Security Auditor Career and Salary Outlook

Security auditors hold specialized roles within information security (infosec) and cybersecurity teams. They perform tests of computer and information systems. These audits ensure systems conform to internal security policies as well as applicable external regulations or standards.

Fortinet's 2022 Cybersecurity Skills Gap report found 67% of polled organizations believe the ongoing cybersecurity skills shortage has increased the level of risk they face. Employers in the public and private sectors are working hard to address this skills gap, which has created a strong market for emerging cybersecurity professionals.

This guide focuses specifically on the security auditor career path. It explores how degrees, certifications, locations, and industries affect job growth and salary prospects.

What Does a Security Auditor Do?

The security auditor career focuses on detailed evaluations of organizations' information processing standards. Audits examine computer tools, including hardware, software, and middleware. Auditors also check security policies and investigate how personnel interact with computer systems.

Security auditors perform both preemptive and reactive analysis tasks. Preemptive auditing refers to the preventative analysis of controls and policies. Reactive auditing occurs when a security auditor carries out system and network checks in response to a security alert or possible breach.

The U.S. Bureau of Labor Statistics (BLS) includes security auditors in its broad career category for information security analysts. According to BLS data from 2021, 27% of infosec analysts work in computer systems design and related services. Many of these professionals also work for companies that operate in industries with particularly high cybersecurity needs.

Most security auditors work full time. Some employers require auditors to be on call at irregular hours in case of a cyberattack or breach.

How Much Does a Security Auditor Make?

According to Glassdoor, the average security auditor salary in the United States is $81,750 per year as of December 2021. This figure accounts only for base pay. Glassdoor places average total annual compensation for U.S. security auditors at just under $89,000. This figure factors in bonuses and other forms of compensation.

Glassdoor also offers breakdowns analyzing the average salary of a security auditor in more detail. The site's reported total compensation of $88,980 per year represents the median (50th percentile). Security analysts at the 25th percentile made approximately $70,000 in total compensation, while those at the 75th percentile earned about $114,000.

Security Auditors' Average Salary by Experience

Infosec professionals tend to earn more as their careers progress and they take on more responsibility. As security auditors accrue more experience and strengthen their skills, they are often compensated with higher salaries. Note the particularly large jump in average salaries between the early and late career stages.

Payscale data specific to security auditors is based on a relatively limited number of salary profiles. The table below instead uses the far more robust Payscale data set for information security analysts.

Security Auditors' Average Salary by Education

In the cybersecurity field, some employers place more value on a candidate's proven skills than on their formal credentials. However, education and certifications can significantly impact an information security auditor's salary.

A diploma, bootcamp credential, or associate degree may suffice for entry-level infosec jobs. However, many employers prefer candidates with at least a bachelor's degree when filling technical positions and more advanced roles.

The following table examines the average salaries associated with degrees and common security auditor certifications. Note that the data is not specific to security auditors, but instead covers all professionals who hold the credential in question.

Note the value of earning a certification such as ISACA's CISA credential or the (ISC)2CISSP credential. According to Payscale data, infosec professionals with these endorsements earn higher-than-average salaries.

Discover Which Education Path Is Right for You

• Cybersecurity Bootcamps
• Associate in Cybersecurity Programs
• Bachelor's in Cybersecurity Programs
• Bachelor's in Information Technology Programs
• Master's in Cybersecurity Programs
• Master's in Information Assurance Programs
• Computer Science Degree Programs
• Information Systems Security Degrees

Security Auditors' Average Salary by Location

Location-based factors usually impact a security auditor's earning potential. Because major metropolitan centers usually have higher costs of living, employers in these regions tend to offer higher wages than those in smaller cities and rural areas. However, because of these increased costs, higher salaries in more expensive areas may have lower buying power.

Supply and demand also play an important role in determining salary. If demand for security auditors is especially high in a particular area, employers must compete to hire from a limited talent pool. This also tends to elevate salaries.

Because Payscale's data for security auditors is relatively limited, the first table below draws on the site's much larger data set for information security analysts. Similarly, because the BLS includes security auditors within their broader information security analyst career category, the data in the second and third tables below reflect salary data for all information security analysts, not just security auditors.

With respect to the top-paying cities and metro areas, note the links between high salaries and areas with a strong tech industry presence. Many cities that pay information security analysts particularly well are located in Silicon Valley and the Dulles Tech Corridor.

Security Auditors' Job Outlook and Career Prospects

Like many other cybersecurity careers, security auditors are projected to experience job growth in the coming years. One main driver of growth is the increase in cybercrime: In 2020, Cybersecurity Ventures projected the global cost of cybercrime could reach $10.5 trillion per year by 2025.

As cybersecurity risks rise rapidly, employers are scrambling to fill gaps in their own infosec workforce. According to Cyberseek's heat map, more than 714,000 cybersecurity job openings were unfilled in the United States as of September 2022.

These dynamics suggest that infosec specialists such as security auditors stand to benefit from ongoing labor market demand. BLS projections for information security analyst careers confirms this: The BLS classifies this profession's projected growth rate — 35% from 2021 to 2031 — as "much faster than average."

Best Locations for Security Auditors

Security auditors and other cybersecurity and infosec professionals benefit from strong overall demand for their expertise. Often, that demand is particularly concentrated in densely populated areas that host diverse economies.

Some roles allow professionals to fulfill most or all of their duties from home. As such, hybrid and remote working arrangements may be available. These setups afford cybersecurity personnel increased flexibility with regard to employment options, as open positions may not require security auditors to relocate or limit their job search to one area.

The following subsections explore top states and cities for security auditors. They consider not only overall job numbers, but also area-specific growth rate projections. All quoted BLS data is drawn from their broad information security analyst career category.

Top States for Security Auditors

Notably, two of the top five states for infosec and security auditor careers are adjacent to the Washington, D.C. metro area. This speaks to the high need for cybersecurity skills in the federal government and among its private sector contractors.

Top Metropolitan Areas for Security Auditors

According to the BLS, the Washington, D.C. metro area employs the most infosec analysts of any major U.S. city. Given the sensitive nature of government databases and information systems, the nation's capital has a particularly strong need for advanced cybersecurity measures. This demand also extends into the private sector, as many government contractors also deal with proprietary and confidential information.

Infosec professionals also work in enterprise management, especially in industries that generate large quantities of private data. Examples of these industries include healthcare and banking. As such, areas with large financial and corporate centers are also well-represented.

Best Industries for Security Auditors

According to BLS data, there were approximately 163,000 information security analysts employed in the United States as of 2021. Within those positions, the industry-specific employment percentages break down as follows:

• Computer systems design and related services: 27%
• Finance and insurance: 15%
• Information: 14%
• Management of companies and enterprises: 8%
• Administrative and support services: 5%

The BLS also analyzes industries according to their pay rates and overall employment. These tables summarize general trends for information security analysts, as the BLS does not publish information specific to the security auditor career. Note that multiple top-paying industries only employ infosec professionals in small numbers.

Upward Mobility for Security Auditors

Security auditors usually function as part of larger cybersecurity or information security teams. In many organizations, these teams feature hierarchical structures that attach varying levels of responsibility to different roles.

The security auditor career path can lead to various management positions, such as the information security officer role. Chief information security officer (CISO) sits atop the industry's field of executive ranks.

Advanced certifications such as CISA and CISSP may boost upward mobility for security auditors aspiring to management or executive positions. CISOs generally rise through the ranks by combining education with ongoing professional development, leadership training, and job performance.

These upper-level roles include significant bumps in salary. As of September 2022, Payscale reports $95,530 per year is the average information security officer base salary. Payscale also cited an average base salary of $172,150 per year for CISOs as of September 2022.

Learn More About Information Security Auditors

FAQ About a Security Auditor's Salary and Career

Is a junior information security auditor's salary good?

Payscale data from September 2022 puts the average entry-level information security analyst's salary at about $61,420 per year. Those in the early career stage (1-4 years of experience) earn average salaries of approximately $69,770. Both of these salaries are higher than the 2021 median annual salary of $58,260.

Where is the best state to work as a security auditor?

According to the BLS, the top-paying states for information security analysts include California, New York, and Maryland. Virginia, Texas, and Florida are among the states that employ the highest numbers of information security analysts.

What is the best industry to work in as a security auditor?

According to the BLS, the largest percentage of information security analysts work in the computer systems design industry. Many also work in fields that process large volumes of sensitive data, such as financial services, insurance, and healthcare.

What is the highest salary a security auditor can make?

According to Payscale data from September 2022, infosec analysts at the 90th percentile earn average base salaries of about $114,000 per year. This figure does not include bonuses or other forms of additional compensation.