Career Dish · Real jobs, real talk

Cybersecurity Salary: What You Actually Take Home

~22 min read · 3 voices

We talked to three cybersecurity professionals about money. One makes $74,000 monitoring alerts on the night shift in Tampa and hasn't gotten a raise in 18 months. One makes $138,000 as a security engineer in Chicago and just realized he spends $6,200 a year maintaining certifications the company requires but only partially reimburses. One bills $185 an hour as an independent GRC consultant from her kitchen in Raleigh and hasn't had a sick day covered in four years. Same field. Very different math.

These characters are composites, built from dozens of real accounts, interviews, and community threads. The people aren't real. The experiences are.


What a Night Shift SOC Analyst in Tampa Actually Takes Home


Trey

28 · Night shift SOC analyst at a managed security services provider in Tampa, Florida · 3 years in cybersecurity · Security+ and CySA+ certified · Was a bartender and community college student before this
Still has the TI-84 calculator from his community college math class in the top drawer of his desk. He doesn't use it for work. He used it once to calculate his true hourly rate including study time, and the number was depressing enough that the calculator stays in the drawer now as a reminder.

Let's start with the number. What do you make?

$74,000 base. No bonus. Night shift differential is $2 per hour, which works out to about $4,160 per year pretax. So my gross is effectively $78,160. In Tampa, which is no longer cheap, I want to be clear about that. My rent is $1,550 for a one-bedroom in Seminole Heights. That's about half my take-home after federal and state taxes, health insurance, and my 401k contribution. Florida doesn't have state income tax, which is genuinely one of the reasons I stayed here. My buddy Reuben moved to a SOC role in Maryland and makes $82,000, but after Maryland state taxes he takes home less than I do.

How does $74,000 feel for the work you do?

I'll answer that with some context. Before this, I was bartending at a craft cocktail place in Ybor City. I was making about $52,000 a year in salary plus tips. I worked four nights a week. No benefits, no 401k, but I was home by 2 AM and I didn't think about work when I wasn't there. Now I make $74,000, I have health insurance, I have a 401k with a 3% match, and I think about work constantly. I study for certifications on my days off. I read threat intelligence reports in bed. My girlfriend, Janae, told me last month that I talk about Splunk queries in my sleep, which is both funny and deeply concerning.

The math that nobody does in cybersecurity is the true hourly rate. My shift is 12 hours, three nights a week, plus every other weekend. That's about 2,080 scheduled hours per year. But on top of that, I spend approximately 8 hours per week on unpaid professional development: studying for certs, doing TryHackMe labs, reading vendor blogs, watching webinars that my manager Elise "strongly recommends." Eight hours times 52 weeks is 416 hours of unpaid work. So my effective hours worked are closer to 2,500 per year. $78,160 divided by 2,500 is $31.26 per hour. When I was bartending on a good night, I was making $40 an hour after tips. So I took a pay cut to work harder in a darker room with more responsibility and no tips. The trade-off is the career trajectory. Bartending tops out. This doesn't. At least, that's what the LinkedIn posts say. I'm three years in and still waiting for the trajectory to start.

I took a pay cut to work harder in a darker room with more responsibility and no tips. The trade-off is the career trajectory. I'm three years in and still waiting for it to start.
— Trey

What's the path from where you are to the next salary level?

Tier 2 SOC analyst or a security engineer role. The Tier 2 roles at my company pay $85,000 to $92,000. Security engineer roles in Tampa are posting at $95,000 to $115,000. Both require experience I'm building and certifications I'm chasing. I'm planning to take the Certified Cloud Security Professional exam, which is $599 for the exam fee and another $500 or so in study materials. The company reimburses certification exam fees if you pass on the first attempt. If you fail, it's out of pocket. No pressure. Just $599 worth of incentive to pass a six-hour exam on your first try after studying during the hours you're supposed to be sleeping because you work nights.

The jump from $74K to $115K feels enormous. That $40,000 difference would change my life. I could move to a two-bedroom. I could start saving more than $200 a month. I could stop doing the thing where I calculate whether I can afford the guacamole at Chipotle. My colleague Adrian, he made Tier 2 last year after four years at Tier 1. His salary went from $71,000 to $88,000. He said it was the first time he felt like the career investment was paying off. He's 30. He started studying for cybersecurity at 24. Six years of investment for a $17,000 raise. That's the timeline nobody puts in the marketing materials.

Do you feel underpaid?

Compared to what? Compared to other SOC analysts in Tampa, I'm about average. Compared to what the MSSP bills for my time, absolutely. My company charges clients about $180 per hour for SOC monitoring. I make $35.58 per hour gross. That means for every hour I work, the company keeps about $144. I understand how businesses work. There's overhead, management, tools, insurance. But when you see the billing rate next to your pay rate, you feel something. It's not exactly anger. It's more like, oh. That's the margin. I am the margin.

The part nobody talks about

What's yours?

The hidden costs of staying current. Last year, I spent $1,280 out of pocket on cybersecurity-related expenses that weren't reimbursed. That includes the $349 for my Security+ renewal (continuing education credits), $200 for an online SIEM course, $180 for a TryHackMe annual subscription, $300 for a SANS webcast package that my manager recommended, and about $250 in books and study guides. That's $1,280 on a $74,000 salary. It's not going to bankrupt me. But it's a tax on the profession that most career advice ignores. Nobody tells you that staying employable in cybersecurity costs money every year, on top of the time. Janae asked me why I was buying another technical book and I said "because if I stop learning I get laid off." She thought I was being dramatic. I was being accurate.


What a Security Engineer in Chicago Actually Takes Home


Konstantin

35 · Security engineer at a mid-size insurance company in Chicago, Illinois · 8 years in cybersecurity · CISSP, CySA+, AWS Security Specialty certified
Has a Google Sheet titled "Cert ROI" that tracks every certification he's earned, what it cost to get, what it costs to maintain annually, and whether he can trace a salary increase to it. The CISSP column shows a $22,000 salary bump in the year he earned it. The CySA+ column shows zero attributable increase. He finds this data comforting and infuriating in equal measure.

What's the number?

$138,000 base. 10% annual bonus target, which paid out at 8.5% last year, so $11,730. Total comp was $149,730. Health insurance costs me $4,800 per year for the employee-plus-spouse plan, covering me and my wife, Ana. 401k: I contribute 8%, the company matches 4%. So $11,040 goes to the 401k from me, $5,520 from the company. After federal and Illinois state taxes, health insurance, and retirement, my biweekly take-home is about $3,640. That's $94,640 per year in cash hitting my account. In Chicago. Where our mortgage on a two-bedroom condo in Logan Square is $2,350 per month.

You track certification ROI in a spreadsheet. What does it show?

It shows that certifications are expensive and their value is uneven. Here's the breakdown. I currently hold three active certifications. The CISSP costs me $125 per year in annual maintenance fees, plus I need to earn 40 continuing professional education credits every year. I earn most of those through webinars and conferences, but the conferences cost money and the webinars cost time. I estimate I spend $800 per year and about 35 hours maintaining my CISSP. The CySA+ costs $50 every three years for renewal, plus continuing education credits. The AWS Security Specialty costs $300 every three years for recertification. Total annual certification maintenance cost: approximately $1,150 in hard dollars and about 50 hours of continuing education time.

When I earned the CISSP in 2021, I was making $116,000. I negotiated a raise to $128,000 the following year, and the CISSP was explicitly cited as a factor. That's a clear, attributable $12,000 increase. Over the five years I'll hold it before the next big career move, that's $60,000 in additional earnings against a total investment of maybe $6,000 in exam prep, fees, and maintenance. The CISSP ROI is excellent. The CySA+ has never directly resulted in a raise or a job offer. I got it because it was recommended for my career path, but nobody has ever asked about it in an interview. The AWS Security Specialty helped me get my current role, but so did five years of cloud experience, so isolating the cert's contribution is impossible. My "Cert ROI" sheet is honest about this. Some cells just say "unclear."

How does your salary compare to software engineers at the same company?

This is a sore point. Our senior software engineers are banded at $135,000 to $160,000. I'm at $138,000, which puts me at the low end of an equivalent engineering band. But here's the thing. The software engineers don't have on-call rotations. They don't carry pagers. They don't get woken up at 2 AM because a WAF rule is blocking legitimate traffic and the production team needs someone to triage it. I do. And the on-call compensation is $200 per week of on-call time, regardless of how many times I get paged. Last rotation I got paged four times. One incident took three hours. The $200 for that week works out to about $8 per hour for the on-call time, which is less than minimum wage in Chicago. Ana has pointed this out. Repeatedly.

The counterargument, which my manager Fiona makes, is that security engineers are compensated for the on-call burden through higher base salaries than they'd receive at companies without on-call requirements. And she's not wrong in the abstract. But in the concrete, the software engineer sitting 30 feet from me makes $152,000, has no pager, and sleeps uninterrupted every night. I have trouble with the abstract when the concrete is that close.

The software engineer 30 feet from me makes $152,000, has no pager, and sleeps uninterrupted every night. I have trouble with the abstract when the concrete is that close.
— Konstantin

What would it take for you to leave?

$160,000 or more, no on-call, and a certification reimbursement program that covers 100% instead of the 75% I have now. That combination exists in Chicago. I've seen the job postings. They're at companies like Allstate, Discover, or the bigger tech companies with offices here. The reason I haven't moved is that Fiona is a good manager, the team is functional, and I've seen what "security engineer at a company that doesn't understand security" looks like. My friend Magnus, he went to a logistics company for $155,000 and quit after seven months because the CTO didn't believe in patching production servers on a regular schedule. Magnus described it as "being the smoke alarm in a building where the landlord removed the batteries." He came back to cybersecurity consulting and makes $170,000 now, but the consulting hours are worse. There's always a trade-off. The spreadsheet can track the dollars. It can't track the feeling of being the only person in the room who thinks the risk matters.

The part nobody talks about

What's yours?

The golden handcuffs are different in security than in engineering. In software engineering, golden handcuffs are RSUs and unvested stock. In security, the golden handcuffs are your clearance, your certifications, and your institutional knowledge. I know this company's infrastructure inside out. I know where the bodies are buried, technically speaking. I know which legacy system has the exception in the firewall rules that nobody wants to touch because the last person who tried brought down the VPN for 4,000 remote workers. That knowledge makes me valuable here and useless elsewhere. Starting over means learning a new environment from scratch while maintaining all the certifications and staying current on the threat landscape. It's exhausting to contemplate. Ana says I describe my job the way long-married people describe their marriages: "it's not perfect, but the cost of leaving is higher than the cost of staying." She's an accountant. She thinks in terms of sunk cost. She's probably right.


What an Independent GRC Consultant in Raleigh Actually Takes Home


Danette

42 · Independent GRC (governance, risk, compliance) consultant based in Raleigh, North Carolina · 14 years in cybersecurity · CISSP, CISM, CRISC certified · Was a CISO at a healthcare SaaS company before going independent
Works from a converted sunroom in her house that she calls "the fishbowl" because it has windows on three sides. Her cat, Benoit, sits on her desk during client calls. No client has ever commented on the cat. She thinks this says something about the seriousness of compliance professionals, but she's not sure what.

You left a CISO job to consult. What happened?

I was the CISO at a Series B healthcare SaaS company. 200 employees. $168,000 salary plus equity that was worth, optimistically, $40,000 if the company ever had a liquidity event. I reported to a CEO who thought SOC 2 was "a suggestion" and a board that asked about security once a quarter for exactly 12 minutes. I built the security program from nothing. I hired three people. I got us through our first SOC 2 audit. And then I realized that the company was never going to invest in security beyond the minimum required to not lose customers. The board approved $180,000 for my entire annual security budget. $180,000. To secure a company processing protected health information for 2,000 healthcare providers. That's less than my salary. I was worth more to them than the program I ran. That math told me everything.

So I left and started consulting. I help companies prepare for and pass SOC 2 and HIPAA audits. I review their security programs, identify gaps, write policies, and shepherd them through the audit process. I bill $185 per hour. Last year, my gross revenue was $296,000. That was 1,600 billable hours across nine clients. After self-employment tax (15.3%), health insurance ($9,600 for me and my daughter, Saoirse), liability insurance ($2,800), my home office, software subscriptions, certification maintenance, and an accountant, my net was about $192,000. That's more than my CISO salary by about $24,000, and I don't carry anyone's organizational risk anymore. I carry my own risk, which is different and, honestly, lighter.

$185 an hour. How did you arrive at that number?

Trial and error. I started at $150 because I was nervous. My first client, a SaaS company in Durham, didn't blink. My second client, a med-tech startup, negotiated me down to $135 and I took it because I was scared of having gaps in my calendar. After about six months, I raised to $175. After a year, $185. I've had two clients decline at $185. One said their budget was $120 per hour. I said good luck. The other said they wanted to think about it. They called back two weeks later and agreed. The demand for GRC consultants with CISO experience and healthcare compliance knowledge is extremely high. There aren't many of us because most CISOs don't leave to consult. They're too scared of losing the steady paycheck. I was too scared too. My brother Wendell, who's been self-employed as an electrician for 15 years, told me "the first year without a paycheck is the worst year. The second year is just normal." He was right.

The company valued me at $168,000 and the security program I ran at $180,000. I was worth more than the work. That told me everything.
— Danette

What's the downside of the money being this good?

The downside is that every non-billable hour costs $185 in my head. Sick day? That's $1,480 I didn't earn. Vacation? A week off is $7,400 in lost revenue. I took Saoirse to Asheville for a long weekend in October and I caught myself doing mental math at the aquarium. Three days times 8 hours times $185 is $4,440. I was watching my daughter look at a sea turtle and calculating the cost of watching my daughter look at a sea turtle. Wendell warned me about this too. He said "you're not charging clients for your time, you're selling your life in one-hour increments, and eventually you start seeing your whole life in those increments." He was right about that too.

The other downside is benefits, or the lack of them. No employer 401k match. No paid parental leave, no disability insurance unless I buy it. My health insurance costs $800 per month and the deductible is $4,000. When I was at the SaaS company, the insurance cost me $220 per month with a $1,500 deductible. The delta, over a year, is about $10,440 in additional healthcare costs. Add the loss of 401k matching, which was $8,000 at my old job, and the true salary comparison between $168,000 employed and $192,000 self-employed narrows to maybe a $15,000 advantage for self-employment. Significant, but not the $24,000 headline number. I sleep better though. You can't put a dollar figure on not worrying about whether the CEO is going to ignore your recommendation and then blame you for the consequences.

The part nobody talks about

What's yours?

How much of what CISOs are paid is hazard pay they don't realize is hazard pay until something goes wrong. My CISO salary of $168,000 was not just compensation for my skills and experience. It included an implicit premium for carrying the organizational risk of a security breach on my personal reputation, and now potentially on my legal liability. The market prices that risk into the salary without ever calling it what it is. When I left the CISO role and started consulting, my stress level dropped by what felt like 60 percent, and my income went up. That inversion tells you something about how the market misprices security leadership. The CISO salary looks like a lot until you factor in what you're actually selling, which is your name on the risk register, your face in the boardroom when something goes wrong, and your career on the line when a developer pushes unvalidated code to production at 4:55 PM on a Friday. I was undercharging myself at $168,000. The market just hadn't given me a better option until I created one.


Would They Do It Again?

Trey
Ask me in two years.

I believe the trajectory is real. I believe $115,000 is out there for me in 18 to 24 months if I keep certifying and building skills. But right now, at $74,000 on nights with $1,280 in annual out-of-pocket professional development costs, I'm investing more than I'm earning. That's a bet. I think it's a good bet. Janae thinks it's a good bet. But neither of us will know until the payout happens.

Konstantin
The money is good enough. The work matters enough.

$138,000 in Chicago is a comfortable life. Not a luxurious one. A comfortable one. My condo is nice. Ana and I take one real vacation a year. The 401k is growing. The CISSP opened doors. The on-call is terrible but it's one week a month. The spreadsheet says the investment has paid off. The spreadsheet doesn't capture the nights I can't sleep because the pager might go off. But on balance, yes. I'd do this again.

Danette
Without hesitation. But I'd leave the CISO job two years earlier.

I spent two years as a CISO being undervalued and overexposed. The market had the answer the whole time: my skills are worth $185 an hour to nine clients and $80 an hour to one employer. The math was always there. I just had to stop being afraid of it. Wendell was right. The first year is the worst. The second year is just life.


Frequently Asked Questions About Cybersecurity Salaries

How much do cybersecurity professionals actually make?

Entry-level SOC analysts earn $55,000 to $80,000. Mid-level security engineers earn $100,000 to $155,000. Senior architects and managers earn $140,000 to $200,000. CISOs at mid-size companies earn $180,000 to $300,000. After taxes, certification costs, and unpaid professional development time, effective compensation is typically 15 to 25 percent lower than gross numbers suggest.

Is cybersecurity a well-paying career?

Relative to other technology roles, cybersecurity pays well at the mid-senior level. The median salary for information security analysts is about $112,000. However, entry-level roles often pay less than equivalent software engineering positions. The gap narrows at the senior level and can reverse at the executive level.

Do cybersecurity certifications increase salary?

Yes, measurably. The CISSP is associated with a $15,000 to $25,000 premium. Cloud security certifications command increasing premiums as organizations move to cloud infrastructure. However, certifications are most valuable when combined with demonstrated experience, and maintenance costs of $1,000 to $2,000 per year reduce the net benefit.

What is the highest paying cybersecurity job?

CISO positions at large enterprises can exceed $400,000 in total compensation. Among individual contributors, cloud security architects ($160,000 to $220,000), application security engineers ($140,000 to $200,000), and senior penetration testers ($130,000 to $180,000) are the highest-paying roles. Independent consultants with specialized compliance expertise can bill $200 to $300 per hour.