Despite the nationwide pandemic, the number of cybersecurity job openings in Idaho saw a 28% increase in 2020 with an estimated 1,200 available postings through the course of the year. Since 2015, openings for cybersecurity jobs have grown by 160%, sustained by accelerating demand across multiple industry sectors. Nationwide, job postings rose to more than 350,000 in 2020.

With rising phishing attacks fueled by pandemic concerns and widespread remote work, the industry is set to grow even more rapidly. According to a recent Fortune Business Insights Market Report, the global cybersecurity market size was $153.16 billion in 2020 and is projected to more than double to $366.1 billion in 2028.

Idaho’s Cybersecurity Cluster

Cybersecurity is often referred to as a unique industry, yet it is not formally classified under the North American Industry Classification System (NAICS) standard for established businesses. This is because while the NAICS system is production-oriented – grouping businesses into industries based on similarities in the processes used to produce goods or services – cybersecurity is more market/product-oriented. Thus, where the NAICS fails to capture cybersecurity, the North American Product Classification System (NAPCS) identifies network security – a cybersecurity service – as a unique product. Both NAICS and NAPCS are classification systems administered by the U.S. Census Bureau.

The NAPCS is a comprehensive, market- or demand-based, hierarchical classification system for products (goods and services) that is not industry-of-origin based but can be linked to the NAICS industry structure. The most recent Economic Census (2017) showed that the NAPCS-based product – network security design and development services – generated revenue of $3.71 billion from surveyed establishments nationwide. The revenue generated was linked to an expansive cluster comprised of 13 NAICS industries as shown below.

This NAPCS cluster has shown rapid employment growth in recent years. Since 2013, the average employment in these 13 industries combined saw a 49% increase statewide; employment growth for all industries in the state was 18.7% over the same timeframe. The establishments comprising this cluster are numerous and are mostly micro-businesses. As of 2020 preliminary estimates, there were 2,900 businesses with at least one employee in this cluster and only 9% of these businesses had 10 or more employees.

Despite the rapid growth seen over the past decade, Idaho’s cybersecurity scene is still considered emergent when compared with the more established clusters in Virginia, Maryland or the District of Columbia. A SWOT analysis of the NAPCS cyber cluster shows that Idaho still has a location quotient – a measure of concentration relative to the national average – less than the national average. Idaho has the 13^th lowest concentration of cyber employment. Virginia has a location quotient of 2.2 – more than three times the national average. Idaho’s cluster, on the other hand has a location quotient of only 0.55. This low concentration, however, implies the state has lots of room for growth.

Home-grown company successes like Intuit (formally Tsheets) and ClickFunnels have contributed significantly to employment growth in Idaho’s cybersecurity cluster. However, these businesses are not considered cybersecurity businesses. Not all businesses within the cluster are cybersecurity businesses, such as businesses that provide cybersecurity services as a product. However, all cybersecurity businesses would be included in this cluster. The share of cybersecurity companies varies by industry. For instance, although the computer systems design services industry contributed more than half of all cybersecurity product sales (see Table 1 above), this contribution was from only about 15% of businesses in that industry. Similarly, about 27% of businesses in the computer facilities management services industry are cybersecurity businesses.

Idaho has a surprisingly large number of businesses that provide cybersecurity services as a product. Idaho is the headquarters of large cybersecurity companies like Kount, CRI Advantage and AppDetex. MarkMonitor, currently headquartered in California, was founded in Boise. There are currently over 200 Idaho businesses operating within the state that offer cybersecurity services. For many of these companies, their presence is merely remote, but a considerable number have physical locations within the state. The list includes larger Managed Security Service Providers like IBM, Accenture and AT&T as well as smaller companies that provide security services including, but not limited to, cloud security, penetration testing, brand protection, data loss protection and cybersecurity trainings. It excludes companies like St Luke’s with IT divisions that offer cybersecurity services internally. A mapping of known cybersecurity establishments indicates clear geographic clustering in the Boise metro area and some light clustering in the Coeur d’Alene, Pocatello and Idaho Falls metro areas.

The potential to develop a thriving ecosystem is present in nearly every region across the state. In a 2017 Report by New America’s Cybersecurity Initiative, the authors identified four factors that contribute to cluster growth:

• Proximity to government cybersecurity functions.
• The ability to attract or develop a workforce.
• The presence of research centers and incubators.
• Industry leadership.

Recent cybersecurity initiatives around the state have largely addressed these four factors. The development of cybersecurity programs in all of Idaho’s colleges and universities will play a large role in creating the necessary workforce to sustain a cluster. The presence of research institutions like the Idaho National Laboratory not only serves as a workforce attraction, but also provides a platform to foster collaborations between government, private sector and academia. One such initiatives is the recently launched Cybercore Integration Center at the Idaho National Laboratory.

The decision of the Department of Justice to consolidate all data centers has worked in favor of southeastern Idaho, leading to an expanded footprint of the Federal Bureau of Investigation’s existing Pocatello facility and an increase in the local cybersecurity talent pool. Since the new FBI data center opened, two new defense and government cybersecurity companies – Buchanan and Edwards and ECS Federal have moved into the Pocatello-Chubbuck area.

Regional Cybersecurity Clusters

Cybersecurity is becoming increasingly relevant given the fast pace of digitization. This is evident in industry staffing patterns and job postings. Almost every major industry sector has at least one cybersecurity position, and cybersecurity job postings cut across multiple industries. In the last year, the largest volume of cybersecurity postings was from Humana, a health care insurance company. Other employers hiring cybersecurity workers include American Express, Fiserv and even food processors JR Simplot and Lamb Weston. While cybersecurity is a well-established concern in service industries like finance, retail and health care, it is still an emerging concern in goods-producing industries like agriculture, manufacturing and construction. These are opportunity cluster areas for growth in the state.

Research suggests that areas trying to incubate cybersecurity clusters are more likely to succeed if they leverage existing industry. Each region in Idaho is capable of developing a cybersecurity ecosystem with focus areas tied to regional industry strongholds. Southwestern Idaho already has a strong presence of financial technology services that a cybersecurity cluster can leverage. Northern Idaho has more than three dozen aerospace companies. South central Idaho is known for its dairy industry and food processors; and the eastern part of the state is already seeing an emerging cluster tied to federal government contracts.

With proper attention to regional strengths, cybersecurity can be an engine for growth in Idaho. However, workforce development remains a challenge.

The Cybersecurity Worker

In order to capture the cybersecurity worker and assess demand, it might be more accurate to view cybersecurity as a skill rather than a singular occupation. In this analysis, the cybersecurity skill is defined as group of information technology skill clusters that include both the cybersecurity skill cluster and other related skill clusters such as information security, internet security, application security, network security and anti-malware software skills. These skill clusters are as defined in the Burning Glass skills taxonomy.

Burning Glass data shows that computer occupations are increasingly demanding cybersecurity skills. On average, 14.3% of all computer occupations are currently requesting cybersecurity skills. The occupation most closely tied to this skill set is the information security analyst. More than 80% of job postings for this occupation request cybersecurity skills. Other high demand occupations requesting cybersecurity skills include computer network administrators and architects – roughly a quarter of these job postings request cybersecurity skills. With the rapidly expanding demand for cloud architects and penetration testers, the ‘computer occupations, all other’ occupation is increasingly associated with the cybersecurity worker.

As cyberattacks expand, the demand for cybersecurity skills is likely to rise to the point where virtually every computer occupation position is also a cybersecurity position.

Idaho’s share of the cybersecurity workforce is fairly sizable. According to the latest 2020 Occupational and Wage Survey, there are 690 information security analysts currently employed in the state. The location quotient, a measure of concentration relative to the national average, is 0.97 – just 3% below the national average.  When compared with demand however, the size of the state’s workforce is severely limited. There are approximately two information security analysts available for every job posting for this occupation. Many other computer occupations are also in high demand with some, like the “computer occupations, all other” showing a total demand that is much higher than the workforce supply.

Overall, the state has a relatively low concentration of computer/math occupations relative to the nation. The location quotient for computer/math occupations is 0.68 – 32% below the national average. In contrast, the neighboring state of Washington, has a concentration of computer occupations that is 90% above the national average.

As the cybersecurity market expands, the chronic workforce gap for cybersecurity professionals is expected to widen. Nationwide, there is currently a shortage of more than 300,000 cybersecurity professionals. Higher education entities in Idaho have taken decisive steps to address this growing demand. In less than a year, the University of Idaho launched the state’s first cybersecurity bachelor’s degree program; Boise State University launched the Institute for Pervasive Cybersecurity, and both universities, along with Idaho State University, are investing in a joint cybersecurity major.

With Idaho increasingly becoming a breeding ground for technology startups, and with the strong presence of government functions, research centers and incubators, Idaho’s cybersecurity cluster has the potential to progress from emergent to established. This cluster will thrive once the state is able to develop and maintain a steady pipeline of cybersecurity talent.

Esther.Eke@labor.idaho.gov, regional economist
Idaho Department of Labor
(208) 236-6710 ext. 4331