Last week's report by the nonpartisan Commission on Enhancing National Cybersecurity recommended training 100,000 new cybersecurity professionals and increasing federal R&D funding for cybersecurity by $4 billion over the next decade -- but that's not enough to address the current shortfall, experts say.
One positive aspect is that the report focuses on the human side of cybersecurity, said Nathan Wenzler, principal security architect at San Francisco-based AsTech Consulting.
"Historically, as the Commission's report also points out, there has been a tendency to lean toward technological solutions to every information security problem," he said.
It's refreshing to see more of an emphasis on policy, metrics and training, he said.
Training 100,000 new cybersecurity professionals might not be enough, however.
"It's a good start, but it's about half of it," said Paul Petefish, co-founder and CEO at Chicago-based Evolve Security Academy, Inc.
According to the Bureau of Labor Statistics, more than 200,000 cybersecurity jobs were unfilled last year -- and the shortfall could climb to 1.5 million by 2019, according to a report by Cybersecurity Ventures.
"We are far, far from automation and AI -- regardless of what the media and some cybersecurity tech companies' marketing will have you believe," said Petefish. "We will still need folks to implement, care and manage the cybersecurity solutions in 2020 -- and in 2030."
"The report from the President's Commission on Enhancing National Cybersecurity certainly got some of the issues right," said Chris Roberts, chief security architect at Santa Clara, Calif.-based Acalvio Technologies. "We’ve been fighting for 20 years and what we’ve done and what we are doing is not working."
However, throwing money at the problem won't necessarily fix things.
"Money doesn't solve everything," he said. "Sometimes a cattle prod or punitive punishment against those who still think that security is someone else’s problem might be the right answer."
"This report provides a solid foundation for the current challenges and threats we are facing," said Joseph Carson, head of global strategic alliances at Washington DC-based Thycotic Software Ltd. "The recommendations lead us in a good direction."
But implementing these recommendations will require people with actual expertise in cybersecurity, he said.
"It's easy to hire entry-level professionals," said Kasey Cross, director of product management at Los Altos, Calif.-based security firm LightCyber. "But there aren't really enough advanced, sophisticated security engineers."
The $4 billion funding recommendation may also be too little, she said.
"On the face of it, it seems like a lot," she said. "But they're also planning on spending $4 billion on a couple of new Air Force planes."
And the money will be spent over the course of ten years, on various projects.