Hacker News

Security definitely pays more than web dev, but there is still a ceiling.

In fact, one of the things about security is that the benefit is completely constrained by how much you could possibly lose. You can't really create unbounded through security the same way you can through development. And in most scenarios where you are tasked with doing preventative work, it is hard to prove that you're really delivering value when breaches don't happen, or even if they do. The recent industry shift towards detection & response resolves this a bit since you can show all the things you have found on your network. But it's hard to use these metrics correctly (is more malware found a good or a bad thing?).

I've been trying to figure out how to make myself scale as a security expert, and the answer I came to was that I needed to work on software/platforms that could kill classes of bugs at a time, but it turns out it can be very hard to turn experience into software.

You can certainly have a lot of impact on offense as an exceptional IC, as evidenced by the 6+ figure .gov market for exploits, but it's less clear to me how to have a big impact on defence (I say this as someone who has never worked defence anywhere, so this might just be my inexperience).


