"It's a lot easier to know the play than to defend it," he said. "And there's a much bigger attack surface out there than before; you always have the low-hanging fruit."
Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institution, agrees, noting that attackers have the initiative.
"Cyberspace favors the offense," he said. "Defenders are not allowed to take the initiative to degrade adversary capabilities through direct action against the intruder's resources."
Bejtlich also said that he does not see an intruder simply gaining unauthorized access as an automatic win. "If you define it a 'win' for an intruder to accomplish his ultimate mission (stealing data, altering a system, degrading resources), then it is possible for intruders to lose," he said, adding that "preventing the consequences of unauthorized activity should be the mission for defenders."
It is also a bit more complicated than a "skills gap," they say. "I don't agree that the bad guys are always smarter," Cohen said. "I know some really smart good guys."
The problem, he said, is that it is frequently not the professional "defenders," the IT staff, who fail to prevent breaches. It is workers in other departments who fall for a scam like phishing or use weak passwords, or workers from third-party contractors (as was the case with Target), who open the door to attackers.
"There is no patch for human stupidity," Cohen said.
That said, security experts do agree that defensive skills can and should be better, and that to achieve it, education in cybersecurity must improve.
It has to start, they agree, during the formative education years. "We've known for a while that we're not turning out enough cyber security professionals, starting at the K-20 level," said Michael Garvin, senior manager, product management, Cyber Security Group at Symantec.
But he and others say that is only the beginning: to have defenders with the skills to counter the sophistication of attackers, they need hands-on, real-world experience.
"Pilots spend hundreds of hours in flight simulators before flying a real plane, gaining the skills they need and building muscle memory through repetition in a safe environment," Garvin said.
Bejtlich agrees. "I would not want to take security classes from a professor who lacks time defending an enterprise," he said.
That is Cohen's message as well. "High school and college is one area where we are so far behind. You can't train through a book," he said, arguing that cybersecurity training has to be more practical and hands on, somewhat like a vocational school.
He said much of the training at the Hacker Academy and other available courses is real-world simulation. "Until you're thrown into the fire, you don't know," he said.