risk and Information Systems Control (CRISC) from ISACA. CRISC provides training across four key domains of risk management: corporate IT governance, IT risk assessment, risk response and reporting, and IT security. More than 30,000 professionals hold the CRISC certification, with an average annual salary of $151,000 — consistent with average base salary data from IANS and Artico Search.

After gaining foundational experience as a risk analyst, professionals can advance to broader GRC roles. These positions are highly valued: 24% of hiring managers report that GRC skills are in demand due to the wide-ranging responsibilities these professionals take on. GRC specialists frequently lead the development of enterprise IT policies — such as incident response protocols — while managing risk, adapting to emerging technologies such as AI, and ensuring compliance with region- or industry-specific regulatory frameworks.

A highly regarded certification for GRC professionals is the Certified in Governance, Risk and Compliance (CGRC) from ISC2. The CGRC is designed for GRC analysts, managers, architects, and directors, and covers essential areas such as security and privacy governance, risk management, compliance programs, implementation and assessment of controls, and ongoing compliance maintenance.

GRC specialists often extend their responsibilities beyond the core GRC mandate. According to the report, 16% are involved in application security, 18% contribute to security architecture and engineering, 34% manage identity and access management, and 40% play a role in product security.

Security analyst

Security analysts earn an average annual base salary of $124,000, with total annual cash compensation averaging $133,000. Only 20% receive annual equity grants.

While there is some functional overlap with security engineers, the security analyst role is generally more tactical than strategic, with a strong focus on threat detection and analysis. A common subset of this role is the SOC analyst — a cybersecurity professional who works as part of a team in a security operations center to monitor threats, assess systems for weaknesses, and recommend improvements.

This tactical focus contributes to the nearly 35% difference in average base salary between security analysts and security engineers, who earn $168,000 on average.

One of the best certifications for aspiring security analysts is the CompTIA CySA+, which covers core skills such as security operations, vulnerability management, incident response, and reporting. The certification aligns directly with roles such as cybersecurity analyst, vulnerability analyst, application security analyst, and threat intelligence analyst.

With experience, security analysts can advance into security engineer and eventually security architect roles, offering a clear and lucrative path for long-term career growth in cybersecurity.
