The number of information security analysts in the United States grew by 8 percent in the first three months of 2016, reaching a record 78,300, according to Information Security Media Group's analysis of U.S. government employment data.
At the same time, the size of the information technology workforce - including occupations with IT security responsibilities such as network and computer administrators and computer systems analysts - inched ahead by 1.7 percent in the first quarter to nearly 5 million, also a record.
U.S. Information Security Analysts Workforce
ISMG analysis of Bureau of Labor Statistics data
Over the past four quarters, the size of the information security analyst workforce increased by nearly 14 percent. During the same period, the IT workforce rose by 2.2 percent.
IT Workforce
Here is the size of the IT workforce during the first quarter of 2016 for each of the computer-related occupations the BLS tracks:
Source: ISMG analysis of Bureau of Labor Statistics data
Catastrophic Conditions
Despite the increase in the IT security workforce, organizations continue to struggle to identify qualified personnel to hire. "We're coming up on catastrophic conditions, if we're not already there, in the labor market in terms of the gap between companies unable to find or breed (internally) or have sufficient talent available to them to do what they want to do," says David Foote, co-founder of the IT employment research firm Foote Partners.
By some estimates, a shortfall of more than 200,000 IT security specialists exists in the United States.
The difficulty of finding qualified cybersecurity personnel is especially acute in the federal government. The government has authorized the Department of Homeland Security to hire 1,000 cybersecurity specialists (see 4 Barriers to Hiring DHS InfoSec Experts). But that will be a challenge. At a Senate hearing last month, Homeland Security Secretary Jeh Johnson said the government cannot match the salaries offered by private companies for employees with IT security skills. "We need more cyber talent without a doubt in DHS, in the federal government, and we are not where we should be right now," Johnson told the Senate Homeland Security and Governmental Affairs Committee.
Who's to blame for the chasm? "The skills gap at most companies is a self-inflicted wound," Foote contends. He argues that employers should have had the forethought years ago to convert existing personnel to cybersecurity specialists. "In many companies, [there] are a number of systems and network people that are doing a lot of the heavy lifting in security. Why not cross-train those people to assume a higher level job in security rather than just bury them in firewalls and all of that stuff? They just didn't do it."
Foote sees other ways to close the skills gap: automate security processes, work with academia to provide real-world experience to students studying IT security and participate in vendor partnerships that provide IT security solutions.
Defining InfoSec Occupations
As IT security becomes more important to the enterprise, a growing number of occupations incorporate IT security skills.
BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure and respond to computer security breaches and viruses. Job titles could include computer security specialists, network security specialists and internet security specialists.
Foote questions the methodology BLS uses to identify occupations, contending the government agency misses many jobs in the IT workplace. "They have a taxonomy that completely ignores a lot of the jobs in IT," he says. "They have different titles, and they can't track that information."
But defining what occupations require IT security skills isn't simple. "People working in the field don't agree on titles or skills sets required for a position," Purdue University Computer Science Professor Eugene Spafford says. "Imposing an occupation classification may or may not be useful. Many employers don't know what it is that they want."
Why Report BLS Numbers?
Historically, the BLS numbers have reflected IT and information security employment trends, especially after they're annualized, which we've done for this report.
That's done by adding four quarters' worth of survey data and dividing the result by four. For example, to arrive at the 78,300 figure for the information security analyst workforce, we took the reported numbers for the last three quarters of 2015 and the first quarter of 2015, then divided by four.
If deficiencies exist in the way BLS tracks IT and information security employment, why do we report its numbers? They're the only official numbers available. We'll explain how BLS determines its classifications and the employment numbers it collects and allow you to decide what they mean.
BLS recognizes that shortcomings exist in the way it defines IT and IT security occupations. The bureau says it's revising its Standard Occupation Classification and might add new information security occupation descriptions. Later this spring, BLS is expected to publish new SOCs that would take effect in 2018. The last update of the SOC occurred in 2010, with the first employment surveys based on it occurring in 2011.
Culling Employment Data
For this report, the workforce numbers come from the government's Current Population Survey of American households, the same survey BLS uses to determine the monthly unemployment rate. Survey takers interviewing households ask respondents about the characteristics of their jobs and then determine the appropriate occupation category.
BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the ones labeled information security analysts, database administrators and network and computer systems administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable. BLS Economist Karen Kosanovich explains that occupations, such as information security analysts, with a base of less than 75,000 for quarterly averages, don't meet the bureau's publication standards.