Steve Morgan is the founder of Cybersecurity Ventures, a leading cybersecurity research company that provides data and insights on global cybercrime to C-suite executives, and editor-in-chief of Cybercrime Magazine. Before starting the company, he worked for antivirus giant McAfee Corp. as the company grew to a market-leading security vendor. VEDP President and CEO Stephen Moret spoke with Morgan about skyrocketing cybercrime damages, the cybersecurity skills gap, and Virginia's place at the top of the cybersecurity industry.
Stephen Moret: Can you tell us a bit about Cybersecurity Ventures, why you started the company, and what type of work the company is involved in today?
Steve Morgan: I started up the company in 2015 in direct response to a lack of cybersecurity research data and figures that I had been after. At the time, I was writing for the media, and I’d been covering the industry for a while. I started out by compiling lists of companies nationally, then broke that down regionally. From there, I started conducting cybercrime research, mainly the damage costs associated with cybercrime. And in 2018, after finding there was a big appetite for that information, we launched Cybercrime Magazine, our own media, which originally was intended to serve up that data. We had a growing body of reports we’d published, and I guess you could say, accidentally, it turned into a mainstream media property.
Moret: You worked at McAfee — one of the most well-known names in tech — in the mid-‘90s. That was when the internet was really becoming more widespread. Cybersecurity was in its infancy, but starting to become a concern of the general public instead of just a relatively small group of users. What cybersecurity issues did you see back then? How did that change, and what persists today?
Morgan: It was very different back then. The biggest threats were computer viruses infecting PCs and, frankly, most companies didn’t take it very seriously until the proliferation of the internet interconnected them with so many other organizations. The internet became much like the airplane was to the human virus. It was the carrier.
Companies started to infect each other, and it was a very big deal. That was the start of our industry, the tipping point. You could argue that it started when there were products to protect PCs, which had been around for a long time. McAfee and other companies were organized around that.
Moret: Your organization is estimating that cybercrime damages will cost the world $6 trillion annually by 2025. How does that underscore the importance of cybersecurity to businesses moving forward? Is this something we’re eventually going to get our arms around, or is it something that’s going to be with us permanently?
Morgan: We originally published that figure at the end of 2017. And when you’re talking about such a big number, a number that equates to what would be the world’s third-largest country if you measured GDP, it’s certainly not to the penny. It’s not to the dollar. If you had to round it off, it might be by a few billion dollars, although I do believe it’s the most accurate estimation we have. It’s funny — many people would ask me in 2017, “Where did you get that figure?” It was vetted. We spoke to a lot of media, but people were wondering, could cybercrime really be causing that much damage?
Now, a lot of those same people say, “Steve, that’s a vast underestimation.” And a lot of those people are chief information security officers at Fortune 500 companies. So, there’s been a wake-up call. Unfortunately, that wake-up call has taken five or six years. Thousands of cyberattacks and data breaches. The world has woken up to the reality that just about every company in the world — whether they’re small, midsize, or large — has been hacked. They may know about it. They may not know about it. The threat is real. Looking forward, we believe that number is going to grow, at minimum, 15% per year through 2030. We see that number growing to over $10 trillion annually.
Moret: You helped sound the alarm on the cybersecurity skills gap, among other things. From your vantage point, what skills are the most important for the cybersecurity workforce of the future?
Morgan: I’m glad you asked that question, because there’s a misunderstanding about opportunity in cybersecurity. And it’s so important for our country and for the world to reach out to young people. I think it starts as early as middle school, or some people may argue it should start as early as kindergarten, K-6. We must engage young people. We have to get them at the high school level. They have to be thinking about cyber before they enter college.
I’m not someone who thinks cyber is for everybody. I’m certainly not here to argue that it’s a better career opportunity than so many other options available to young people. I’m here to argue that it should be on the radar screen, but it’s not. It should be a choice. If a young man or woman is thinking about becoming a police officer, or thinking about law enforcement, then they should be thinking about becoming a cyber fighter. That should be available to them. Their parents should know about it. Educators should know about it, and it should be a choice.
Unfortunately, I don’t think it is. And I say that from experience, I’ve been out talking to schools, and I’ve had a chance to speak with a lot of young people. I don’t feel that enough of them are being engaged early enough.
Moret: In Virginia, we’re very familiar with this because we’re one of the biggest sources of cybersecurity talent in the world. Are there particular types of skills that are most relevant or in greatest demand?
Morgan: The problem we have is the obvious skills the kids probably know about, even just abstractly. So, you talk about engineering, software engineering, cyber engineering. Those are hard skills that have to do with computer science, and I think a lot of people only think about that. So yes, clearly, we do need kids coming into the workforce with those skill sets. But if someone has an affinity for cars, there’s a great opportunity in the automotive space for people to get involved with cybersecurity. There are opportunities with forensics, investigations — you don’t necessarily need coding skills for that.
There are so many positions in cyber where you don’t have to become a cryptographer and be a mathematics major or a computer science major. That’s what we really need to get the word out around, because there are just a vast number of positions.
Moret: With that in mind, what do you think colleges, universities, and other public entities, state governments, and others can do to help close the gap between available jobs in the cybersecurity space and the talent available to fill them?
Morgan: We’re seeing a vast number of B.A. programs. We’re seeing a vast number of programs in the community college system, as well as vocational schools. So, we’ve seen huge growth around cybersecurity courseware across the board. And that’s a really, really good thing. There’s been a lot of investment, and I definitely think we’re moving in the right direction.
Moret: Building on that, are there any leading examples you’ve seen around the country, around the world, in talent development for cybersecurity professionals, which you think we ought to be paying attention to here in Virginia?
Morgan: We need to think outside the box. I recently interviewed Craig Froelich, the chief information security officer at Bank of America. He has been an advocate for reaching out to the neurodiverse community. Craig has done a great job of engaging them, hiring them, getting the word out to his peers, and starting a movement around our industry, looking to that community of people who otherwise have been ignored and may not have been proactive looking for positions themselves.
