The Public Eye with Eric Chabrow

Governance & Risk Management

Analysis: InfoSec Workforce Growth Stalls

Following Big Jump in 2014, Workforce Remains Flat in 2015
Analysis: InfoSec Workforce Growth Stalls
Jane Holl Lute

After jumping by 33 percent in 2014, the number of Americans who consider themselves IT security professionals has remained flat for the first half of 2015, according to an examination of federal government employment data. That's bad news for employers seeking IT security pros to hire.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

An Information Security Media Group analysis of Bureau of Labor Statistics employment data - culled from the same household surveys the government uses to determine the monthly unemployment rate - shows that 73,800 people identified themselves as information security analysts during the second quarter of 2015. That's basically unchanged from the first quarter of the year. During 2014, the number of information security professionals rose by one-third to 74,000 from 55,300.


SOURCE: ISMG analysis of Bureau of Labor Statistics data

Since BLS began using the current method to determine employment data in 2012, the IT security workforce has grown in the United States by 62 percent over those 3½ years. Still, the growth - which would be deemed significant in other professions - comes nowhere near to meeting the demand of public- and private-sector employers for IT security personnel.

More than six in 10 IT security professionals surveyed earlier this year by the IT security certification not-for-profit (ISC)² say their organizations have too few information security professionals. It's not a lack of money but a dearth of qualified individuals. How big is the shortfall? The (ISC)² study, conducted by market researcher Frost & Sullivan with backing from business adviser Booz Allen Hamilton, projects a shortfall of some 1.5 million security professionals globally in just five years.

"We'll need to make a concerted effort over the next five years to change the rate at which new entrants are coming into the information security workforce to close this gap," Julie Peeler, (ISC)² Foundation director, and Angela Messer, executive vice president at survey cosponsor Booz Allen Hamilton, wrote in a blog.

That concerted effort must include out-of-the-box thinking on the part of enterprises to get the needed skills to address critical IT security challenges. One idea former Homeland Security Deputy Secretary Jane Holl Lute promotes is called "swarming." Simply, pull great minds together from a variety of organizations in a coordinated effort to tackle a security problem. CIOs, CISOs and others concerned about IT security must develop relationships with their counterparts elsewhere to jointly address IT security threats.


Center for Internet Security Chief Executive Jane Holl Lute explains swarming.

"If I'm running a medium-sized enterprise or a Fortune 500 company, where my CIO is coping with a problem, I would like the agility to have in place the kinds of relationships that we could draw talent on this problem to help solve it," Lute, now chief executive of the Center for Internet Security, told me in a recent conversation. "It's kind of a community aid, mutual aid model for cybersecurity problems."

How We Analyzed the Data

The workforce and employment numbers in this report come from the government's Current Population Survey of American households. Survey takers interviewing households ask respondents characteristics about their jobs, and then determine their appropriate occupation category.

BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the ones labeled information security analysts, database administrators and network and computer systems administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable. BLS Economist Karen Kosanovich explains that occupations, such as information security analysts, with a base of less than 75,000 for quarterly averages, don't meet the bureau's publication standards.

Yet, the numbers historically have reflected IT and information security employment trends, especially after they're annualized, which we've done for this report. That's attained by adding four quarters worth of survey data and dividing the result by four. For example, to arrive at the 73,800 figure for the information security analyst workforce, we took the reported numbers for the last two quarters of 2014 and first two quarters of 2015 then divided by four.

Other Computer-Related Occupations

Using that same method, here are the workforce numbers for other computer-related occupations for the second quarter 2015:

    Computer and information systems managers: 643,500
    Computer and information research scientists: 30,500
    Computer and information research scientists: 576,800
    Computer programmers: 515,800
    Software developers: 1,323,500
    Web developers: 223,500
    Computer support specialists: 500,500
    Database administrators: 107,500
    Network and computer systems administrators: 215,500
    Computer network architects : 126,000
    Computer occupations, all other: 553,500
    TOTAL (including information security analysts): 4,890,300

The IT workforce has grown by 18 percent over the past 3½ years, according to our analysis.

Defining IT Security Analyst

The government defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. Information security analysts may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure and respond to computer security breaches and viruses.

Many of the other computer-related jobs, such as database and network and computer systems administrators, have security components as well, Programmers and software developers, too, must account for security when developing code, though many of them are often criticized for not doing so.

How is your enterprise addressing the IT security skills shortage? Share your solutions in the box below.



About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.