Employment Data Not to Believe
IT Security Job Numbers Don't Feel Right
Anecdotal evidence usually supports the data the Labor Department culls on IT security employment. Usually isn't always, and the 2013 stats reported by the Bureau of Labor Statistics seem at odds with what is likely true.
Followers of this blog know that each quarter I analyze the latest employment statistics provided by BLS to estimate the size of the information security workforce ... with a caveat: Because of the small sample size for most occupation classifications, BLS's data isn't statistically significant and should not be taken as gospel. Still, quarter after quarter, year after year, these numbers have shown that employment among information security analysts has, for the most part, been on the rise.
The size of the IT security analyst workforce for 2013 stood at 49,900, down from 52,500 for 2012, according to the BLS data. Did fewer people work as IT security analysts last year, or is the figure an outlier, perhaps because of the small sample size? I suspect the latter, as does Malcolm Harkins, chief information security and privacy officer at chipmaker Intel.
"When I saw (the BLS stats) I was actually quite surprised at the data indicating a decline," Harkins says. "I am not sure that fully matches the overall trend.
"Having said that, it could also be just a title/occupation shift, and there could be a corresponding increase in privacy professionals, other types of technical risk and controls role for fraud or anti-counterfeiting, job roles such as threat analyst, security validation engineer or data scientists working on security business intelligence, or training/awareness professionals who are focused on security education for your employees."
Weakness in the Data
Harkins has a point, and therein lies the weakness of the BLS data. None of the roles Harkins delineates exists as a defined occupation category that the Labor Department tracks. Those roles are folded into one or another of the existing occupation categories.
The data cited here comes from the same survey of American households that the government uses for its monthly unemployment number. Survey takers interviewing households ask respondents about the characteristics of their jobs, and then determine their appropriate occupation category. That could mean an individual who explains that her job involves defining controls to prevent online fraud could be designated as a computer systems analyst, whose role includes analyzing business problems - in this example fraud - to implement and improve computer systems, and not as an information security analyst, a category that includes those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information.
"Some of these roles, per se, may not be 'security' in the traditional infosec sense, but are key positions to prevent, detect and respond to cyber-risks," Harkins says.
The occupational categories BLS uses, especially those in computer-related fields, often are outdated by the time they're adopted. "The [IT security] field is rapidly evolving ... either because the technology continues to evolve or the nature of the threat continues to evolve," says Diana Burley, an associate professor at George Washington University who's conducting research on cybersecurity professionalization (see Professionalizing Cybersecurity Occupations).
The information security analysts' occupation classification is relatively new. Until 2011, the bureau never published a job classification specifically designating information security.
Analyzing the Stats
BLS makes the information security employment numbers available upon request, but does not post them on its website because it can't vouch for their accuracy. But this blog continues to publish them, with the caveat, because they're the only figures available that reflect America's IT security employment.
Despite their uneven fluctuation, likely caused by the small sample size, the IT security stats have value and show strength within the field vis-à-vis the entire workforce. The IT security analysts' workforce of 49,900 in 2013 was nearly 12 percent larger than the 44,500 recorded in 2011. As a comparison, the nation's overall workforce inched ahead by just a hair over 1 percent during that same period.
And these numbers suggest that unemployment among IT security analysts last year averaged 3.5 percent - which most economists consider full employment caused by normal churn in the marketplace. As a comparison, unemployment for all occupations in 2012 was nearly twice as high.
Look at it this way: When compared with the rest of the job marketplace, the IT security workforce looks strong. As a journalist, I see my job as being transparent and giving you the numbers in the belief that the more information available, the better people can analyze a situation, in this case the IT security employment environment. It's your job to determine how to use the information.