Growth in IT Security Workforce Picks Up

CISO , Cybersecurity , Governance

Cybersecurity Employment at Record Levels, But Still Doesn't Meet Demand Growth in IT Security Workforce Picks UpCompetitors at a U.S. Cyber Challenge competition. (Photo: Eric Chabrow)

Although an analysis of the latest government statistics confirms continued growth in the information security workforce, the supply of security expertise isn't meeting the demand.

See Also: Managing Identity, Security and Device Compliance in an IT World

Information Security Media Group's analysis of the latest quarterly employment numbers from the U.S. Bureau of Labor Statistics shows the size of the information security analysts workforce has soared by 68 percent since the BLS began producing these jobs reports in 2011.

In the third quarter, the number of workers in the United States who consider themselves information security analysts stood at an annualized 88,000, up from 80,500 in the second quarter and 72,800 a year earlier.

Information Security Analysts Workforce

imageISMG analysis of U.S. Bureau of Labor Statistics data

Numerous efforts are underway to help boost the security workforce. For example, in the past decade, scores of colleges and universities have introduced information security degree programs. Also, many companies have identified workers, often with programming and other computer expertise, and provided them the training to become information security professionals. Among the best known programs are competitions, such as those sponsored by the U.S. Cyber Challenge, which introduces students and young workers to cybersecurity and allows them to participate in contests that tests their security skills.

"The cyber challenges around the country - and world - are a positive influence on building the workforce," says Elise Yacobellis, manager of the Global Information Security Workforce Survey published by (ISC)2, an international, not-for-profit organization that provides IT security education and certification. "They're exposing IT security as a separate profession that could be sought out versus just the IT field. It helps them understand at a hands-on level what they'll possibly be doing if they were to move into this career. And, it also helps them understand if they like it, they have the aptitude for it and this is something they want to pursue."

None of these programs are flooding the job market with IT security specialists, although they're apparently beginning to help add personnel to the cybersecurity employment rolls.

Demand Outstrips Supply

But despite the pickup in the pace of the growth of information security analysts, the supply of IT security expertise isn't meeting the demand. A 2015 study by Frost & Sullivan for (ISC)2 projects a shortfall in worldwide IT security specialist of 1.5 million by 2019.

"Growth is very shallow and is at risk from the perspective that we clearly don't have a good number of deeply experienced professionals in this field," says Danny Miller, systems CISO at Texas A&M University. "I know of companies that have lots of openings, but no qualified personnel to fill them."

Still, IT security expertise can be found in other computer fields, especially database administrators, network and computer systems administrators, computer systems analysts and computer network architects.

And those occupations also are experiencing growth. Computer occupations have seen a steady climb, with more than 5 million people working or seeking work in a variety of information technology jobs, according to the ISMG analysis. That's a jump of 22 percent - or 4.6 percent annualized - since the BLS implemented its new way to calculate employment at the beginning of decade, according to the ISMG analysis.

Computer Occupations Workforce

Third quarter, 2016

Occupations Size
Computer and information systems managers 619,000
Computer and information research scientists 24,000
Computer systems analysts 528,000
Computer programmers 483,500
Software developers, applications and systems software 1,477,800
Web developers 222,800
Computer support specialists 556,800
Database administrators 98,000
Computer occupations, all other 604,500
Total 5,041,500
Source: ISMG analysis of U.S. Bureau of Labor Statistics

Defining InfoSec Occupations

BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure and respond to computer security breaches and viruses. Job titles could include computer security specialists, network security specialists and internet security specialist.

Historically, the BLS numbers have reflected IT and information security employment trends. Because of the sample size of the survey, it's not statistically reliable for the information security analysts category. However, on recommendation of BLS economists, ISMG annualizes the survey results, which make them more reliable. That's attained by adding the latest four quarters worth of survey data and dividing the result by four. For example, to arrive at the 88,000 figure for the information security analyst workforce, ISMG took the reported numbers for the last quarter of 2015 and the first three quarters of 2016 then divided by four.

BLS recognizes that shortcomings exist in the way it defines IT and IT security occupations. The bureau says it's revising its Standard Occupation Classification and might add new information security occupation descriptions. BLS says it expects to publish shortly new SOCs that would take effect in 2018. The last update of the SOC occurred in 2010, with the first employment surveys based on it occurring in 2011.

Culling Employment Data

For this report, the workforce numbers come from the government's Current Population Survey of American households, the same survey BLS uses to determine the monthly unemployment rate. Survey takers interviewing households ask respondents characteristics about their jobs and then determine their appropriate occupation category.

BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the ones labeled information security analysts, database administrators and network and computer systems administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable.