[Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Jim Manico jim.manico at owasp.org
Tue Aug 18 18:10:36 UTC 2015


Eoin,

The board is scattered all over the world right now. Some of our 
meetings were in the middle of the night for other board members. So 
while we have board attendance rules, we have to vote to remove a board 
member due to lack of attendance.  I think it's reasonable, even if we 
disagree. We are also considering changing the participation rules.

Is that acceptable to you?

Aloha,
Jim


On 8/18/15 8:04 AM, Eoin Keary wrote:
> Sorry I have to write this email....but...
>
> I hope you don't change the rules just because certain members have 
> not complied by them....
>
> I was forwarded some emails regarding board attendance today which 
> appear that the 75% rule of board meeting attendance is now going to 
> be changed because some folks on the board have issue with it.
>
> This is like turkeys voting for Christmas.
>
> I respectfully hope the board abides by its own guidelines; if not, I 
> have great issue with the foundation's governance.
>
> Respect, for the good guys in OWASP.
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Johanna,
>>
>>     As far as I remember, the idea was proposed to the board by you and
>>     the board took the decision to implement Committee 2.0. I believe
>>     this was done with all good intentions but is not working.
>>
>>
>> Actually, I would argue that even though there's only a single 
>> committee right now, it is working exactly as intended.  The truth is 
>> that OWASP's leadership sits somewhere in-between an Oligarchy (as 
>> you describe it) and an Anarchy.  We're currently somewhere between 
>> Democracy and Ochlocracy depending on the topic if you really want to 
>> get technical.  In any case, what you need to realize is that 
>> somebody needs to have the power to make decisions or decisions will 
>> never get made and we veer into Anarchy.  What Committees 2.0 did is 
>> specify that decision making power starts with the Board as they have 
>> the fiduciary responsibility for the OWASP Foundation in all legal 
>> sense.  What it also did is allow any of our leaders to carve out a 
>> piece of that power that they are passionate about and run with it, 
>> just as you did with projects.  I really thought that we would see 
>> some other committees pop up similar to what we had before in other 
>> core areas of OWASP like Governance or Chapters, but the fact that 
>> there isn't just tells me that as of yet, no leader is passionate 
>> enough about it to carve out that power.  Maybe it's because of time 
>> commitments or because of some perceived "red tape" or even (I hope) 
>> because most people think the Board is doing an OK job making 
>> decisions, but the fact is that the ability is there and you are an 
>> example of it being used.  So, as I said, the system is working.  
>> Where this is a void in the community wanting to take the power to 
>> make decisions, the Board fills that void.  In other words, if the 
>> community really thinks that they can do something better than the 
>> Board, they can form a Committee (or "Action Team" or "Initiative" or 
>> whatever they want to call it), and do it.
>>
>>     Projects are global. They promote OWASP at a global level. What
>>     is OWASP known for? For its chapters? Its conferences? I strongly
>>     believe OWASP is known for its projects: Code Review, Testing
>>     Guide, the Cheat Sheets, ASVS, ZAP... Many references in major
>>     publications refer to the OWASP Top Ten and respect them because of
>>     its projects. PCI and major vendors use them as reference and
>>     guidelines.
>>
>>
>> There is no doubt in my mind that Projects are important for OWASP.  
>> They spread our mission in places where even our Chapters cannot go.  
>> But, if you want to talk about where most people interface with 
>> OWASP, it's not projects, it's Chapters.  You won't find a reference 
>> in a major publication to the OWASP Austin Chapter, for example, but 
>> we held a CryptoParty in January and invited members of our 
>> community, the media, etc to participate because we wanted to educate 
>> others on the importance of privacy.  You're passionate about OWASP 
>> Projects, I get that, and I love it.  I'm passionate about OWASP 
>> Chapters. Neither should be trivialized as they both play a very 
>> important role within OWASP.
>>
>>     What I would like to see is a better schema for them to get more
>>     awareness, especially people doing great things who, because of
>>     lack of funds, cannot promote their projects. Chapters are rich,
>>     projects are poor. That is in my opinion a huge imbalance.
>>
>>
>> We have many chapters with small bank accounts, some even negative, 
>> and a few with quite large accounts. Total it all up and it's a 
>> pretty decent sum of money. But, what you're arguing for here is 
>> effectively Socialism.  You're saying that it doesn't matter that the 
>> OWASP chapter in Denver busted their ass (it is over a year's worth 
>> of effort by a team of people) to put on last year's AppSecUSA 
>> Conference.  It doesn't matter that it can cost a chapter hundreds if 
>> not thousands of dollars to rent meeting space, bring in food, fly in 
>> speakers, etc.  You only see that they have money, you do not, and 
>> you want it.  Not because you have a plan to spend it either, because 
>> if you did you could simply ask the Foundation for it, but because it 
>> is perceived as being disproportionate.  There is no payoff for 
>> OWASP's mission if we rob from the rich, give to the poor, and at the 
>> end of the day still just have money sitting in a savings account.  
>> This highlights the underlying issue here.  The issue is not that 
>> Chapters or Projects HAVE money.  The issue is that they have money 
>> and are NOT SPENDING IT to further the OWASP Mission.  Thus, the 
>> approach to fix this issue (and I agree that it's an issue) shouldn't 
>> be to take away their money, it should be to get them to spend it.
>>
>>     The limit of USD 2,000 for supporting a project leader a year is
>>     for most leaders not enough. If a leader outside the US or EU is
>>     invited to Black Hat, that amount is not enough to cover his
>>     traveling expenses.  And that's the maximum he can have in a year
>>     after filling in forms and going through some back-and-forth
>>     emails with the staff...
>>
>>
>> Ahhhhh, finally we get to the root of the issue.  The issue isn't 
>> that money isn't available, because, frankly, we had a significant 
>> amount of money budgeted last year that wasn't used.  The issue is 
>> that there is a cap on what any one project leader can 
>> request/spend.  My personal opinion here is that this $2k cap should 
>> be treated as a guideline, not a rule.  It is likely in place to 
>> prevent abuse by having a significant amount of money from the pool 
>> go to any one individual.  But, that cap certainly should not prevent 
>> the OWASP Foundation from investing in the projects, and people 
>> behind the projects, to make them better.  The Board entrusts Paul, 
>> as Executive Director, and the OWASP staff to handle the day-to-day 
>> operations of the OWASP Foundation.  Part of their job is to review 
>> these types of requests in order to determine whether they make sense 
>> and there are funds available.  That said, if you get to a point 
>> where you feel that they are being unreasonable, the Board can 
>> certainly step in and try to determine if an exception should be 
>> made.  So, net-net, maybe that $2k cap is too low.  Should we raise 
>> it?  If so, what should it be?  What amount would be reasonable for 
>> any one individual to consume from that shared pool of funds?  
>> Guidelines can be changed.  Guidelines can even be overruled for the 
>> right reasons.  This is a relatively minor issue that it sounds like 
>> should be re-evaluated given rising costs, bigger budget pools, 
>> unused funds, etc.  Can you please come up with a reasonable proposal 
>> here and I will take that to the Board for approval to change this 
>> guideline?
>>
>>     Should we scrap projects and focus on being a dedicated conference
>>     organisation?... That's what I see is happening, whether
>>     consciously or not.
>>
>>
>> Your perception is VERY far from the truth.  I've spent the past 8.5 
>> years working with the OWASP Austin chapter and I've seen it grow 
>> from literally 3 people in a monthly meeting to around 70.  You, 
>> yourself, even said that OWASP is being referenced in major 
>> publications and our tools are being used around the globe.  That 
>> said, keep in mind that the OWASP mission is one of education, and 
>> conferences address that mission directly.  They are also the main 
>> fundraiser that helps to make sure that our chapters and projects 
>> have the money that they need in order to be successful.
>>
>>     Should we scrap conferences and focus on gathering those funds to
>>     create better platforms for projects and become the next Apache
>>     Foundation?
>>
>>
>> Where do you think those funds would come from?  By far, the majority 
>> of OWASP's annual revenue comes from AppSecUSA and AppSecEU.  To be 
>> frank, OWASP would be VERY different if it weren't for our conferences.
>>
>>     Should we use crowdsourcing for gathering funds for projects
>>     through the OWASP Foundation?
>>
>>
>> This is not a mutually exclusive solution.  Yes, absolutely, use 
>> crowdfunding to gather funds for projects.  Please prove out this 
>> model of bringing another revenue source to OWASP.  I would imagine 
>> that this is a way that projects would be able to get funds that a 
>> chapter never could.
>>
>>     Project summits = events. That's what I'm proposing: that summits
>>     are treated like events to generate money for projects so they
>>     also have a fair way to generate money, as chapters do. They will
>>     depend less on sponsors with commercial intentions.
>>
>>
>> OK, but every project summit that we have had thus far has cost OWASP 
>> money, not made it.  Speaking as the former Co-Chair of LASCON and 
>> AppSecUSA, I can tell you that these types of events are a lot of 
>> work and that it is difficult to attract attendees.  Attendees 
>> actually barely end up covering their own costs (food, schwag, etc). 
>> Sponsors and trainings are usually the ones who generate the profit 
>> for these events.  So, let's say you do a project summit.  How would 
>> you intend to attract attendees who are willing to pay for the 
>> content?  If not, how would you intend to attract sponsors whose sole 
>> purpose in being there is to sell product to the attendees?  
>> Especially if you don't want sponsors with commercial intentions.  
>> You would be lucky if you get enough sponsors to cover costs. Or, in 
>> the situation of every past project summit that we've had, the 
>> Foundation ends up covering the difference.  I'm not saying that you 
>> shouldn't try to prove out this model.  I'm saying that it hasn't 
>> been proven to date.  Also, it's a bit naive to say that chapters 
>> leveraging their members and holding a conference isn't "fair".  We 
>> should be encouraging as many endeavors as we can at OWASP that 
>> spread our mission.  Even more so if they generate additional revenue 
>> because that helps to further our mission even more after the 
>> conference is over.  Nothing is stopping a project from having a 
>> conference.  This isn't a matter of "fair" or "unfair". It's a matter 
>> of a team of people putting in the effort and making it happen.  
>> Please don't trivialize those efforts.
>>
>>     Also more focus on crowdsourcing projects. If people find it a
>>     great idea they will sponsor it.
>>
>>
>> As I said above, I think this is a great idea.  Let's do it!
>>
>>     I will ask the staff to create a survey and ask the community
>>     about it.  This is my proposal and based on those results I hope
>>     and expect the board to take actions.
>>
>>
>> Ask the staff to create a survey?  Why not make the survey yourself?  
>> What exactly are we surveying and why? The only thing that I think 
>> you've identified as an actual issue preventing projects from 
>> operating efficiently is a cap on the amount of funding available.  
>> That doesn't require a survey to get changed, just a plan and an 
>> approval.  I can't guarantee support or action as it depends on the 
>> varying opinions of 7 unique individuals, but the Board would 
>> certainly evaluate any proposal that is put on the table.
>>
>> ~josh
>>
>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel 
>> <johanna.curiel at owasp.org> wrote:
>>
>>     Josh,
>>
>>     As far as I remember, the idea was proposed to the board by you and
>>     the board took the decision to implement Committee 2.0. I believe
>>     this was done with all good intentions but is not working.
>>     http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>
>>     In this same email Sarah mentions:
>>
>>     The 2008 committees worked, for the most part, independently of each other.
>>     This often created duplicate or even conflicting efforts leading to frustration.
>>
>>     Results now: I'm the only committee, called the Project Task
>>     Force. Maybe that's why no one wants to create any more committees.
>>
>>     Projects are global. They promote OWASP at a global level. What
>>     is OWASP known for? For its chapters? Its conferences? I strongly
>>     believe OWASP is known for its projects: Code Review, Testing
>>     Guide, the Cheat Sheets, ASVS, ZAP... Many references in major
>>     publications refer to the OWASP Top Ten and respect them because of
>>     its projects. PCI and major vendors use them as reference and
>>     guidelines.
>>
>>     What I would like to see is a better schema for them to get more
>>     awareness, especially people doing great things who, because of
>>     lack of funds, cannot promote their projects. Chapters are rich,
>>     projects are poor. That is in my opinion a huge imbalance.
>>
>>     The limit of USD 2,000 for supporting a project leader a year is
>>     for most leaders not enough. If a leader outside the US or EU is
>>     invited to Black Hat, that amount is not enough to cover his
>>     traveling expenses.  And that's the maximum he can have in a year
>>     after filling in forms and going through some back-and-forth
>>     emails with the staff...
>>
>>       * Should we scrap projects and focus on being a dedicated
>>         conference organisation?... That's what I see is happening,
>>         whether consciously or not.
>>       * Should we scrap conferences and focus on gathering those funds
>>         to create better platforms for projects and become the next
>>         Apache Foundation?
>>       * Should we use crowdsourcing for gathering funds for projects
>>         through the OWASP Foundation?
>>
>>
>>     I would like to see a solution to this or an action.
>>
>>     Project summits = events. That's what I'm proposing: that summits
>>     are treated like events to generate money for projects so they
>>     also have a fair way to generate money, as chapters do. They will
>>     depend less on sponsors with commercial intentions (easier to
>>     avoid Logogate issues and projects with the intention to promote
>>     appsec companies). Also more focus on crowdsourcing projects. If
>>     people find it a great idea they will sponsor it.
>>
>>     I will ask the staff to create a survey and ask the community
>>     about it. This is my proposal and based on those results I hope
>>     and expect the board to take actions.
>>
>>     regards
>>
>>     Johanna
>>
>>
>>
>>     On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>     <mario.robles at owasp.org> wrote:
>>
>>         Hey Josh,
>>
>>         I could be wrong, but the term Committee is commonly
>>         associated with "bureaucracy" even if it's not what you
>>         meant; at least it was the first thing on top of my head. I'm
>>         sure if you change the word Committee to something like
>>         "Action Team" it would be better accepted.
>>
>>         Just my point of view,
>>
>>         Mario
>>
>>
>>
>>         On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>
>>>             I think we need to create Project Summits in the form of
>>>             events with the whole purpose to gather funds for projects
>>>
>>>
>>>         Please forgive my ignorance. How does a Project Summit
>>>         generate funds for project? Every Project Summit that we
>>>         have had to date has cost the Foundation money, hasn't it?
>>>         Can you please elaborate?
>>>
>>>             Look, the Denver chapter has around 50K in their bucket. The
>>>             richest project is ZAP with 10k... but that's the
>>>             exception. Even worse when you look at chapters outside
>>>             the US or EU: mine has only USD 40. Most projects
>>>             have zero dollars.
>>>
>>>
>>>         I'm not sure I understand the fixation on what other
>>>         chapters have in their bucket.  They have these funds
>>>         because they worked hard to obtain them.  In the case of
>>>         Denver, they ran last year's AppSecUSA Conference. Just
>>>         because they have money in their account, it doesn't mean
>>>         that you aren't able to do things with the $40 you have in
>>>         your account.  It just means that they have to use their
>>>         account funds first before being able to use money from the
>>>         Foundation pool while you would need to request funds from
>>>         that pool for anything over $40.  Any sort of reallocation
>>>         just moves the "ring fenced funds" issue to another
>>>         account.  The model of chapters and projects having accounts
>>>         is not what's broken here.  It's the model of chapters and
>>>         projects saving their funds instead of spending them.  This
>>>         is why I voted "no" on the Summer of Code initiative.  It
>>>         was giving money to those who already had it and not forcing
>>>         them to spend their funds first.  In any case, I'm not sure
>>>         I understand why the amount of money Denver has in their
>>>         account has any impact on any other chapter or project other
>>>         than themselves.  We have tens of thousands of dollars
>>>         allocated by the Foundation to project and chapters on an
>>>         annual basis, much of which goes completely unused.  There
>>>         is money available at OWASP for those who need it and I have
>>>         yet to hear of a situation where someone was told otherwise.
>>>
>>>             Yes, but how do they know where to go? That's why the
>>>             survey. The survey is the compass. And the leaders are
>>>             elected to listen to the community.
>>>
>>>
>>>         I agree with this notion.  The OWASP Board should act in
>>>         accordance with the desires of the community and should be
>>>         doing frequent checks to confirm that initiatives are aligned.
>>>
>>>             So the committee concept in theory seemed like a great
>>>             idea but in practice is not working because in my eyes,
>>>             creating a committee is creating a mini board inside OWASP.
>>>
>>>
>>>         To be honest, I have been surprised by the lack of desire to
>>>         participate in OWASP Committees.  The community has said
>>>         that they want empowerment and the goal of the committees
>>>         was to do that.  But, now that it's there, nobody wants it? 
>>>         Your example with John Lita follows the Committees 2.0
>>>         process almost verbatim.  The only difference is that it
>>>         provides scoping to ensure that we don't have competing, or
>>>         even worse, conflicting initiatives and it specifies that
>>>         the individuals involved need to work within that scope. 
>>>         Without it, you have a loosely knit group of people running
>>>         around with their own individual initiatives.  At that
>>>         level, OWASP is just a funding source for experimentation,
>>>         not a Foundation.  There is no accountability, but the
>>>         liability on the Foundation is still there. Legally, we
>>>         can't just have people running around spending money without
>>>         any form of guidance.
>>>
>>>             Allow me and let the staff know that they should
>>>             support me and any other volunteers seeking to
>>>             implement their ideas ;-).
>>>             Let's cut the red tape with committees and let people
>>>             know that if they want to do something,
>>>
>>>               * Contact the staff.
>>>               * Set a survey and gather support
>>>               * Need more money? Set a crowd funding project @
>>>                 https://www.kickstarter.com under OWASP
>>>               * Volunteers implement idea or project with the
>>>                 support of owasp staff and other volunteers
>>>
>>>         I'm not sure how this is that much different from a
>>>         Committee. Contact the community via the mailing list and
>>>         gather support, scope the activities (ie. define the
>>>         project), Board ensures that there's no conflict, do your
>>>         thing.  The "red tape" that you keep referring to is just a
>>>         process document that walks you through how to set up a
>>>         committee.  After that's done, the idea was to empower you
>>>         to act within the defined scope without going to the Board. 
>>>         If we're talking specifically about projects, which it
>>>         sounds like this is geared towards, then it's even easier. 
>>>         Register as a project (so that staff knows you exist and can
>>>         support you) and do your thing.  If you need money, ask for
>>>         it.  I'm not sure I see the problem here.  I'm also not sure
>>>         what you're asking for as it doesn't seem that different to
>>>         me than how the status quo is supposed to operate.  Is it
>>>         operating differently in practice than it should in theory? 
>>>         I don't have an OWASP project and so perhaps I'm blind to
>>>         the realities.  If so, then the specific issues need to be
>>>         addressed by bylaw change, policy change, staff engagement,
>>>         etc.  So far, all you've said is "projects need money",
>>>         which you have access to, and "cut the red tape", of which I
>>>         don't see anything more than a step to say "Hey, I want to
>>>         be a project".  Please help me to understand.
>>>
>>>         ~josh
>>>
>>>         On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel
>>>         <johanna.curiel at owasp.org> wrote:
>>>
>>>             > I don't think there is anything preventing a project
>>>             from doing the same, but I haven't seen it done at this
>>>             point.
>>>
>>>             I think we need to create Project Summits in the form of
>>>             events with the whole purpose to gather funds for
>>>             projects. OpenSAMM has done this and I think we can try
>>>             that. For that we need the support of the staff Business
>>>             Liaison and Event Manager, just as they put their work and
>>>             efforts into events and AppSecs. Here cut share between
>>>             OWASP staff time and projects can also be done.
>>>
>>>             > OWASP has a project funding bucket.
>>>             Look, the Denver chapter has around 50K in their bucket. The
>>>             richest project is ZAP with 10k... but that's the
>>>             exception. Even worse when you look at chapters outside
>>>             the US or EU: mine has only USD 40. Most projects
>>>             have zero dollars.
>>>             And the limits right now are a support but do not help
>>>             to get important things moving like the OWASP Academy
>>>             portal, leaders like Azzedine assisting and showcasing their
>>>             chapter or project, or other more complex initiatives. Or
>>>             major improvements or promotions to their projects.
>>>
>>>             > Remember that the Board is just a handful of leaders
>>>             who were elected to set the compass.
>>>             Yes, but how do they know where to go? That's why the
>>>             survey. The survey is the compass. And the leaders are
>>>             elected to listen to the community.
>>>
>>>             And about committees...
>>>             The only existing active committee right now is the
>>>             Project Review (which I still call a taskforce myself).
>>>             I haven't seen many initiatives or participation from
>>>             other committees. So the committee concept in theory
>>>             seemed like a great idea, but in practice it is not working
>>>             because, in my eyes, creating a committee is creating a
>>>             mini board inside OWASP. We do not want to create
>>>             oligarchies in the end.
>>>
>>>             I think we should cut off that committee idea and be more
>>>             practical. More like this
>>>
>>>             Example:
>>>
>>>               * John Lita wants to create an academy portal, but
>>>                 developing it costs money and resources that
>>>                 volunteers alone cannot easily pull off (the owaspa
>>>                 project was the same and died, just like many
>>>                 educational initiatives)
>>>               * John must create a proposal with defined goals and
>>>                 how to reach them. He joins other volunteers in this
>>>                 effort. No need to be a committee.
>>>               * John & Claudia create a survey and seek support from
>>>                 the community
>>>               * If the idea has major feedback and volunteers,
>>>                 then John has the support from the staff to execute,
>>>                 including looking for sponsors using crowdsource
>>>                 funding portals
>>>               * Staff monitors development and results of the
>>>                 actions taken
>>>               * Staff reports results back to the community
>>>
>>>             This is in my eyes how I have been working in the end,
>>>             because, as volunteers, available time mostly depends
>>>             on one or 2 passionate individuals like John Lita, who
>>>             are more dedicated, and the rest follow...
>>>
>>>             Now if we want to change things, don't tell me to set up a
>>>             committee, because Josh, this has not worked so far.
>>>
>>>             Allow me and let the staff know that they should
>>>             support me and any other volunteers seeking to
>>>             implement their ideas ;-).
>>>             Let's cut the red tape with committees and let people
>>>             know that if they want to do something,
>>>
>>>               * Contact the staff.
>>>               * Set a survey and gather support
>>>               * Need more money? Set a crowd funding project @
>>>                 https://www.kickstarter.com under OWASP
>>>               * Volunteers implement idea or project with the
>>>                 support of owasp staff and other volunteers
>>>
>>>             How do we get this idea to action?
>>>             Shall we create a survey?
>>>             Do you need to discuss this at a board meeting?
>>>             How do I get empowered and let the staff know that as a
>>>             volunteer I have your support for this? (if I do?)
>>>
>>>             You see... how dependent I am on the board to be able
>>>             to execute?
>>>
>>>             Of course I can always do this on my own, but then I
>>>             better do it without OWASP...
>>>
>>>             Regards
>>>
>>>             Johanna
>>>
>>>             On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>             <josh.sokol at owasp.org> wrote:
>>>
>>>                 Johanna,
>>>
>>>                 Thank you for putting your thoughts out there for
>>>                 everyone. Silence is not good for anyone and OWASP
>>>                 will be far more successful if we know what our
>>>                 leaders are struggling with and make a conscious
>>>                 effort to improve it.  I think that many of your
>>>                 points are very valid and strongly support the idea
>>>                 of polls to gauge community support for actions
>>>                 being taken.  I also support the idea that the Board
>>>                 should be making as few of these decisions as
>>>                 possible and putting the power back in the hands of
>>>                 the community with support from the staff.  The
>>>                 Board should be the "compass" making sure that we
>>>                 are moving in the right direction with the community
>>>                 and staff being the ones actually pushing us
>>>                 forward. That's not to say that members of the Board
>>>                 won't have their own projects or initiatives, but
>>>                 they do so as part of the community, not because of
>>>                 their roles on the Board. The Committees 2.0
>>>                 framework was a first step in driving this level of
>>>                 empowerment back to the community while maintaining
>>>                 accountability and providing appropriately scoped
>>>                 actions.  My impression was that the Projects
>>>                 Committee was rolling forward quite well under this
>>>                 guidance, but it sounds like maybe I was wrong. Are
>>>                 there specific actions that you have tried to take
>>>                 on the committee that got blocked by the Board or
>>>                 hung up in "red tape"? Are there needs for funding
>>>                 that haven't been met?
>>>
>>>                 Regarding the project vs chapter funding schemas,
>>>                 I'm not sure that there is a good answer. Projects
>>>                 are typically made up of a pocket of individuals.
>>>                 Typically one leader with sometimes one or two
>>>                 others assisting. Chapters are typically anywhere
>>>                 from 20 people to hundreds.  We provide members with
>>>                 the ability to allocate their funds to either, but
>>>                 most associate themselves with a chapter rather than
>>>                 a project because that's where they participate. We
>>>                 also have chapters putting on conferences with the
>>>                 goal of raising funds.  I don't think there is
>>>                 anything preventing a project from doing the same,
>>>                 but I haven't seen it done at this point. Those are
>>>                 the two main ways that I see chapters raising
>>>                 money.  Yes, there is certainly a difference in
>>>                 schemas and projects will have a more difficult
>>>                 time, but that's also why OWASP has a project
>>>                 funding bucket.  Money from these local events as
>>>                 well as funds raised by our AppSec conferences gets
>>>                 budgeted specifically for this purpose.  To my
>>>                 knowledge, no reasonable request for funds by
>>>                 projects has been denied. Just because there isn't
>>>                 money sitting "ring fenced" in an account for the
>>>                 projects, doesn't mean that there isn't money that
>>>                 can be spent.  It just means that it needs to be
>>>                 requested from the pool. Yes, it's a different model
>>>                 of funding, but the end result is the same. There
>>>                 are funds available at OWASP for everyone who needs
>>>                 them.
>>>
>>>                 There are obviously many things that need to be
>>>                 improved at OWASP and, unfortunately, the Board has
>>>                 been tied up in rules, events, bylaws, etc. for a
>>>                 while now.  It's definitely not the "fun" part of
>>>                 the job and it is very time consuming. That said, I
>>>                 would argue that these are the things that need to
>>>                 be changed in order for everyone else (staff,
>>>                 community, etc) to be able to be better served. 
>>>                 We've made several changes to the Bylaws and are
>>>                 working on more.  We've hired an Executive Director
>>>                 (Paul), an Event Manager (Laura), a Community
>>>                 Manager (Noreen), and a Project Coordinator
>>>                 (Claudia) just in the almost two years that I've
>>>                 been on the Board. The needle on the compass is set
>>>                 and, while it takes some time to right the ship, we
>>>                 are getting there by giving our community the
>>>                 support it requires to be successful. So, here's my
>>>                 general thought:
>>>
>>>                 1) If it's within the scope of a defined Committee,
>>>                 JUST DO IT!
>>>
>>>                 2) If there's no Committee defined for it, CREATE
>>>                 ONE, then JUST DO IT!
>>>
>>>                 3) If a Committee doesn't make sense, ASK THE STAFF
>>>                 FOR IT!
>>>
>>>                 4) If asking the staff isn't working or we need to
>>>                 change a policy to make it happen, LET THE BOARD KNOW!
>>>
>>>                 The Board should be the last resort, in my opinion,
>>>                 not the first.  We should be the enabler, not the
>>>                 bottleneck.  I think that our leaders make too many
>>>                 assumptions (probably based on past Board actions)
>>>                 about what needs to go to the Board and we need to
>>>                 get away from that. Remember that the Board is just
>>>                 a handful of leaders who were elected to set the
>>>                 compass.  We have a finite number of things that we
>>>                 can handle and our Board meetings are typically
>>>                 overflowing with topics.  So, if something is
>>>                 bothering you, I would encourage you to change it.
>>>                 That's why, with the David Rook situation, I
>>>                 encouraged creation of a new Committee to determine
>>>                 a reasonable solution.  If it requires a policy
>>>                 change by the Board, then we can vote on that, but
>>>                 asking the Board to take action just perpetuates the
>>>                 oligarchy that you mention in your e-mail. Instead
>>>                 of pushing these issues up to the Board for action,
>>>                 let's have the community DECIDE what they want and
>>>                 have the Board change the compass needle via bylaws,
>>>                 policies, and staff discussions, accordingly.  At
>>>                 least, that's my vision for OWASP. Is that something
>>>                 that you can get on board with?
>>>
>>>                 ~josh
>>>
>>>                 On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel
>>>                 curiel <johanna.curiel at owasp.org
>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                     Members of the board,
>>>
>>>                     With the recent issue regarding David Rook, and
>>>                     my latest experience with red-tape, I'm
>>>                     proposing the following.
>>>
>>>                     My goal is to call your attention to these
>>>                     issues which I have been observing for years
>>>                     and not as a critique of your work, but I think
>>>                     if you do not pay attention to these issues and
>>>                     DO something about them, OWASP will lose
>>>                     valuable community participation.
>>>
>>>                       * When an initiative is proposed or launched
>>>                         by a member of the board, this should be
>>>                         followed up by a survey where the community
>>>                         can vote. Whether it is a rule or money, these
>>>                         decisions should be taken based on collected
>>>                         data and proper substantiation to avoid
>>>                         oligarchy
>>>                       * When an initiative is launched by a member
>>>                         of the community, especially when this
>>>                         initiative costs more than 10k, it should be
>>>                         substantiated with data on how this initiative
>>>                         will benefit the community. It should also be
>>>                         followed by a survey
>>>                       * Staff should help create the survey and
>>>                         analyse the votes
>>>                       * *In other words: do more surveys to find out
>>>                         what the community needs and wants.*
>>>
>>>                     My observations and where I think you need to
>>>                     give more attention:
>>>
>>>                       * Board/Executive director should work closer
>>>                         with the staff for guidance and empowering
>>>                         their role. I have the feeling that the
>>>                         staff is paralysed waiting for instructions
>>>                         or following strict rules. The staff should
>>>                         be motivated to take initiative and
>>>                         implement projects on their own that can
>>>                         help the community. They should not be too
>>>                         dependent on an Executive director or member
>>>                         of the board for this part
>>>
>>>                     As I see it, OWASP is known for its Project &
>>>                     Chapter leaders who as volunteers have
>>>                     contributed the most to put OWASP in the
>>>                     spotlight. Therefore:
>>>
>>>                       * You should determine and implement better
>>>                         ways to provide better funding schemas for
>>>                         projects. This is something a volunteer
>>>                         cannot do. And /nothing/ has been done to
>>>                         help solve this issue
>>>                       * There is an unfair inequality in the way
>>>                         chapters can generate funds vs Projects.
>>>                       * Money is locked down in the chapters' budget
>>>                       * Chapters outside the US & EU have more struggles
>>>                         to find support. You should consider a way
>>>                         to better support these ones since their
>>>                         countries are not as developed in the area of
>>>                         security as countries in the EU and US.
>>>                       * Follow up: when issues like David Rook or a
>>>                         volunteer rants (like me or others) out of
>>>                         frustration, take action. Put it on the
>>>                         agenda and try to solve and discuss the
>>>                         issues to improve the actual problems. So
>>>                         far I have seen very little follow up on
>>>                         major issues and discussions raised in the
>>>                         mailing lists
>>>                       * Way too much attention to rules, /events/ and
>>>                         bylaws etc. Time to take action and take
>>>                         decisions and propose plans for improvements
>>>                         of the actual situation mentioned above
>>>
>>>                     That being said, and with all due respect to
>>>                     you, I hope that you can take actions and
>>>                     /execute/ improvements that have been an issue
>>>                     since I joined OWASP 3 years ago.
>>>
>>>
>>>                     Regards
>>>
>>>
>>>                     Johanna
>>>
>>>
>>>
>>>
>>>
>>>
>>>                     _______________________________________________
>>>                     Governance mailing list
>>>                     Governance at lists.owasp.org
>>>                     <mailto:Governance at lists.owasp.org>
>>>                     https://lists.owasp.org/mailman/listinfo/governance
>>>
>>>
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         OWASP-Leaders mailing list
>>>         OWASP-Leaders at lists.owasp.org
>>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
> -- 
> You received this message because you are subscribed to the Google 
> Groups "OWASP Projects Task Force" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to projects-task-force+unsubscribe at owasp.org 
> <mailto:projects-task-force+unsubscribe at owasp.org>.
> To post to this group, send email to projects-task-force at owasp.org 
> <mailto:projects-task-force at owasp.org>.
> To view this discussion on the web visit 
> https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/0C3F284E-30CD-4D92-BE9A-29879EA25FF6%40owasp.org 
> <https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/0C3F284E-30CD-4D92-BE9A-29879EA25FF6%40owasp.org?utm_medium=email&utm_source=footer>.

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!