However, if college and university infosec programs are going to improve, it will likely take some initiative and collaboration from the professionals. "The relationship between universities, colleges, careers services and the infosec community needs to be joined up," said Andrew Avenessian, vice president of professional services at Avecto.
"Organizations in the IT security space need to work with schools, universities and colleges to guide and advise them on the skills and competences needed in an ever-evolving environment."
Avenessian and others also say a computing degree is not the only path to a successful cybersecurity career. "They could be studying mathematics, engineering or management," he said.
Bejtlich agrees, but said effective defense has to go well beyond academic training and technical expertise.
"The majority of defenders don't think strategically," he said. They are technicians at heart and think in terms of tools and tactics. They rarely incorporate operations/campaigns, strategy, and policy."
That, he said, is the real gap. "Strategy is more important than the skills gap," he said. "One hundred skilled people wasting their time on strategically unimportant activity is the real problem."
That was the message from Kellermann as well. He said the Russian hackers are more intelligent, "because they think through every action they take to a point where it's incredibly strategic. They're operating at eight to 12 steps ahead on both the offensive and defensive side of the (chess) board."
It will take more than better training of the coming generation of workers, however. Experts agree that attitudes, techniques and training of all employees have to be improved within enterprises.
"One of the main barriers to defending against attacks are unwieldy and unmanageable security strategies that rely on reactive detection," Avenessian said. "Organizations need to simplify their approach and be much more proactive. Many fail to meet even the very basic security steps recommended in the SANS 'First Five' or Australian DoD's Top 4."
He said he regularly encounters IT departments that, "aren't focused on security, but rather on implementing the very latest technologies or broader IT solutions, forcing them to retrofit security post deployment. Security should never be an afterthought."
Cohen said some of that has to include teaching end users. "If you teach people better, then you're going to be more secure," he said, but added that better teaching has to include simulated attacks, to give employees an experience beyond the theoretical.
"It's an easy and cost-effective way to make your people better and get rid of low-hanging fruit," he said.
Sign up for CIO Asia eNewsletters.