The (ISC)², in case you were wondering, is an international security association approaching 70,000 members worldwide and is perhaps best known for its Certified Information Systems Security Professional (CISSP) qualification program.
The not-for-profit organisation, which is now 21 years old, is formally known as the International Information Systems Security Certification Consortium and, Colley told his audience, seeks to educate its members in the ways of IT security and best practices.
"This is why we do a lot of research into what members' – and companies' – needs are on the IT security front. It's clear from our research that there is a wide diversity of tech users in the marketplace, including end users, consultants, vendors and IT managers", he said.
"There are also a great many different types of organisation that use technology, so their knowledge and understanding of IT security also varies a lot", he added.
According to Colley, his observations suggest that patch management is starting to move out of the purview of IT security and into the realm of IT operations, meaning that it is becoming a more routine and better-understood IT function.
"We're also seeing the arrival of IT development operations in many organisations. Because of these changes, the skill sets of today's IT security professionals are starting to change", he said.
There is, he explained, a hierarchy of skills developing in IT, with dependencies between functions starting to emerge. Against this backdrop, different types of IT end user are also starting to appear.
"This creates a security role matrix where different business functions are clearly inter-related", he said.
Because of these changes, Colley notes that, unless IT security professionals are doing something very specific, they tend to develop non-security – 'soft' – skills. And, of course, so do the technology users in most organisations.
Despite this trend, the (ISC)² MD says that IT security professionals still need to acquire – and keep current – a variety of specialist IT skills, so that they can select IT security systems and understand how they function.
From the consortium's research, Colley says that it is becoming clear that members are roughly evenly split between mainstream IT security and risk management, with risk management having a slight edge in the number of members whose job functions require that skill.
"Because of this, we must think about taking a risk-based approach to security", he said, adding that risk management is a subtly different business regime from mainstream IT security.
"It's about managing risk and lowering the chances of being hit by a security attack", he asserted.
So where is the IT security industry heading?
According to Colley, during 2009, 47.9% of (ISC)² members had a salary increase, 9.8% reported that their salary had been reduced, and 4.1% were laid off during the year.
"The average salary was 50K during 2009, which shows that IT security professionals are receiving the recognition they deserve", he noted.
In the future, he went on to say, there will undoubtedly be a need for better technical skills, as well as web security and forensics specialities.
"As there is an increasing emphasis on the security layer, so we'll see a need for better and more specialist knowledge being required in organisations of all types", he said.
"IT professionals need to have an understanding of the big picture. There is now a need for deeper skill sets in areas such as information risks, forensics, encryption and penetration testing", he added.