IT Security Workforce Reaches New High
But Makeup of Employed InfoSec Pros Hasn't Changed MuchAs IT security employment reaches a record high in the United States, what does that workforce look like? It remains overwhelmingly white and male. And that hasn't changed in years.
See Also: Webinar | Prisma Access Browser: Boosting Security for Browser-Based Work
Here's a look at the latest employment numbers from the federal government.
Regular readers of this blog know that I use quarterly, unpublished numbers from the Department of Labor's Bureau of Labor Statistics to analyze the current state of information security and IT employment.
"Information security analyst" is the only IT security occupation classification BLS tracks. An annualized 61,000 individuals considered themselves information security analysts during the third quarter of 2014. That includes 59,800 employed and 1,300 unemployed, resulting in an annualized unemployment rate of 2 percent. Economists generally consider an unemployment rate below 3 percent as full employment, meaning that a low unemployment rate denotes churn in the marketplaces, not people desperate for a job.
During the same quarter in 2013, an annualized 53,500 individuals called themselves information security analysts, with 51,100 employed and 2,000 jobless, and an annualized unemployment rate of 3.7 percent.
Those statistics translate into a 14 percent gain in the information security analysts' workforce in just a year, reflecting the growing demand for IT security skills by businesses and governments.
The number of men in the IT security workforce has hovered between 82 percent and 88 percent since the government began tracking information security analysts' jobs in 2011, according to our analysis of BLS data. And those numbers aren't likely to change anytime soon.
Eugene Spafford
"There are a smaller number of women going into the field as compared to their presence in the population as a whole," laments Eugene Spafford, a computer science professor at Purdue University who as executive director of Purdue's Center for Education and Research in Information Assurance and Security has advocated for more women in cybersecurity (see How Can Women Advance? Let Them Fail). "Twelve to 15 percent of students who are choosing this as a profession are female."
Information Security Analysts' Workforce
Source: ISMG analysis of Bureau of Labor Statistics data
Whites make up 78 percent of the U.S. population of the United States, according to the Census Bureau; African Americans, 13 percent and Asians, 5 percent. The analysis of BLS data shows that African Americans represent 11 percent of IT security analysts and Asians 5.4 percent.
Former U.S.-CERT Director Mischel Kwon provides historic perspective on imbalance of IT security workforce.
A year ago, African Americans comprised 7.3 percent and Asians 12 percent of the IT security workforce. In 2011, those numbers were 8.4 percent and 17.4 percent, respectively. Was there really a 12 percentage point drop in the Asian IT security personnel? Doubtful.
Questioning the Data
Here's why the validity of these numbers are in doubt. First, let's look at how we arrive at these statistics
The workforce and employment numbers in this report come from the government's Current Population Survey of American households that produces the monthly unemployment rate. Survey takers interviewing households ask respondents characteristics about their jobs, and then determine their appropriate occupation category.
BLS each quarter furnishes, only upon request, a breakdown of 535 job categories, including the one labeled information security analysts as well other computer-related fields, including computer and network system administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable. BLS Economist Karen Kosanovich explains that occupations such as information security analysts with a base of fewer than 50,000 individuals for annual averages and 75,000 for quarterly averages don't meet the bureau's publication standards.
Kosanovich and other economists advise annualizing the data by adding four quarters of results and dividing by 4. Doing so makes the statistics more reliable. But the smaller the size of the group, the less likely the results will be reliable. The subsets, based on gender and ethnicity, are so small that no amount of jiggering will increase the confidence in the results.
Why do I present the data? To help you reach conclusions on matters of importance. These numbers remind me that the IT security field, especially when considering gender, does not look like America. Having a more diverse workforce will strengthen IT security. That's my take, even with these imperfect numbers. What's your take?