In the first few weeks of 2026, several companies, including stalwarts such as Amazon, Citi, Workday, UPS and T-Mobile, announced layoffs and restructuring plans that hit white-collar jobs, including IT, developer and cybersecurity positions, especially hard.
The reasons many enterprises are making cuts and slowing hiring include concerns about U.S. financial policies, such as tariffs; employees of all stripes staying in their jobs longer and no longer seeking other career opportunities; and artificial intelligence (AI) eliminating some entry-level positions, according to a recent analysis in The Wall Street Journal.
For cybersecurity professionals seeking a new position following a layoff or trying to leave a current job for better prospects, these factors can be daunting. There are, however, career paths that remain open for security professionals, such as cybersecurity consultant roles.
The cybersecurity consultant role – also referred to as information security consultant or cybersecurity analyst – can offer flexibility and advancement opportunities to professionals, whether they are relatively new to the industry or have many years of experience. Cybersecurity consultants can work for one firm as a full-time employee or contractor, or they can have multiple clients with varying needs.
And while some companies are laying off or reducing cybersecurity staff, attacks continue and corporate data remains vulnerable to external and internal threats, which increases the value of hiring cybersecurity consultants to address these security issues and improve defenses.
“Cybersecurity consulting is all about being the frontline detective and fixer for organizations facing evolving threats,” John Anthony Smith, co-founder and chief security officer at Fenix24, told Dice. “It involves assessing vulnerabilities through audits, penetration testing, and risk evaluations; implementing defenses like firewalls, encryption protocols, and incident response plans; and responding to breaches when they hit. But it’s not just tech—consultants often train teams, draft policies, and advise on compliance with regulations such as the EU’s General Data Protection Regulation rules.”
Cybersecurity Consultants: By the Numbers
To better understand the cybersecurity consultant role, it’s helpful to review statistics from the cybersecurity job board CyberSeek, which lists a total of 5,150 open positions mentioning “cybersecurity consultant” within its jobs heat map.
CyberSeek also notes that 36 percent of these open positions require at least a bachelor’s degree, but a majority—about 61 percent—do not specifically require a bachelor’s degree. This provides additional opportunities for those who have cybersecurity or IT experience but lack a formal college or university degree.
Cybersecurity consultants' salaries vary, but Glassdoor lists the median compensation for these cyber professionals as $155,000, which includes a combination of base pay and bonuses.
CyberSeek lists the nine most sought-after skills that appear in online job postings for cybersecurity consultants:
- Cybersecurity
- Computer science
- Identity and access management
- Vulnerability
- Project management
- Microsoft Azure
- Amazon Web Services
- Risk management
- Auditing
Cybersecurity consultants need these IT fundamentals for their work. In addition, consultants should be versed in tech issues such as networking, operating systems, and basic programming – specifically Python for scripting automation – to help prepare security plans and confront threats for their clients or organizations, Smith noted.
“Understanding common threats—phishing, malware, social engineering—is key, along with tools like Wireshark for packet analysis or Metasploit for ethical hacking. There’s no need for a doctorate. Hands-on experience from IT support roles or personal projects counts heavily,” Smith said.
Cybersecurity Consultants: What Certifications Matter
Beyond experience and cybersecurity and IT know-how, certifications can also help cybersecurity consultants land a job or expand their client list. CyberSeek lists five certifications that appear most frequently in online job postings:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- GIAC certifications
- Certified Information Systems Auditor (CISA)
- Certified Ethical Hacker (CEH)
Trey Ford, chief strategy and trust officer at Bugcrowd, noted that a good cybersecurity consultant has a strong technical foundation and that certifications as well as hands-on experience are often more important than additional degrees or diplomas.
Cybersecurity consultants also need network and desktop support experience, as well as a detailed understanding of various operating systems, Ford added. These cyber professionals must also possess a commanding understanding of security program foundations and the relevant compliance and control structures.
“Cybersecurity consultants must have the ability to interpret both the desired outcome of the compliance body and align the security program and operating patterns of the company to validate control objectives, find and understand gaps, and recommend useful changes to durably meet them,” Ford told Dice. “They also need a well-organized, strong work ethic, with the ability to create a safe space for findings. Findings are not failures; they’re opportunities for improvement, and sustainable security—with compliance as a byproduct of that investment.”
Cybersecurity Consultants: What Can They Do?
The tasks and duties of cybersecurity consultants can range from improving an organization’s defenses following a threat or attack to penetration and vulnerability testing, conducting audits to ensure compliance and regulatory obligations are met, and assisting with training staff and employees on good cybersecurity hygiene.
“Cybersecurity consultants work with organizations to analyze their overall attack surface and make recommendations to improve security and reduce risk. Cybersecurity consultants provide a valuable third-party perspective on the security of an organization and can bring the most current ideas and strategies to improve security,” Bud Broomhead, CEO of security firm Viakoo, told Dice. “Virtually every organization continues to be under-resourced when it comes to cybersecurity, while the cost and impact of cyber incidents continue to rise. That makes for a great market for cybersecurity consultants that is likely to grow over the next few years.”
While technical skills rank high for most cybersecurity consultants, Smith noted that those who succeed in this field also need soft skills like good writing and communication abilities, which help when they meet with C-suite and board executives or prepare reports for the wider organization.
“Beyond tech chops, it’s about problem-solving under fire: clear communication, explaining complex threats to non-tech executives, and adaptability. Threats evolve daily, so lifelong learning is non-negotiable,” Smith said. “Soft skills like collaboration are huge; you’ll work with IT teams, legal, and the C-suite. Reliability and ethics are table stakes—clients trust you with sensitive data. For freelancers, business acumen helps: marketing yourself, scoping projects, and managing contracts. At the end of the day, bring a proactive mindset—don’t just fix issues, anticipate them to add real value.”
Cybersecurity Consultants: Is It Better to be a Specialist or a Generalist?
One aspect of the job that consultants should consider is whether it is better for their development to be a specialist in a particular area of cybersecurity or a generalist who can handle multiple tasks.
In Smith’s view, generalists are good for small firms or startups that require help with their broad cybersecurity needs, but niches like AWS or Azure cloud security, IoT vulnerabilities, or ransomware readiness allow a cybersecurity consultant to command higher rates and stand out.
“For new consultants, start general to gain exposure, then niche down based on what excites you and where demand is hot. In today’s landscape, with AI-driven threats rising, specializing in AI security or zero-trust architectures could be a game-changer,” Smith added.
For Bugcrowd’s Ford, the notion of a specialist versus a generalist is a false dichotomy since organizations always need both types to improve their security.
“We need both, and we need a blend, and above all, we need genuine curiosity and hunger. Those fully specialized professionals often come with massive blind spots that require partnership and safety to say, ‘I don’t know about this—my expertise is on this given topic,’” Ford said. “I find the specialized generalists to be the most productive; they bring hidden talents and passions. Folks who can see the whole picture, with the passion and depth to really dig into different aspects of the program and company, bring so much more value.”