Characterizing the state of employment among American information security practitioners, executive recruiter Joyce Brocaglia says, "We are experiencing negative unemployment in the field of information security."
Brocaglia, chief executive of the boutique executive recruiting firm Alta Associates, hit it on the nail. An Information Security Media Group analysis of Bureau of Labor Statistics employment data, published July 3, shows the annualized unemployment rate among information security analysts during the second quarter of 2014 fell to 1.8 percent, which for all practical purposes suggests no unemployment in the field. Such a small percentage usually signifies churn in the marketplace, with the joblessness representing IT security practitioners between jobs.
All of a sudden, they're paying a lot more attention on how important it is to have someone on that board that truly understands information risk and information security.
That rate is the lowest since the final quarter of 2012, when the annualized unemployment rate was just under 1 percent. The annualized jobless rate in the first quarter was 3.2 percent, still a good number considering it's half of what overall unemployment stood. The difference between the first and second quarter stats can be attributed to a statistical quirk caused by the small number of households BLS surveys. Though the specific quarter-to-quarter statistics can be questioned as statistically significant - we publish them because they're the only official data available and believe our readers can decide whether or not to trust them - they've proven over the years to reflect the reality in the marketplace.
The Impact of Breaches on Employment
With highly publicized breaches, more organizations look to bolster their IT security staffs and programs. "People are much more aware and companies are taking information security much more seriously and they're building an internal information security program with the best talent," says Andrea Vahosky, a senior executive recruiter at L.J. Kushner & Associates, an IT security recruiting firm.
Since the BLS adopted the current method to count employed and unemployed Americans, the information security analysts' workforce - the number of people employed in that occupation combined with the unemployed seeking jobs in information security - has reached its highest level at 56,800 last quarter, which it attained once before a year ago. Since the last quarter of 2011, which saw a workforce of 45,000, the annualized IT security workforce has climbed by nearly 25 percent.
Information Security Analysts' Workforce
Source: ISMG analysis of Bureau of Labor Statistics data
Still, the availability of talent can't keep up with demand. "There are more jobs than talented security professionals," Vahosky says.
The information security analyst occupation category reflects jobs with a number of skills. but not all IT security jobs neatly fit into that category. Among the skills Vahosky identifies employers seeking: incident response, forensics and application security.
The largest of BLS's computer occupation - application and systems developers - saw its workforce reach a record 1,184,300 last quarter, up from 1,150,500 in the previous quarter. Though not a security occupation per se, the application developers' skills have evolved to incorporate security know-how.
Hear Joyce Brocaglia discuss recruiting CISOs for boards of directors.
It's not just raw numbers that pose a problem for employers seeking IT security talent. The jobs themselves have become more complex. Chief information security officers and other top IT security leaders have a lot more on their plate than they did just a few years ago, and finding such talent isn't easy. The job requires a more sophisticated understanding of governance, regulation, law and clients, and not just IT security and operations. "It's just expanding so much," Brocaglia says.
And, Brocaglia says some companies have approached her firm about identifying CISOs or chief risk officers to serve on their boards of directors. With big breaches adversely affecting stock prices, she says, "All of a sudden, they're paying a lot more attention on how important it is to have someone on that board that truly understands information risk and information security."