Breaches Propelling IT Security Workforce Growth
Analysis: Negligible Unemployment Among Security Practitioners
The increase in breaches is having a positive impact on IT security employment in the United States, as headlines about one cybersecurity incident after another serve as recruiting tools for skilled workers to help defend against these assaults.
Since last summer, the number of people who consider themselves information security analysts - a catchall category the government uses for a number of IT security jobs - increased by 9 percent to a record 80,500, according to an Information Security Media Group analysis of U.S. Bureau of Labor Statistics data. At the same time, the overall IT workforce - which includes many positions with IT security responsibilities - topped 5 million for the first time during the second quarter of 2016, up 2.6 percent from a year earlier.
Behind the surge in employment are "the actual negative stories about what is happening," says Karen Evans, national director of the U.S. Cyber Challenge, which sponsors programs to get high school and college students interested in IT security careers. An example Evans cites: the healthcare industry. "They need to hire people to help them because they're becoming big victims of ransomware."
BLS researchers concur. "As the healthcare industry expands its use of electronic medical records, ensuring patients' privacy and protecting personal data are becoming more important," BLS says in its occupational outlook handbook. "More information security analysts are likely to be needed to create the safeguards that will satisfy patients' concerns."
Dearth of Qualified Practitioners
Still, organizations struggle to find the right IT security skills to bolster their cyber defenses. "Employers are becoming much more aware that they don't have the right people in their security departments," says David Foote, chief analyst and co-founder of IT employment research firm Foote Partners. "They may have good technical people who can fix firewalls and implement basic perimeter solutions. But what's missing are enough of the sort of people who can make the case for cybersecurity being linked to business challenges and business developments. That's going to be the significant weakness."
According to the BLS, employment in the information security analysts occupation is expected to grow by 18 percent from 2014 to 2024. In some IT fields, the growth for IT security specialists will be even greater; BLS projects a 36 percent increase for information security analysts working in computer systems design and related services.
The IT workforce consists of employed and unemployed individuals seeking IT work. According to the ISMG analysis, the unemployment rate for all IT jobs stood at 2.7 percent in the second quarter; for IT security analysts, 0.9 percent. Economists consider both percentages to represent full employment, and the joblessness in both categories mostly reflects normal employment churn.
Here is the size of the IT workforce during the second quarter of 2016 for each of the computer-related occupations the BLS tracks:
- Computer and information systems managers: 636,000
- Computer and information research scientists: 22,000
- Computer systems analysts: 526,500
- Information security analysts: 80,500
- Computer programmers: 487,800
- Software developers: 1,483,300
- Web developers: 206,500
- Computer support specialists: 536,000
- Database administrators: 97,000
- Network and computer systems administrators: 219,300
- Computer network architects: 119,800
- Computer occupations, all other: 601,000
Defining InfoSec Occupations
BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure and respond to computer security breaches and viruses. Job titles could include computer security specialist, network security specialist and internet security specialist.
But other occupations have significant IT security responsibilities. Network and computer systems administrators, for instance, maintain network and computer system security as well as add users to a network and assign and update security permissions on the network. Database administrators plan security measures, ensuring that data are secure from unauthorized access. Software developers, computer and information research scientists and computer network architects must assure security in the products and services they help create.
BLS recognizes that shortcomings exist in the way it defines IT and IT security occupations. The bureau says it's revising its Standard Occupational Classification and might add new information security occupation descriptions. BLS is expected shortly to publish new SOCs that would take effect in 2018. The last update of the SOC occurred in 2010, with the first employment surveys based on it occurring in 2011.
Annualizing the Numbers
Historically, the BLS numbers have reflected IT and information security employment trends, especially after they're annualized, which we've done for this report.
That's attained by adding four quarters' worth of survey data and dividing the result by four. For example, to arrive at the 80,500 figure for the information security analyst workforce, we took the reported numbers for the last two quarters of 2015 and the first two quarters of 2016, then divided by four.
For this report, the workforce numbers come from the government's Current Population Survey of American Households, the same survey BLS uses to determine the monthly unemployment rate. Survey takers interviewing households ask respondents about the characteristics of their jobs and then determine their appropriate occupation category.
BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the ones labeled information security analysts, database administrators and network and computer systems administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable. BLS Economist Karen Kosanovich explains that occupations, such as information security analysts, with a base of less than 75,000 for quarterly averages, don't meet the bureau's publication standards.
If BLS statistics aren't statistically reliable in some cases, why do we report them? They're the only official numbers available on IT and IT security employment. We explain how BLS determines its classifications and employment numbers, which allows you to decide what they mean.