How IT Security Workforce is Expanding
Jobs, Semantics Explain Increase in Cybersecurity Employment
The head of the National Security Agency described former contractor Edward Snowden's job at the NSA as a systems administrator [see NSA Outlines Steps to Reduce Leaks]. But the occupation classification of information security analyst could be a more fitting depiction of the whistleblower's profession when examining his skill set.
That scenario could explain why just-issued data from the U.S. Labor Department's Bureau of Labor Statistics suggests a sharp rise in the number of professionals who identify themselves as an information security analyst, a catch-all job classification that includes a number of security-related skills.
An Information Security Media Group analysis of the BLS data shows that in just under two years, the number of people who consider themselves information security analysts in the United States increased by 26 percent. The numbers presented here should not be taken as gospel (see explanation below). Although not deemed statistically reliable, BLS employment data have proven to be indicative of workplace trends in the more than 10 years I've been analyzing them.
According to our analysis, about 56,000 individuals described themselves as information security analysts during the 12 months ended June 30, up from 45,000 for the fourth quarter of 2011. The numbers and percentages might not be precise, but there's little doubt that an increase in IT security employment is occurring.
Jobs, Jobs, Jobs
"What is driving the trend is jobs," says former Federal Chief Information Officer Karen Evans, who now heads the U.S. Cyber Challenge, a not-for-profit organization that promotes cybersecurity careers to students.
With awareness of cyberthreats entering the mainstream - think the news surrounding Snowden - and the quest for job security, it's reasonable to imagine that more people would be attracted to careers in information security, or at least calling themselves information security professionals as businesses seek to secure their systems.
"A major part of the increase results from businesses realizing more and more that adequate security is no longer nice to have, but is now an absolute must in today's world," says Hord Tipton, executive director of the IT security certification organization (ISC)². "Breaches are becoming more expensive daily, more disruptive and therefore more damaging. Loss of our secrets and intellectual property through espionage continues to push us backwards on the technology front, and it is also very embarrassing."
The increase in the IT security workforce also is being driven by semantics. BLS, in its survey, asks respondents to define elements of their jobs. As more professionals describe their work as including more IT security responsibilities, they could be shifted over to the information security analyst category.
"It's people moving away from the category of systems administrator to the category of IT security," says Matthew Kazmierczak, vice president for research and reports for the IT trade group Tech America. "It's not an actual real drop; it's just a definitional shift."
Glimpse of the Future
Franklin Reeder, co-founder of the Center for Internet Security, sees cybersecurity more as an organizational function than a well-defined set of disciplines. "Cybersecurity duties are embedded in a wide variety of jobs, including software development and systems administration," says Reeder, who has researched the IT security profession. "As cybersecurity is increasingly seen as a growth field, we may be seeing more individuals self-identifying as cybersecurity types in the interest of job security."
Toward the end of the decade, BLS will revise its occupation classifications and create several classifications of IT security professionals. To get an idea what those new classifications might look like, check out occupation categories on job boards. Dice.com, for instance, has categories that include network security, security architect and security engineer, as well as broader ones, such as cybersecurity and information security.
The security architect category - an offshoot of what BLS labels computer network architects - has seen a 21 percent year-to-year increase in job postings on Dice.
"A small company will have somebody as a system administrator or network administrator who is doing security functions," Dice Holdings CEO Scot Melland says. "As they grow, they add somebody with specialized skills. A financial services company or bank doing electronic transactions probably has a network security specialist because you're doing millions of dollars of online transactions and the networks you're running are incredibly important to secure."
Examining the Numbers
BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the one labeled information security analysts. Because the survey size for any individual occupation category is too small to be statistically reliable, BLS neither officially publishes these data nor claims they are reliable. Yet they do suggest IT and information security employment trends.
To get a truer picture of the employment environment, we annualize the quarterly BLS data. We take the past four quarters of statistics and divide by four, making them more consistent. With this proviso, here's what the latest BLS data shows:
- Some 55,000 individuals were employed as information security analysts, with another 1,800 reporting that they were unemployed. Add those two figures together to get an information security analysts workforce number of 56,800.
- The IT security unemployment rate in the second quarter, based on these figures, would be 3.1 percent, up from 2 percent and 1 percent in the two previous quarters. Four earlier quarters showed no unemployment. Remember, because of the sample size, these percentages are not reliable. Also, many economists believe that an unemployment rate of 3 percent or less is considered full employment because of the normal churn of jobs.
The numbers in this report come from the government's Current Population Survey of American households, which produces the monthly unemployment rate, but the sample size is too small to be deemed statistically reliable because very few households have someone living in them who works in IT security. BLS Economist Karen Kosanovich explains that occupations such as information security analysts with a base of fewer than 50,000 individuals for annual averages and 75,000 for quarterly averages don't meet the bureau's publication standards.