[Global_industry_committee] Future of the GIC

Tobias tobias.gondrom at owasp.org
Sun Feb 24 13:51:09 UTC 2013

Hi dear GIC fellows,

as you read on the leaders list and my previous post, the board and our
staff decided to shut down all committees and transfer some of their
activities to initiatives to re-energize activity and make things more
open for new volunteers.
The reasoning was also that the committees were not functioning well,
which possibly for most committees may be true.

FYI some background info: In the context of the new initiatives program,
I had a conversation during the last AppSecUS in Austin with a board
member and some of our staff and thought we had established a common
understanding that the GIC would continue to remain active in parallel
to the new initiatives starting up. Unfortunately that seems to have
been misunderstood or wasn't communicated clearly enough among the board
and leadership teams during the decision making process. Anyway. Water
under the bridge.

Based on the past announcement and the political discussions about the
shut-down of the committees, I had last Thursday a longer constructive
conversation with Jim and Sarah at the AppSecAPAC in Jeju on how to move
forward with the duties of the GIC.

The GIC goals are very nicely phrased: "The OWASP Global Industry
Committee (GIC) shall expand awareness of and promote the inclusion of
software security best practices in Industry, Government, Academia and
regulatory agencies and be a voice for industry. This will be
accomplished through outreach; including presentations, development of
position papers and collaborative efforts with other entities."

To be clear, I strongly believe that these goals are very important for
OWASP and our success in going beyond pen-testing and making sure we can
reach the wider community of developers and end-users, and that we need
an entity in OWASP to focus and improve on that.
- advocating industry interests and building relationships with industry
and eventually improving our corporate memberships and influence.
- initiating new industry related projects and building synergy between
these industry related projects and promoting them (CISO guide, CISO
Survey, Industry links, etc.).

Back to the conversation with Jim and Sarah at the AppSec APAC in Jeju:
to find a way on how we can continue to work on these goals in the
current or a future framework.

In general, it seems that it is accepted that the GIC is the one
committee that is still functioning reasonably well (though I personally
could see us improve on that - and myself becoming a better chair) and
fulfills important goals for OWASP. However, there seems to be great
hesitation (and political resistance) to make an exception and keep the
GIC alive as the only remaining committee.

Following we discussed various options:
1. Make the GIC an initiative:
We had a discussion about why it would not be such a good idea to change
the GIC to an initiative. Two of the reasons why this would not be a
good fit:
- initiatives shall have a clear finite scope and lifetime (more like a
mini-project) and in fact the GIC serves the need for a long-term
contact point for industry relations and synergy across different projects
- the GIC in fact inspires initiatives or projects that make sense for
industry members.
During our discussion it became clear and agreed that due to the nature
of the GIC and our current work, that to try and make the GIC into an
initiative would not be a viable solution.

2. Replacing the GIC with another to-be-founded entity:
As I personally don't feel strongly about the name of a thing as long as
it does achieve the objective, the proposal was to close the GIC and
replace it with the "Global Industry Advisory Board" (GIAB) with similar
This proposal was developed together during the conversation between
Sarah, Jim and myself and would have full support from both of them and

Things that we would need to do for this to happen:
- we need to write a document on the goals and the selection process of
the members and terms (I would base that on the committee selection
- there will be a board meeting on Mar-11 and we should have that
document ready by Mar-7 so it can be sent around in time before the
meeting, so the board can "nod on it". We would be active on April-1 (or
Mar-31 to avoid people thinking this is an April-1 joke).

This can actually also be an opportunity for us to review some of our
past committee weaknesses and try to learn from them:
Some ideas of things we should consider:
- define how and what to do with GIAB memberships if people do not
attend calls etc. E.g. it should be easier to remove members and the
chair if they are not active. One idea is to make the terms of members
and the chair finite and members need to actively re-apply after 1 year.
- be more clear on our goals and what specific success criteria should be?
- I liked the fact that for an application to the GIAB, you need to be
endorsed as one of the selection criteria. (the way we handled this with
the GIC with 5 endorsements). What do you think, would 3 endorsements be
sufficient? What would be a good number? The second selection criterion
should be a vote by the existing GIAB members.
- Initially for the transition, I propose to basically transfer all the
active members of the GIC into the GIAB and add active volunteers based
on their applications and member votes.
- It would be good if we can have diversity in industry and regions in
the GIAB reflected in the members.
(e.g. members from different industries and regions). That can also help
with active outreach and promotion of OWASP topics towards different
industries and regions.
- I would suggest to limit the number of members to a maximum of 12.
(personally I think group sizes beyond 8 become less and less effective
- with twelve being a reasonable upper limit for the GIAB)

What do you think about this plan?
Would this be agreeable?

Please let me know your feedback.

I also will send round a doodle for time slots for our next call in a
few minutes. Please let me know ASAP, as I need to schedule the call
ASAP, so that we have a document for the board to decide (nod on) in time.

Cheers, Tobias
