Infosec Job Growth Appears to Be FlatDemand for Security Know-How Not Reflected in Government Data
What the new United States Bureau of Labor Statistics data on IT security employment fail to show is the demand for those with information security know-how.
See Also: A Toolkit for CISOs
Information Security Media Group's analysis of BLS statistics reveals virtually no growth in the occupation classification labeled information security analysts since the government began tracking 18 months ago the category that includes professionals with a variety of specific IT security skills.
Information security isn't just the domain of those branded information security professionals but also of nearly every other IT occupation and those in many non-technical jobs, too
No doubt businesses, not for profits and government have a need for more information security expertise, but that fact isn't reflected in the government's employment numbers.
"The job creation in IT-related disciplines we're seeing in the monthly Labor Department numbers would be higher if employers could find more of these types of people to hire," IT employment consultant David Foote says in his analysis of last month's jobs' report. "The demand and willingness to pay premiums for these people are certainly there but the supply is not. And this will continue for the foreseeable future."
In many instances, information security knowledge resides in the heads of other IT professionals, which would not be reflected in the information security occupation classification numbers. When Marc Noble served as the chief information security officer at the Federal Communications Commission, he would rely on network staffers - covered by another BLS occupation classification - to perform information security chores.
"Some of them were extremely knowledgeable about information security and doing forensics and so on, but they're not counted as information security professionals," says Noble, now director of government affairs at (ISC)Â², an information security certification and education organization. "Could they be? Of course they could.
"There's a group that are strong information security professionals, which I would say is the donut hole, and then you have the whole donut, which are people who skirt into the information security profession, sometimes becoming information security professionals, but often adding support to information security"
In California state government, each agency under a 2-year-old state law is required to have an information security officer, but in about one third of those agencies, that job is filled by someone with a different title, a chief information officer or network administrator, for instance, says Keith Tresh, director of the state Office of Information Security, which is working with other state agencies to provide information security training for agency ISOs. Some other states and local governments as well as many businesses designate their chief information officers, with varying degrees of security experience, as being in charge of their information security efforts. In those instances, those individuals wouldn't be classified as information security pros by the BLS.
Examining the Numbers
BLS each quarter furnishes upon request a breakdown of 535 job categories, including the one labeled information security analysts. Because the survey size for any individual occupation category is too small to be statistically reliable, BLS neither officially publishes this data nor claims they're reliable. Yet, my experience of more than a decade of analyzing technology employment trends based on BLS numbers shows that they are indicative of the IT and information security employment trends.
To get a truer picture of the employment environment, ISMG annualizes the quarterly BLS data; simply, we take the past four quarters of statistics and divide by four, making them more consistent. With this proviso, here's what the latest BLS data show:
- Some 44,000 Americans consider themselves information security analyst in the second quarter of 2012, down from 46,000 in the first quarter and 45,000 in the fourth quarter 2011. None of those in this occupation category said they didn't have a job since the beginning of the survey in the first quarter of 2011.
- Overall IT unemployment ticked up 3.9 percent, a 0.1-point gain from the first quarter and fourth quarter 2011.
- IT employment in the fourth quarter fell to an annualized 4,016,000, down from 4,039,000 in the first quarter, but up from 3,983,000 in the fourth quarter 2011.
- The IT workforce - those employed and those unemployed who sought jobs in the IT field - fell to 4,180,000 in the second quarter from 4,197,000 in the first quarter. In the fourth quarter 2011, the IT workforce stood at 4,139,000.
Don't take any of these stats as gospel, but do accept them as a snapshot of what the IT and information security employment environment appears. And, that milieu is one in which information security isn't just the domain of those branded information security professionals but also of nearly every other IT occupation and those in many non-technical jobs, too.