Ignorance isn't bliss when mulling IT security employment numbers.
See Also: DevOps - Security's Big Opportunity
Reliable data specifying the number of people employed in the United States in the cybersecurity field is hard to find. Knowing more about what IT security occupations exists and how many people fill those jobs could help employers and job seekers get a better handle on what security skills are truly in demand.
The best number available comes from the U.S. Bureau of Labor Statistics, culled from the same survey that produces the monthly unemployment rate. Among BLS's 840 Standard Occupation Classifications, or SOCs, only one exists for IT security: information security analysts. And, according to an Information Security Media Group analysis of BLS data, the number of individuals designated as information security analysts increased by 5 percent this past year, growing to 73,000 in 2015 from 69,000 in 2014.
But a 5 percent increase doesn't meet the needs of private enterprises and government agencies in filling their IT security gap. "It's difficult to keep up with the demand because the demand is so great; it's certainly outpacing the supply," says George Washington University Professor Diana Burley, who conducts research on the IT security profession.
BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure and respond to computer security breaches and viruses. Job titles could include computer security specialists, network security specialists and Internet security specialist.
Sounds like a catch-all category, although one that doesn't capture all the needed IT security skills most enterprises require. Many other IT-related jobs require varying degrees of information security know-how; indeed, most info tech jobs include aspects of security, notably software developers, database administrators and network and systems administrators. Here's the latest workforce data from the BLS on those fields:
U.S. Computer-Related Workforce in 2015
- Computer and information systems managers: 665,500
Computer and information research scientists: 25,300
Computer systems analysts: 564,800
Information security analysts: 72,500
Computer programmers: 497,300
Software developers: 1,380,000
Web developers: 211,800
Computer support specialists: 492,800
Database administrators: 93,800
Network and computer systems administrators: 225,500
Computer network architects : 114,300
Computer occupations, all other: 562,000
Job descriptions the government develops don't correspond with those employers write. That's evident when exploring tech job sites such as Dice, where IT security specialists are among the three hottest computer-related skills. "With security breaches and information hacks appearing almost daily in the news, it's clear that companies need to shore up their security practices with the right talent," Dice President Bob Melk writes in a just-published blog. "Dice job postings for security professionals are growing year-over-year, with engineer positions up 22 percent and network security jobs up 19 percent."
And not every job requiring IT security know-how is a technical one. As Burley points out, IT security knowledge is key for a number of non-computer related occupations that conduct security work, such as public policy analysts and lawyers.
BLS Revising Standard Occupation Classification
Developing new categories of IT security occupations would paint a clearer picture of the profession. BLS is revising its Standard Occupation Classification, and might add new information security occupation descriptions. We'll know later this spring, when BLS publishes the new SOC that takes effect in 2018. The last update of the SOC occurred in 2010, with the first employment surveys based on it occurring in 2011.
But defining what occupations require IT security skills isn't simple. "People working in the field don't agree on titles or skills sets required for a position," Purdue University Computer Science Professor Eugene Spafford says. "Imposing an occupation classification may or may not be useful. Many employers don't know what it is that they want."
Still, the more knowledge we have about the information security field, the better we can plan for the staffing needs to assure the digital assets of businesses and government agencies can be secured.