The IT security profession in the United States is heavily white with a disproportionate number of Asians, as compared with the overall workforce, according to an Information Security Media Group analysis of Labor Department employment figures.
Labor Department figures also show that for the third straight quarter, no unemployment exists among information security analysts, an occupation category that includes a number of IT security roles (see Infosec Unemployment Remains Steady at 0%). The sample size is too small to be statistically reliable, but the government numbers, nonetheless, strongly suggests what many employers lament: a critical shortage of skilled IT security personnel exists.
According to the government statistics, the number of IT security analysts is steadily growing, though not necessarily as fast as employers want. In the third quarter, the IT security workforce stood at 47,000, up from 43,000 in the first quarter and 37,000 in the first quarter. That represents an increase of 27 percent over six months.
Whites, who account for about 80 percent of the American workforce, make up 70 percent of the IT security workforce. About 7 percent of those categorized as information security analysts are African Americans; blacks make up about 12 percent of the overall workforce. Latinos make up about 5 percent of the IT security labor force vs. 15 percent of the overall workforce. Women also are underrepresented in the IT security workforce: about 8 percent vs. 45 percent overall.
Alan Paller, director of research at the SANS Institute, explains that many IT security personnel came from the armed forces, and like pilots, who received their flight training in the military, are overwhelmingly white men.
Carolyn Leighton, founder and chairwoman of the professional group Women in Technology International, says there are so many reasons why more women aren't in IT security, "starting with young girls in school often being pushed away from interest in computers by teachers, the male model of teaching some of the topic areas required for IT; and right up there at the top: people hire in their own image - most of the IT hiring is by men."
The demographics of the cybersecurity workforce also reflect, in general, the imbalance found in other scientific and technical fields, with the exception of women in medicine and, to a lesser extent, IT (BLS figures show that women represent about half of pharmacists, one-third of physicians and one-quarter of IT professionals).
Great Source of the Highly Qualified Overlooked
Why so? "Social equity and the relative scarcity of women and persons of color, (which) means that we must be overlooking a great source of highly qualified people that can help us address the shortage problem," says Franklin Reeder, cofounder and board member of the Center for Internet Security, which sponsor the U.S. Cyberchallenge, an initiative aimed at encouraging high school and college students to enter the IT security field.
Karen Evans, national director of the U.S. Cyber Challenge, says the organization is attempting to find the right type of IT security challenges to attract more underrepresented populations into the field. "In our case, this means going to back to the high school/middle-school levels where many of these of the decisions are made and/or taught about what a child can or can't do. We are attempting challenges in these areas to make the field fund and attract to both the students and parents."
Asians make up more than 20 percent of the information security analysts occupation category, even though the group comprises only 5 percent of the overall American workforce. The government data do not differentiate American citizens, foreigners on work visas or, for that matter, those working in the country illegally.
For more than a decade, many Asian Indians - whether born here or in India - have entered the U.S. IT workforce, which has fed the ranks of the IT security labor force. According to the Migration Policy Institute, a nonpartisan think tank, about one-quarter of Indian-born men are employed in information technology occupations in the United States.
The department's Bureau of Labor Statistics broadly defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. Information security analysts may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure as well as respond to computer security breaches and viruses.
Though available on request, BLS does not publicly post its quarterly statistics on each occupation category, which are culled from its monthly survey of 60,000 households used to determine the nation's unemployment rate, which stood at 9.1 percent in September. Because of the small sample size for many occupation categories, such as information security analysts, BLS cautions that the figures are not statistically reliable. Though neither gospel nor precise, the occupation data historically reflect general workforce conditions.
David Foote of Foote Partners, an IT employment advisory firm, questions the government data, contending a shortage exists of specific IT security skills but not of people who consider themselves IT security professionals. "There are many, many unemployed security professionals," he says. Foote contends many of these IT security pros have either taken part-time jobs or other IT jobs that no longer qualify them under the BLS definition of information security analyst. "If they were included in that category, there would not be zero unemployment," he says. "So the whole thing is a fallacy."
In some respects, the BLS survey is a self-choosing one. Those interviewed identify their own occupation, though survey takers ask a series of questions to confirm which category an individual should be placed. "If they are not employed as security people they don't think of themselves as security people but general IT people," says SANS's Paller, responding to the question of the lack of IT security joblessness.
The analysis of BLS data shows an American IT labor force for the first nine months of 2011 approaching 4.2 million people, with just over 4 million holding jobs and 174,000 out of work, resulting in an IT unemployment rate of 4.2 percent.
Starting this past January, the government developed new occupation categories -including information security analyst, the first for an IT security occupation - so it's impossible to compare the data to those collected in previous years. For the purposes of analyzing the demographic makeup of the IT security field and for the overall IT employment rate, and too boost its reliability, we aggregated the first three quarters of data the government collected.