Information security certifications and risk management skills are among the most important attributes for IT security professionals this year, according to new research from IDC and security organisation ISC2.

The annual Global Information Security Workforce Study polled over 4,000 information security professionals worldwide. It found that firms spend more than 40 percent of their IT security budgets on personnel, education and training.

Top of the training priorities is security risk management. This reflects the growing requirement in the industry for professionals to have more business-oriented skills, according to Yves Le Roux, security technology strategist at CA.

"We're talking about information security, not information technology. We have to look at the business risk and know how to [manage that]," Le Roux explained. "You need training in technical skills and business skills but those purely technical guys will never be [chief security officer]."

As part of the increasing importance of risk management approaches, the survey found that responsibility for security strategy is being extended to other areas of senior management, many previously not associated with IT security.

"In many cases we'll migrate responsibility over to the business process owner and the security guy will become more of an advisor," Le Roux said.

The survey also emphasised the value of security certifications to hiring managers. Le Roux argued that certifications have become more important as compliance pressures have increased the responsibilities of security staff. " They are important to show the [quality] of staff and a level of recognition. It used to be just US companies [that looked for certifications] but now we're seeing it in Europe," he added.