June 28, 2026 · CISSP Career

CISSP Salary by Experience & Location: The 2026 City-by-City Matrix

Most salary guides give you a national median or a city snapshot — never the intersection. This one does. Here’s exactly what each experience band earns in every major US metro, and when moving (or going remote) actually pays off.

📖 11 min read

When you look up “CISSP salary by experience,” you get a national median. When you look up “CISSP salary Washington D.C.,” you get a city number without experience context. Neither answer is what you actually need: What should someone with my specific years of experience earn in my specific city?

That two-dimensional question is what this guide answers. We’ve built the full experience × location matrix for the eight largest CISSP markets in the US — so you can benchmark yourself accurately, understand what a job change or relocation is actually worth in dollars, and make that decision with real numbers behind it.

For the baseline experience-level progression that underlies all the numbers here, see our CISSP salary by experience guide. This article adds the geographic dimension on top of it.

Why Location Is the Second-Biggest Pay Driver After Experience

Among the variables that determine a CISSP holder’s salary — experience, title, industry, specialization, clearance — geography is consistently the second-largest after years of experience. The spread between the highest- and lowest-paying US markets for an identical role at the same experience level can exceed $60K in base salary alone.

$60K+
Spread between top and mid-tier markets at 10 yrs exp.
3
Market tiers with meaningfully different pay structures
NoVA
Highest-demand market due to DoD 8140 mandates
Remote
Now a legitimate fourth tier with distinct comp dynamics

Geography affects CISSP comp through three distinct mechanisms. First, demand density: markets with high concentrations of financial services, defense contractors, or tech companies simply post more CISSP-required roles, which drives up clearing prices. Second, structural mandates: the D.C. metro market has DoD Directive 8140, which legally requires CISSP (or equivalent) for certain government IT roles — creating demand that doesn’t depend on market conditions. Third, cost-of-labor competition: in tight labor markets like San Francisco, companies pay up because candidates have more alternatives.

🔑 The Market Tier Framework

For benchmarking purposes, US CISSP markets fall into three tiers. Tier 1 (Premium): San Francisco Bay Area, New York City, Washington D.C./Northern Virginia, Seattle. Tier 2 (Mid-Market): Austin, Chicago, Denver, Boston, Atlanta. Tier 3 (Value Markets): Phoenix, Nashville, Tampa, Kansas City, and most non-coastal metros. Remote positions now form a de facto Tier 1.5 that we address separately below.

The Full Experience × Location Salary Matrix

The table below shows US median base salary for CISSP holders in dedicated security roles, segmented by experience band and city tier. These figures represent the realistic market for active job seekers in 2026 — neither the floor nor the ceiling. Total compensation runs 10–30% higher depending on bonus and equity structure.

Experience Band SF Bay Area NYC D.C./NoVA Seattle Austin/Chicago Denver/Atlanta Other US
5–7 yrs $138K–$155K $125K–$145K $118K–$138K $122K–$142K $108K–$128K $100K–$118K $92K–$112K
7–10 yrs $162K–$185K $148K–$172K $142K–$168K $148K–$170K $128K–$152K $118K–$142K $108K–$132K
10–14 yrs ↑ $198K–$228K $182K–$215K $178K–$210K $182K–$212K $155K–$182K $142K–$168K $128K–$155K
14–18 yrs $232K–$275K $215K–$258K $205K–$248K $210K–$252K $178K–$215K $162K–$198K $148K–$182K
18+ yrs / Exec $285K–$420K+ $262K–$385K+ $252K–$350K+ $258K–$370K+ $215K–$295K $195K–$268K $172K–$238K

The highlighted row (10–14 years) is the inflection point where geographic spread is also at its widest in absolute terms. A Security Architect with 12 years of experience earns roughly $198K–$228K in San Francisco versus $128K–$155K in a Tier 3 market — a gap that can exceed $70K before bonus and equity.

⚠️ These Figures Assume Active-Role Placement

All figures assume you’re actively placed in a dedicated security role in that market. CISSP holders who work in general IT, software engineering, or non-security roles in high-cost cities often find that the geographic premium they’re paying in rent does not translate to their compensation — because their role doesn’t require the credential.

City Profiles: What Makes Each Market Unique

Numbers alone don’t tell the full story. Each major market has structural characteristics that affect not just the salary level but the career trajectory of a CISSP holder who works there.

Washington D.C. / Northern Virginia Highest demand density

NoVA is the single most CISSP-dense market on earth. DoD Directive 8140 mandates CISSP (or equivalent) for specific IAM and IASAE role categories across federal agencies and their contractors — creating structural demand that commercial markets don’t have. When federal agencies and contractors must hire CISSP-certified staff to maintain contract compliance, they pay to do it.

At the 10–14 year experience band, D.C./NoVA is often competitive with San Francisco in total compensation when clearance premiums are included (see the clearance section below). The cost of living advantage is significant: a $195K salary in Northern Virginia goes further than a $210K salary in San Francisco in most lifestyle scenarios.

  • Dominant employers: federal agencies, Booz Allen Hamilton, Leidos, SAIC, Accenture Federal, Deloitte Federal
  • Clearance premium: $20K–$45K above equivalent non-cleared roles at the same experience level
  • Career path: strong pipeline from analyst → architect → director, but federal pay scales can cap ceiling earlier than commercial
  • Best for: years 8–16, particularly if you hold or are willing to obtain a clearance
San Francisco Bay Area Highest absolute comp

San Francisco commands the highest absolute base salary for CISSP holders at almost every experience level. The premium is driven by competition from tech companies that have large security teams and significant equity budgets. At the 10-year mark, a Security Architect in the Bay Area will typically earn $25K–$40K more in base than the D.C. equivalent — and the total comp gap widens further when RSUs are included.

The practical catch: cost of living in the Bay Area is substantially higher than any other major CISSP market. A $210K salary in San Francisco and a $178K salary in Northern Virginia can represent near-identical real purchasing power depending on housing situation. The question is where you want to build the rest of your career — because Bay Area networks are genuinely valuable for executive-track professionals.

  • Dominant employers: Google, Meta, Salesforce, Cloudflare, Stripe, fintech startups, Big 4 advisory
  • Equity premium: RSU grants of $40K–$120K/yr are common at the 10–18 year band in tech companies
  • Career path: strongest pipeline to CISO roles at high-growth tech companies; highest equity upside
  • Best for: years 12–20+, especially those targeting a tech-sector CISO or VP of Security role
New York City Financial services premium

New York is the premier market for CISSP holders with financial services experience. Banks, hedge funds, insurance companies, and fintech firms all run large security teams and have the budgets to pay at the top of the range. The financial services premium is most pronounced at the 10–18 year experience band, where CISO-adjacent roles in regulated institutions pay competitively with tech-sector CISO roles and frequently offer significant cash bonuses.

Unlike the Bay Area, New York compensation leans more toward base salary plus annual cash bonus (20–40% of base) rather than equity. For CISSP holders who prefer predictable cash comp over equity-heavy structures, New York often wins on effective total comp calculations.

  • Dominant employers: JPMorgan Chase, Goldman Sachs, Citigroup, BlackRock, AIG, fintech unicorns
  • Bonus structure: cash bonuses of 20–40% of base are common; more reliable than equity at comparable levels
  • Career path: strong pipeline to financial-sector CISO roles; board-level security exposure earlier than most other markets
  • Best for: years 8–20+, particularly those with GRC or risk management experience alongside CISSP
Seattle AWS / cloud infrastructure hub

Seattle’s CISSP market is disproportionately influenced by Amazon Web Services, Microsoft, and the cloud infrastructure ecosystem around them. Security roles in the cloud provider space pay at the high end of the national range and often require both CISSP and cloud-specific credentials (AWS Security Specialty, CCSP). The CISSP-plus-CCSP combination is particularly well-compensated in this market.

  • Dominant employers: Amazon/AWS, Microsoft, Tableau, Expedia, Boeing security divisions
  • Cloud premium: CISSP + CCSP adds $15K–$25K to base in cloud-provider roles
  • Career path: strong technical IC track to Staff/Principal Architect level; AWS-specific career networks
  • Best for: years 7–18, especially those with cloud architecture or cloud security backgrounds
Austin, Chicago, Denver, Atlanta Tier 2 markets

Mid-tier markets offer solid CISSP comp at a meaningful cost-of-living discount versus coastal Tier 1 cities. The tradeoff is fewer CISSP-required roles at the senior end of the experience spectrum — meaning the Director → VP → CISO pipeline is shallower. CISSP holders in these markets often find their ceiling is lower in absolute dollars but their quality-of-life-adjusted compensation is competitive or superior to Tier 1 when housing costs are factored in.

  • Austin: growing tech presence (Dell, Apple, Tesla), more equity-heavy comp structures than the rest of Tier 2
  • Chicago: strong financial services sector (trading firms, insurance), reliable demand for GRC and risk management CISSP roles
  • Denver: federal contractor presence (NORAD area, defense tech), growing remote-first tech employer base
  • Atlanta: major health system HQs (CDC proximity), financial services (NCR, Cox Enterprises), Delta Airlines security

Find Out Where You Stand Before Your Next Negotiation

Passing the CISSP is step one. CISSP.app’s adaptive practice engine pinpoints your weak domains so you walk into the exam — and into your next salary conversation — fully prepared. Try it free for 7 days.

Start Practicing Free →

Free 7-day trial · No credit card required · CISSP, CCSP, and CISM included

The Remote Work Arbitrage: Earning SF Comp from Denver

Remote work has fundamentally changed the geographic equation for CISSP holders, but not uniformly. Understanding how remote comp actually works — and which scenarios genuinely allow you to capture Tier 1 pay while living in a Tier 2 or 3 city — is critical to optimizing your comp strategy.

When True Location-Agnostic Pay Exists

Some companies post CISSP roles as fully remote with a single national pay band. These are typically tech-sector companies headquartered in high-cost cities that have explicitly adopted location-agnostic compensation policies. In these cases, a Security Architect in Denver earns the same $195K–$228K that someone in San Francisco earns in the same role. These positions represent the highest effective comp for CISSP holders in Tier 2 and 3 cities.

When Geographic Banding Applies

Many larger companies — particularly those that have been hiring remotely since 2020 — have implemented geographic compensation bands that reduce pay for candidates outside major metros. A role posted at $195K for a San Francisco candidate might pay $155K for the same person in Denver under a geographic band policy. The net-of-cost-of-living comparison still often favors the Tier 2 location, but the absolute number is lower.

Best Remote Scenario

Fully remote role at a San Francisco or New York company with location-agnostic pay. Full Tier 1 salary with Tier 2 or 3 cost of living. Net effective compensation advantage of $30K–$60K vs. living and working in the headquarters city.

Common Remote Scenario

Remote role with geographic salary banding. Pay is 80–90% of the hub city rate for a Tier 2 city. Still $15K–$30K above what a local Tier 2 employer would pay for the same role, with cost-of-living advantage on top.

Watch Out For

Companies that list roles as “remote” but apply cost-of-labor adjustments at offer time. Always ask the recruiter about compensation banding by location before investing time in an interview process.

Remote Risk

Remote-only CISSP roles are less common at the CISO and VP level than at architect and manager levels. Senior leadership positions frequently require in-person board and stakeholder presence, which may limit fully remote options after year 14.

When Relocation Actually Pays Off (and When It Doesn’t)

The decision to relocate for a CISSP role is not just a salary comparison — it’s a career-stage calculation. The ROI of physical relocation varies significantly depending on where you are in the experience curve.

Experience Band From Tier 2/3 to Tier 1 Estimated Annual Gain Break-Even on Moving Costs Verdict
5–7 years Modest salary lift, modest career acceleration $18K–$30K base 6–12 months Situational
8–12 years Highest-ROI window; hits inflection stage in top market $35K–$65K base 3–6 months Strong Yes
12–15 years Strong gain but network disruption cost rises $40K–$75K base 4–8 months Consider Remote First
15+ years Executive roles are network-driven; location matters less Varies widely Highly variable Network-dependent

The clearest relocation case is the 8–12 year window. At that career stage, you’re approaching the inflection point where the move to Security Architect or Security Manager title drives the largest single comp jump in a CISSP career. Capturing that title transition in a Tier 1 market compounds the benefit: you get the title-change premium and the geographic premium simultaneously. A Security Architect title move in Northern Virginia or San Francisco at year 10 can be worth $50K–$80K more than the same title move in a Tier 3 market.

✓ The Sequence That Maximizes Lifetime Earnings

For CISSP holders in Tier 2 or 3 markets who are approaching year 8: Get the cert, get the title, then move (or go remote to a Tier 1 employer). Arriving in a top market already holding CISSP and an Architect or Manager title puts you in the top offer tier immediately. Arriving as a Senior Analyst looking for an entry-level role in the new market costs 1–2 years of salary growth. See the full experience progression guide for details on timing the cert and title together.

The Clearance Multiplier in the D.C. Metro

Northern Virginia deserves its own section on clearance premiums because no other market has this dynamic at scale. Security clearances — Secret, Top Secret, and TS/SCI — add a structural salary premium to CISSP roles in the D.C. market that doesn’t exist in any other geography in the same way.

Experience + Clearance Level Typical Base Salary Range Premium vs. Non-Cleared Commercial
10–14 yrs, CISSP, Secret $168K–$195K +$12K–$20K
10–14 yrs, CISSP, TS/SCI $188K–$225K +$30K–$50K
14–18 yrs, CISSP, TS/SCI $220K–$268K +$35K–$55K
18+ yrs, CISSP, TS/SCI + CI Poly $268K–$320K +$40K–$65K

The TS/SCI premium at the 10–14 year inflection band makes the D.C. market the most competitive with San Francisco in real total compensation terms for cleared professionals. The clearance effectively compresses the gap between coastal commercial tech salaries and federal/contractor roles by $30K–$50K — at a cost-of-living that still favors Northern Virginia significantly.

Our CISSP salary federal vs. commercial guide covers this comparison in detail, including which roles qualify under DoD 8140 and how the contractor pay structure differs from direct federal employment.

Your Personal Benchmark: Are You Location-Adjusted Underpaid?

Use the matrix above to benchmark your current salary against your specific experience band and city. Here is a structured approach for diagnosing your position:

Step 1: Find your experience band in the matrix and your closest city tier.

Step 2: Compare your current base salary to the range for that cell. If you’re below the lower bound, you have a compensation gap. If you’re in range, check whether a title change or role shift could move you up within the band.

Step 3: Check the remote-role market. If Tier 1 remote roles are available in your specialization, the effective floor for your experience band rises to at least the Tier 1.5 level — even if you live in a Tier 3 city.

Step 4: If you’re below the Tier 3 range for your experience band, the issue is unlikely to be geographic — it’s either title (you’re in the wrong role for your experience) or credential timing (you don’t yet hold CISSP). See the CISSP ROI analysis if you’re still pre-cert.

🔑 The Most Common Underpayment Pattern

The most common source of location-adjusted underpayment for CISSP holders is not being in the wrong city — it’s holding the wrong title in the right city. A Senior Security Analyst in San Francisco with 10 years of experience and a CISSP is earning $145K–$160K, when the Security Architect title in the same market would earn $198K–$228K. The credential and the experience support the title change; the title change doesn’t happen automatically. Target the right role in your current market before concluding you need to move.

If you’re approaching the CISSP exam and want to make sure you’re ready to leverage this credential at the next career level, our 90-day CISSP study plan is built specifically for working security professionals who need to pass without leaving their current role to study full-time.

FAQ: CISSP Salary by Experience and Location

Where do CISSP holders earn the most by experience level?

The highest-paying markets vary by experience stage. At 5–7 years, San Francisco and New York lead in absolute dollars. At 10–14 years, Washington D.C./Northern Virginia is often competitive with or exceeds San Francisco in total comp once clearance premiums are included. At 15+ years, San Francisco recaptures the lead through equity-heavy tech-sector CISO and VP packages.

How much more does a CISSP holder earn in Washington D.C. vs. a mid-tier city?

At the 10–12 year experience band, a CISSP-certified architect or manager in D.C./Northern Virginia typically earns $178K–$210K versus $142K–$168K in a Tier 2 city like Denver or Atlanta — a gap of $25K–$45K. If the D.C. role comes with a TS/SCI clearance, the gap widens to $50K or more.

Can a CISSP holder earn a high-market salary while working remotely from a lower-cost city?

Yes, with caveats. Companies with location-agnostic compensation policies pay the same rate regardless of where the candidate lives. Companies with geographic banding pay 80–90% of the hub-city rate. In both cases, the effective compensation advantage over working for a local Tier 2 or 3 employer is significant — typically $15K–$40K above comparable local roles.

At what experience level does relocation provide the highest ROI for CISSP holders?

Years 8–12 is the highest-ROI relocation window. This is the stage just before or at the career inflection point where the move to Architect or Manager title drives the largest single comp jump. Capturing that title transition in a Tier 1 market compounds both the title premium and the geographic premium simultaneously, often adding $50K–$80K in base salary versus making the same move in a Tier 3 market.

Does Northern Virginia or San Francisco pay more for experienced CISSP holders?

It depends on experience level and sector. At 10–14 years in federal contracting with a TS/SCI clearance, Northern Virginia often pays as well as or better than San Francisco in base salary, with a significantly lower cost of living. In pure commercial tech roles, San Francisco commands the highest absolute comp at the Director, VP, and CISO levels, primarily through equity-heavy total comp packages that government and contractor roles cannot match.

Maximize Your CISSP ROI — Start with the Right Prep

CISSP.app delivers 3,000+ adaptive practice questions across all 8 domains, a full CAT exam simulator, and personalized weak-area analysis. One subscription covers CISSP, CCSP, and CISM — the credential stack that commands the highest salary at every location.

Start Free 7-Day Trial →

No credit card required · Includes CCSP and CISM access · Updated June 2026