A recent presentation by Adrian Sanabria inspired me to look at the community of information security professionals. Analyzing a community can provide insights for workforce development initiatives and for marketers’ communication with their audiences. As someone who surveys B2B technology markets, this subject is important to me.
A professional community can be seen as a labor market. Since the success of a market sizing initiative is based on defining an accurate categorization scheme, determining the scope of analysis is essential. According to a study commissioned by the Information System Security Certification Consortium, there are about 3.4 million information security professionals worldwide. However, the skills, education and focus of this population vary widely. The demand for trained infosec pros is robust and wages are rising. In fact, the aforementioned study estimates that by 2020 there will be a significant labor shortage, with 1.5 million information security jobs going unfilled for lack of trained workers. In other industries, labor shortages often lead to technological innovation and outsourcing, yet for information security these options are often not viable alternatives.
Industry and government are working hard to recruit and train new employees but they face challenges in getting new workers into the field. Looking at the chart below, how do we increase the size of the largest bubble? Perhaps increasing the overall community of security pros can be done by recruiting a lot of entry-level employees and labeling them as “cyber security” analysts. Yet, this will not alleviate the larger problem of upgrading their skills so they can perform the rather complicated job functions that are required of a real security pro. The definition of a highly trained security pro can vary, but using Adrian Sanabria’s model as a guide, I found 147,949 people on LinkedIn with either a CISSP or GIAC certification. That is only 4% of the workforce – imagine if only 4% of accountants were CPAs. Does anyone know what a good goal should be for the percentage of information security pros having a professional certification or advanced training?
While identifying new employees and candidates for advanced training is important, that is not necessarily what marketers care about. Instead, information security vendors are focused on communicating with decision makers and influencers. Decision makers are the people who approve new purchases and hires. Depending on the size of the company, the decision maker may be the CEO or CIO, but they can also be a chief information security officer (CISO) or a VP of IT infrastructure. Of all these roles, only the CISO knows enough about security to actually influence decisions. Defining who actually influences technology decisions is a difficult task. Many media companies and surveys ask people to self-identify as an influencer, but I don’t really trust that metric. I prefer to identify influencers by using specialized mailing lists along with communities like Bugcrowd and Peerlyst. In addition, Facebook has gotten into the action with its ThreatExchange community, but since it is still in beta I am not sure what to make of it. The people who participate in these forums are highly engaged and have at least some willingness to interact with their peers. In addition, we can assume that if someone is investing the time and energy to attend a security industry conference, they are at least somewhat influential. Using these criteria, I estimate that there are over 67,000 influencers in the security community. At 2% of the total workforce, this seems like a reasonable estimate.
While there are many techniques to identify influencers via social media, it is pretty hard to take this small subset and identify who the influencers are. Using keywords, I identified 9,919 infosec pros on Twitter, which is equivalent to .03% of the security workforce. Even if we were to expand the analysis to people who tweeted about information security related subjects, the numbers would still be low. Because of the nature of their work, many security pros are not involved with social media. Yet, many infosec pros are very active online. In fact, anecdotally I have found them to be much heavier users of Twitter than other IT pros I have had the pleasure of studying. Furthermore, with regard to bug tracking and monitoring exploits, it is a job requirement to interact with other infosec pros.
I am skeptical that observations about this community can be used to make inferences about other technology communities. That being said, it is interesting to compare these dynamics to the 90-9-1 rule. This is a widely observed dynamic that states that 90% of online users are lurkers who read but do not contribute content. Nine percent of users contribute occasionally, but only 1% of users account for most of the contributions online. I identified about 2% of the security community as influential and that does seem to be in the ballpark. I wonder what percentage of the influencers are active online.