A Seller's Market for IT Security JobsCalculations Show Drop Among Systems Administrators
The workforce of a key information security occupation - computer and network systems administrator - has experienced a decline in numbers in recent years, according to an Information Security Media Group analysis of U.S. Labor Department data.
In 2011, 243,300 individuals in the United States labeled themselves as computer and network systems administrators. Based on Bureau of Labor Statistics data from the past four quarters, that number has dropped to 205,500, a nearly 16 percent decline in just over two years.
"We have had to make do with others who are not really qualified but whom we can at least train minimally," says Danny Miller, system chief information security officer at Texas A&M University. "There is clearly a lack of qualified candidates to fulfill our needs."
Miller says the field doesn't attract as many people as it once did. "This is a very technical and challenging field," says Miller, the former principal and national practice leaders for cybersecurity and privacy at the accounting and business consulting firm Grant Thornton. "Because of the very broad requirements to keep up with the technology related to this field, we are seeing fewer and relying on fewer personnel."
The law of supply and demand seems absent within the occupation category of computer and network systems administrators; BLS sees the demand for computer and systems analysts to grow by 12 percent by 2022, with growth the highest at firms that provide cloud computing technology, according to a 2012 bureau analysis.
Technology as Substitute for Personnel
Miller says the dearth of qualified personnel means the university and other organizations must seek technical solutions and develop new processes in lieu of hiring people. Texas A&M has embarked on a very aggressive campaign to consolidate and virtualize computing environments and centralize the management of systems. He says the university has focused on a center-of-excellence concept, where it shares resources with other organizations within the Texas university system.
"Our universities and state agencies are sometimes very challenged to find appropriate help because of the lack of locally available qualified help and thus may share personnel from other locations," Miller says.
Hord Tipton, executive director of (ISC)Â², the not-for-profit information security accrediting and education organization, says the situation Miller finds himself in isn't unusual.
"Open information security positions are going unfilled; 56 percent of those responding to [a 2013 (ISC)Â² survey) feel their organizations currently have too few information security workers to manage threats now, let alone in the future," says Tipton, a former chief information officer at the U.S. Department of Interior.
Tipton cites a survey from Burning Glass Technologies, an IT-driven recruiting firm, that shows demand for information security workers grew 3.5 times faster than those in other IT specialties over the past five years.
Skill Set Most in Demand
While the workforce for administrators is in decline, that's not the case for information security analysts, which according to our analysis, has increased by 23 percent since 2011. For the four quarters ended March 31, the number of individuals who consider themselves information security analyst has increased to 55,300 from 45,000 in 2011.
"Overall, the skill set most in demand is for the security analyst, who conducts the integration and testing, operation and maintenance of systems security," Tipton says. "In addition, a security analyst possesses significant higher order skills and has a deep understanding of all business systems, knowing what information an organization cannot afford to lose."
But even with the increase in the number of information security analysts, there aren't a sufficient number to meet demand.
"We see fewer qualified analysts in the marketplace," Miller says. "We do not believe there are enough universities that are teaching this and we also sense that there is a lack of interest by students. It is causing some increased risk for our university and state agencies because of that."
Miller says he believes large businesses and the federal government "snap up" information security analysts, leaving few such experts available for smaller organizations to recruit.
That's what City of Chicago CISO Arlan McMillan sees. "I use to work in the D.C. area and was constantly having my staff and candidates stolen by [the Department of Homeland Security] as well as others in the area that have been very strongly recruiting," he says. "Since moving back to Chicago, I expected to be rid of that challenge. Unfortunately, recently I learned that that one of my better analysts submitted his resignation because he was moving to D.C. to work for DHS."
Quality vs. Quantity
While the pool of information security analysts has increased, McMillan questions how many of them are truly qualified. "We've had a significant number of IT professionals get a security specific certification and then begin to call themselves security professionals," McMillan says. "While a strong IT background can be considered a prerequisite for the information security field, there are other skills such as risk management and compliance that need to be honed to be strong in this field. It's this mix of skills that are required that separates IT from information security and shallows the pool of available resources."
The workforce and employment numbers in this report come from the government's Current Population Survey of American households that produce the monthly unemployment rate. Survey takers interviewing households ask respondents characteristics about their jobs, and then determine their appropriate occupation category.
BLS each quarter furnishes, upon request, a breakdown of 535 job categories, including the one labeled information security analysts as well other computer-related fields, including computer and network system administrators. Because the survey size for some individual occupation categories, such as information security analysts, is too small to be statistically reliable, BLS neither officially publishes this data, nor claims it's reliable. BLS Economist Karen Kosanovich explains that occupations such as information security analysts with a base of fewer than 50,000 individuals for annual averages and 75,000 for quarterly averages don't meet the bureau's publication standards.
Jobless Rate Reflects 'Full' Employment
Yet, the numbers do reflect IT and information security employment trends, especially after they're annualized. We take the past four quarters of statistics and divide by four, making them more consistent. With this proviso, here's what the latest BLS data shows:
For the first quarter of 2014, according to ISMG calculations, the unemployment rate among information security analysts stood at 3.2 percent, with 53,500 employed and 1,800 unemployed. In 2011, BLS didn't register any unemployed information security analysts because of the small sample size that year.
Among network and computer systems administrators, the unemployment rate was calculated to be 2.9 percent for the first three months of 2014, based on 199,500 employed and 6,000 unemployed; that's down from a 4 percent jobless rate in 2011.
Many economists believe that an unemployment rate of 3 percent or less is considered full employment because of the normal churn of jobs.