This document provides a summary of cybersecurity news and topics related to open source software. It discusses a new report on different types of CISOs ("tribes") and challenges with compliance as the GDPR deadline approaches. Additional articles summarize topics like using open source for core banking systems, open source security challenges, cybersecurity predictions for 2018, and questions around automotive cybersecurity and the GDPR.
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
1. Open Source Insight:
Banking and Open Source, 2018 CISO Report, GDPR Looming
Fred Bals | Senior Content Writer/Editor
2. Cybersecurity News This Week
Cybercriminals are expected to extend their threat deeper into ransomware and
IoT. In a just-released report, Synopsys examines the four “tribes” of CISOs, and
the characteristics of each. A link to the complimentary report is below. And with
the GDPR going into force in just four months, businesses are scrambling for
compliance.
All these cybersecurity stories and more in the January 19th edition of Open
Source Insight.
3. Open Source News
• Will Tomorrow's Core Banking Systems
Run on Open-Source Software?
• Open Source Software Security Challenges
Persist, but the Risk Can Be Managed
• Cybersecurity Predictions
• Introducing the 2018 CISO Report: A Q&A
with Gary McGraw
4. More Open Source News
• Synopsys Report Identifies Four Approaches to the
CISO Role
• Fine Time: What GDPR Enforcement Could Look Like
• 4 Key Questions (and Answers) for Automotive
Cybersecurity
• Is Shadow Engineering Developing Your Applications?
• What Does GDPR Enforcement Mean for Your
Business?
5. Will Tomorrow's Core Banking Systems Run on
Open-Source Software?
via American Banker: As financial institutions experiment
with new technologies, more are expected to adopt open-
source software in place of commercial applications. This
embrace of openness can — and, some experts say, should
— go beyond peripheral tools and apps, to banks using open-
source software for their core banking systems one day.
6. Open Source Software Security Challenges Persist,
but the Risk Can Be Managed
via Security Asia: According to the latest Black Duck report,
open source components are now present in 96 percent of
commercial applications. The average application had 147
different open source components -- and 67 percent of the
applications used components with known vulnerabilities.
7. Cybersecurity Predictions
via Open Access Government: Cyber
adversaries will extend further into
ransomware, OT systems and
cryptocurrencies. The growing commercial
utilization of IoT and OT systems means
that, for the adversary, the value of
breaching and controlling these types of
systems is increasing.
8. Introducing the 2018 CISO Report: A Q&A with
Gary McGraw
via Synopsys Software Integrity blog: We recently sat down with
Synopsys VP of security technology, Dr. Gary McGraw, to discuss
his latest research effort. In addition to the annual Building Security
In Maturity Model (BSIMM), Gary has set out to identify the ways in
which CISOs approach their job role. The CISO project team, which
included Sammy Migues and Dr. Brian Chess, interviewed 25
CISOs to identify approaches to the CISO role, characteristics of
CISOs, and discriminators between types of CISOs and to establish
a coherent model describing how CISOs organize and execute their
work.
9. Synopsys Report Identifies Four Approaches to
the CISO Role
via Data Center Journal: The Chief Information Security
Officer (CISO) Report identifies four unique approaches to
the CISO role called “tribes,” each with distinct
characteristics. The study emphasizes how the four tribes
differ in executing a security plan and what the tribes can
learn from one another, providing insight for leaders
looking to improve their security programs and advance
their careers. Download a complimentary copy of the CISO
Report.
10. Fine Time: What GDPR Enforcement
Could Look Like
via InfoSecurity Magazine: Contained in
a comprehensive Google Document, the research looks at
the annual financial reports of the FTSE 100 and includes
their turnover, profit after tax and what impact a fine of
4%, 2% or 1% of the turnover would look like. The
research reveals that the company listed #1 on that day –
Royal Dutch Shell – would see their entire annual profit
wiped out if they were to face a 4% fine under GDPR. In
fact, of the 100 companies listed, 34 would see their profit
wiped out with a 4% fine, 19 with a 2% fine and 15 with a
1% fine.
11. 4 Key Questions (and Answers) for
Automotive Cybersecurity
via Black Duck blog (Mike Pittenger): As with
safety, ensuring automotive security is going to
be about visibility and control across the supply
chain. If manufacturers don’t know what’s in the
code of their connected car technology
suppliers, they won’t be able to control their
cybersecurity risks. The industry can start by
establishing a self-imposed set of minimum
security requirements.
12. Is Shadow Engineering Developing
Your Applications?
via Black Duck blog (David Znidarsic): Do you allow a supplier’s
goods and services to be acquired and used by your employees
without the approval of your management? Certainly not any more.
You’ve probably spent years applying better governance around the
acquisitions made by Shadow IT. However, even before the
emergence of shadow IT, your engineers have been making
acquisitions from ungoverned suppliers: open source software
authors.
13. What Does GDPR Enforcement Mean for Your
Business?
via Synopsys Software Integrity blog: Now that
a new year is upon us, we must remember that this
is the year the General Data Protection Regulation
(GDPR) supersedes Directive 95/36/EC. The new
regulation will take effect May 25, 2018. In other
words, this is the date by which organizations must
be compliant.