The Great Illusion of Information Security Job Numbers
Chapter 1: Understanding Job Market Misconceptions
The ongoing debate about the actual number of information security roles often raises eyebrows. How can we ascertain the quantity of security positions available when there is a distinct lack of verifiable statistical data?
As previously discussed in my article on the so-called "information security jobs crisis," claims of millions of available positions are often inflated. For instance, Cybersecurity Ventures predicts a staggering 3.5 million unfilled jobs by 2025, while the ISC2 Cyber Workforce Study 2023 estimates a global demand for around 4 million cybersecurity experts. However, these figures lack solid statistical backing.
Numerous media outlets, including Fortune and IBM, frequently refer to these same ISC2 and Cybersecurity Ventures statistics, perpetuating the myth. The absence of empirical data has led to a knowledge void, which Cybersecurity Ventures has capitalized on. Even major firms like McKinsey & Company have cited their findings in reports about the cybersecurity market.
Moreover, the history of job predictions in the information security sector is riddled with inaccuracies. For instance, Analytics Insight projected that 10 million new cybersecurity roles would emerge by 2023—a forecast that has proven to be overly optimistic.
So, how many genuine information security jobs exist? The short answer: it’s unclear. The challenge lies in the absence of statistically sound and empirically researched data regarding current job availability and future forecasts. Most existing data derives from surveys and extrapolations, which do not provide a robust foundation for meaningful statistical analysis.
Section 1.1: The Importance of Evidence
Industry veteran Richard Stiennon advocates for skepticism regarding job claims, emphasizing that all assertions must be backed by evidence. Headlines boasting of millions of available positions are compelling, but without credible proof, they amount to little more than sensationalized statements.
For example, Stiennon points out that there has not been a multi-trillion dollar loss attributed to cybercrime. Cybersecurity Ventures previously estimated that cybercrime would cost the world $10.5 trillion annually by 2025, yet as of late 2023, the figures do not even come close.
When analyzing job openings, Stiennon found 15,849 listings across 1,433 cybersecurity companies. The reasoning behind the claim of millions of security jobs could just as easily be applied to other roles, such as office administrators: many businesses exist, but that does not mean each one requires a full-time security professional.
Veteran CISO Helen Patton echoes these sentiments, arguing that while capable candidates abound, there is no genuine crisis in the job market. Instead, she attributes the issue to hiring managers who fail to accurately assess the necessary skills for a role, often relying on misleading proxies like degrees and certifications. This results in a search for candidates who simply do not exist. She advocates for refining the hiring process to bridge the skills gap more effectively than simply training new recruits.
Subsection 1.1.1: The Role of the Bureau of Labor Statistics
The Bureau of Labor Statistics (BLS) plays a crucial role in labor market analysis, measuring working conditions and economic changes. As a primary fact-finding entity for the U.S. government, the BLS compiles and disseminates essential statistical data that serves as a resource for various stakeholders.
The BLS ensures that its data meets criteria such as relevance, timeliness, accuracy, and impartiality. Its information on computer and information technology occupations includes ten categories, but only lists information security analyst as a distinct role. The outlook for this position predicts a remarkable 32% growth from 2022 to 2032, with approximately 16,800 openings anticipated annually.
However, the BLS's focus solely on information security analysts overlooks the broader spectrum of security roles. SANS identifies 20 different types of security positions, from malware analysts to Chief Information Security Officers (CISOs). Even extrapolating the BLS data across these roles would not yield the millions of positions often claimed.
Section 1.2: Flaws in the ISC2 Cyber Workforce Study
The ISC2 Cyber Workforce Study released in October 2023 surveyed 14,864 global practitioners and decision-makers. While the study cites BLS data, its methodology for estimating information security jobs remains unclear, particularly since the BLS only recognizes a single category.
One significant flaw in the ISC2 study is its reliance on survey data, which alone is insufficient for generating actionable insights. Additionally, a large portion of respondents were non-managerial staff or independent contractors, suggesting that they might lack insights into hiring practices.
Half of those surveyed indicated they influence hiring decisions without final authority, while only 40% were based in the U.S. Notably, a significant majority of respondents were male—77%—which could skew the data interpretation.
Chapter 2: Realities from the Job Market
In the first video, "From Immigrant To Million Dollar Cybersecurity Career!!", the discussion revolves around personal journeys into cybersecurity, highlighting the skills needed and the realities of the job market.
The second video, "3.5 Million Unfilled Cybersecurity Jobs In 2024", explores the significant gaps in the cybersecurity workforce and the implications for job seekers.
Stories from professionals searching for information security roles reveal the complex landscape of job availability. Russ Fairchild, an IT Security and Risk Program Manager, emphasizes the shortcomings of HR departments in hiring cybersecurity talent. He recounts experiences where HR personnel failed to understand the technical requirements of security roles.
Similarly, Ben Tomhave, who recently navigated the job market, expresses skepticism about the purported millions of available positions. He notes that job postings are often duplicated across platforms, which significantly inflates the perceived number of openings.
Lee Kushner, a seasoned cybersecurity recruiter, acknowledges a genuine talent shortage but emphasizes that the reported numbers often mislead potential entrants into the field. The illusion of abundant opportunities may encourage aspiring professionals to invest in certifications and training programs that do not guarantee employment.
Ultimately, while there are indeed cybersecurity job openings, the numbers are far less dramatic than often portrayed. To accurately gauge the state of information security job opportunities, one must consider the perspectives of those actively seeking roles in the field.
So, when asked how many information security job openings truly exist, the answer remains elusive—no one really knows.