One frustration in covering the information security profession - and some say calling it a profession is inappropriate (see Professionalizing Cybersecurity Occupations) - is the lack of reliable statistics to track trends in cybersecurity employment.
The best numbers come from the U.S. Bureau of Labor Statistics, though even its economists won't swear by them. BLS doesn't even publicly publish employment stats on the category it calls information security analysts, a sort of catch-all category for many working in cybersecurity, but makes those numbers available upon request.
The numbers are statistically unreliable because the sample size for information security analysts is extremely small. Yet, BLS economists suggest aggregating four quarters' worth of data to create an annualized figure - still technically unreliable - is more dependable than just a single quarter's result. For well over a decade, I've analyzed BLS IT and IT security employment data and found that to be a good indicator of the labor market. They're far from precise, but they do provide a reasonable portrait of employment conditions.
Stats Suggest Dip in Workforce Size
Here's what the numbers show on an annualized basis:
- In the third quarter of 2013, BLS categorized 53,500 workers in the United States, including 51,500 employed and 2,000 out of work, as IT security analysts, resulting in an IT security unemployment rate of 3.7 percent, the same rate as for the entire IT occupation.
- The IT security workforce last quarter fell from 56,800 in the second quarter, when 55,000 workers were employed and 1,800 were jobless, for a 3.1 percent unemployment rate.
Even with our sluggish economy, you'd expect to see a rise in IT security employment because of the high demand for security expertise in government and business. Don't take a single quarter, even annualized, as a well-tuned gauge, but look at the longer trend it represents. There isn't much data to look at; BLS has only been providing IT security employment data since 2011.
Still, in 2011, the IT security workforce in the United States totaled 45,000. That means, in nearly two years, the number of people working as information security analysts has risen substantially. Again, don't take these statistics as gospel, but they likely reflect the trend that more people are moving into IT security jobs.
The apparent low unemployment rate in this sector, even if accurate, is considered full employment, and small jobless rates often reflect churn in the job market.
The numbers in this report come from the government's Current Population Survey of American households that produces the monthly unemployment rate, but the sample size is too small to be deemed statistically reliable because very few households have someone living in them who works in IT security. BLS Economist Karen Kosanovich explains that occupations, such as information security analysts, with a base of fewer than 50,000 individuals for annual averages and 75,000 for quarterly averages, don't meet the bureau's publication standards.
Defining the IT Security Specialist
BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure as well as respond to computer security breaches and viruses.
Survey takers interviewing households ask respondents about the characteristics of their jobs, and then determine their appropriate occupation category. That could mean someone performing network and computer systems administration - one of the IT occupation categories - could be deemed an information security analyst if a significant part of their responsibilities includes responding to breaches and viruses and monitoring systems for vulnerabilities.
Perhaps the recent decline in the number of network and computer systems administrators, based on an analysis of BLS stats, to an annualized 217,000 this past quarter from 243,800 in 2011 can be partly attributed to the growth in IT security employment.
One thing seems all but certain: The IT workforce in the United States is on the rise, reaching an annualized 4.47 million, and many of those workers require varying degrees of IT security know-how.