[Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Josh Sokol josh.sokol at owasp.org
Tue Aug 18 18:22:08 UTC 2015


I agree 100%, Eoin.  The rule is there for a reason.  Voting to change it is
one thing, but that change cannot be applied retroactively to the present
situation.  The Bylaws are very clear in that this should trigger a Board
vote to determine whether they should be removed.  I am absolutely pushing
for that vote to happen, regardless of whether it actually results in a
removal.  If the Board wants to evaluate a change to the Bylaws at a later
date, then so be it, but I will not support it.  The Board is a
commitment.  When you run, you are doing so knowing that meetings will not
always happen when convenient and that you are expected to attend 75% of
them.  There are certainly extenuating circumstances where a case could be
made here, but I don't think I've heard any thus far.

~josh

On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Sorry I have to write this email....but...
>
> I hope you don't change the rules just because certain members have not
> complied with them....
>
> I was forwarded some emails regarding board attendance today which make it
> appear that the 75% rule of board meeting attendance is now going to be
> changed because some folks on the board have issue with it.
>
> This is like turkeys voting for Christmas.
>
> I respectfully hope the board abides by its own guidelines; if not, I have
> great issue with the Foundation's governance.
>
> Respect for the good guys in OWASP.
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> Johanna,
>
>> As far as I remember, the idea was proposed to the board by you and the
>> board took the decision to implement Committee 2.0. I believe this was done
>> with all good intentions but is not working.
>>
>
> Actually, I would argue that even though there's only a single committee
> right now, it is working exactly as intended.  The truth is that OWASP's
> leadership sits somewhere in-between an Oligarchy (as you describe it) and
> an Anarchy.  We're currently somewhere between Democracy and Ochlocracy
> depending on the topic if you really want to get technical.  In any case,
> what you need to realize is that somebody needs to have the power to make
> decisions or decisions will never get made and we veer into Anarchy.  What
> Committees 2.0 did is specify that decision making power starts with the
> Board as they have the fiduciary responsibility for the OWASP Foundation in
> all legal sense.  What it also did is allow any of our leaders to carve out
> a piece of that power that they are passionate about and run with it, just
> as you did with projects.  I really thought that we would see some other
> committees pop up similar to what we had before in other core areas of
> OWASP like Governance or Chapters, but the fact that there isn't just tells
> me that as of yet, no leader is passionate enough about it to carve out
> that power.  Maybe it's because of time commitments or because of some
> perceived "red tape" or even (I hope) because most people think the Board
> is doing an OK job making decisions, but the fact is that the ability is
> there and you are an example of it being used.  So, as I said, the system
> is working.  Where there is a void in the community wanting to take the
> power to make decisions, the Board fills that void.  In other words, if the
> community really thinks that they can do something better than the Board,
> they can form a Committee (or "Action Team" or "Initiative" or whatever
> they want to call it), and do it.
>
>> Projects are global. They promote OWASP at a global level. What is OWASP
>> known for? For its chapters? Its conferences? I strongly believe OWASP is
>> known for its projects: Code Review, Testing Guide, the Cheat Sheets, ASVS,
>> ZAP... Many references in major publications refer to the OWASP Top Ten and
>> respect them because of its projects. PCI and major vendors use them as
>> reference and guidelines.
>>
>
> There is no doubt in my mind that Projects are important for OWASP.  They
> spread our mission in places where even our Chapters cannot go.  But, if
> you want to talk about where most people interface with OWASP, it's not
> projects, it's Chapters.  You won't find a reference in a major publication
> to the OWASP Austin Chapter, for example, but we held a CryptoParty in
> January and invited members of our community, the media, etc to participate
> because we wanted to educate others on the importance of privacy.  You're
> passionate about OWASP Projects, I get that, and I love it.  I'm passionate
> about OWASP Chapters.  Neither should be trivialized as they both play a
> very important role within OWASP.
>
>> What I would like to see is a better schema for them to get more awareness,
>> especially for people doing great things who, because of lack of funds, cannot
>> promote their projects. Chapters are rich, projects are poor. That is in my
>> opinion a huge imbalance.
>>
>
> We have many chapters with small bank accounts, some even negative, and a
> few with quite large accounts.  Total it all up and it's a pretty decent
> sum of money.  But, what you're arguing for here is effectively Socialism.
> You're saying that it doesn't matter that the OWASP chapter in Denver
> busted their ass (it is over a year's worth of effort by a team of people)
> to put on last year's AppSecUSA Conference.  It doesn't matter that it can
> cost a chapter hundreds if not thousands of dollars to rent meeting space,
> bring in food, fly in speakers, etc.  You only see that they have money,
> you do not, and you want it.  Not because you have a plan to spend it
> either, because if you did you could simply ask the Foundation for it, but
> because it is perceived as being disproportionate.  There is no payoff for
> OWASP's mission if we rob from the rich, give to the poor, and at the end
> of the day still just have money sitting in a savings account.  This
> highlights the underlying issue here.  The issue is not that Chapters or
> Projects HAVE money.  The issue is that they have money and are NOT
> SPENDING IT to further the OWASP Mission.  Thus, the approach to fix this
> issue (and I agree that it's an issue) shouldn't be to take away their
> money, it should be to get them to spend it.
>
>> The limit of USD 2,000 for supporting a project leader a year is for most
>> leaders not enough. If a leader outside the US or EU is invited to Black Hat,
>> that amount is not enough to cover his traveling expenses.  And that's the
>> maximum he can have in a year after filling in forms and going through some
>> back-and-forth emails with the staff...
>>
>
> Ahhhhh, finally we get to the root of the issue.  The issue isn't that
> money isn't available, because, frankly, we had a significant amount of
> money budgeted last year that wasn't used.  The issue is that there is a
> cap on what any one project leader can request/spend.  My personal opinion
> here is that this $2k cap should be treated as a guideline, not a rule.  It
> is likely in place to prevent abuse by having a significant amount of money
> from the pool go to any one individual.  But, that cap certainly should not
> prevent the OWASP Foundation from investing in the projects, and people
> behind the projects, to make them better.  The Board entrusts Paul, as
> Executive Director, and the OWASP staff to handle the day-to-day operations
> of the OWASP Foundation.  Part of their job is to review these types of
> requests in order to determine whether they make sense and there are funds
> available.  That said, if you get to a point where you feel that they are
> being unreasonable, the Board can certainly step in and try to determine if
> an exception should be made.  So, net-net, maybe that $2k cap is too low.
> Should we raise it?  If so, what should it be?  What amount would be
> reasonable for any one individual to consume from that shared pool of
> funds?  Guidelines can be changed.  Guidelines can even be overruled for
> the right reasons.  This is a relatively minor issue that it sounds like
> should be re-evaluated given rising costs, bigger budget pools, unused
> funds, etc.  Can you please come up with a reasonable proposal here and I
> will take that to the Board for approval to change this guideline?
>
>> Should we scrap projects and focus on being a dedicated conference
>> organisation? That's what I see is happening, whether consciously or not.
>>
>
> Your perception is VERY far from the truth.  I've spent the past 8.5 years
> working with the OWASP Austin chapter and I've seen it grow from literally
> 3 people in a monthly meeting to around 70.  You, yourself, even said that
> OWASP is being referenced in major publications and our tools are being
> used around the globe.  That said, keep in mind that the OWASP mission is
> one of education, and conferences address that mission directly.  They are
> also the main fundraiser that helps to make sure that our chapters and
> projects have the money that they need in order to be successful.
>
>> Should we scrap conferences and focus on gathering those funds to create
>> better platforms for projects and become the next Apache Foundation?
>>
>
> Where do you think those funds would come from?  By far, the majority of
> OWASP's annual revenue comes from AppSecUSA and AppSecEU.  To be frank,
> OWASP would be VERY different if it weren't for our conferences.
>
>> Should we use crowdsourcing for gathering funds for projects through the
>> OWASP Foundation?
>>
>
> This is not a mutually exclusive solution.  Yes, absolutely, use
> crowdfunding to gather funds for projects.  Please prove out this model of
> bringing another revenue source to OWASP.  I would imagine that this is a
> way that projects would be able to get funds that a chapter never could.
>
>> Project summits = events. That's what I'm proposing: that Summits are
>> treated like events to generate money for projects so they also have a fair
>> way to generate money, as chapters do. They will depend less on sponsors
>> with commercial intentions.
>>
>
> OK, but every project summit that we have had thus far has cost OWASP
> money, not made it.  Speaking as the former Co-Chair of LASCON and
> AppSecUSA, I can tell you that these types of events are a lot of work and
> that it is difficult to attract attendees.  Attendees actually barely end
> up covering their own costs (food, schwag, etc).  Sponsors and trainings
> are usually the ones who generate the profit for these events.  So, let's
> say you do a project summit.  How would you intend to attract attendees who
> are willing to pay for the content?  If not, how would you intend to
> attract sponsors whose sole purpose in being there is to sell product to
> the attendees?  Especially if you don't want sponsors with commercial
> intentions.  You would be lucky if you get enough sponsors to cover costs.
> Or, in the situation of every past project summit that we've had, the
> Foundation ends up covering the difference.  I'm not saying that you
> shouldn't try to prove out this model.  I'm saying that it hasn't been
> proven to date.  Also, it's a bit naive to say that chapters leveraging
> their members and holding a conference isn't "fair".  We should be
> encouraging as many endeavors as we can at OWASP that spread our mission.
> Even more so if they generate additional revenue because that helps to
> further our mission even more after the conference is over.  Nothing is
> stopping a project from having a conference.  This isn't a matter of "fair"
> or "unfair".  It's a matter of a team of people putting in the effort and
> making it happen.  Please don't trivialize those efforts.
>
>> Also more focus on crowdsourcing projects. If people find it a great idea
>> they will sponsor it.
>>
>
> As I said above, I think this is a great idea.  Let's do it!
>
>> I will ask the staff to create a survey and ask the community about it.
>> This is my proposal and based on those results I hope and expect the board
>> to take action.
>
>
> Ask the staff to create a survey?  Why not make the survey yourself?  What
> exactly are we surveying and why?  The only thing that I think you've
> identified as an actual issue preventing projects from operating
> efficiently is a cap on the amount of funding available.  That doesn't
> require a survey to get changed, just a plan and an approval.  I can't
> guarantee support or action as it depends on the varying opinions of 7
> unique individuals, but the Board would certainly evaluate any proposal
> that is put on the table.
>
> ~josh
>
> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Josh,
>>
>> As far as I remember, the idea was proposed to the board by you and the
>> board took the decision to implement Committee 2.0. I believe this was done
>> with all good intentions but is not working.
>> http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>
>> In this same email Sarah mentions:
>>
>> The 2008 committees worked, for the most part, independently of each other.
>> This often created duplicate or even conflicting efforts leading to frustration.
>>
>> Results now: I'm the only committee, called the Project Task Force. Maybe
>> that's why no one wants to create any more committees.
>>
>> Projects are global. They promote OWASP at a global level. What is OWASP
>> known for? For its chapters? Its conferences? I strongly believe OWASP is
>> known for its projects: Code Review, Testing Guide, the Cheat Sheets, ASVS,
>> ZAP... Many references in major publications refer to the OWASP Top Ten and
>> respect them because of its projects. PCI and major vendors use them as
>> reference and guidelines.
>>
>> What I would like to see is a better schema for them to get more awareness,
>> especially for people doing great things who, because of lack of funds, cannot
>> promote their projects. Chapters are rich, projects are poor. That is in my
>> opinion a huge imbalance.
>>
>> The limit of USD 2,000 for supporting a project leader a year is for most
>> leaders not enough. If a leader outside the US or EU is invited to Black Hat,
>> that amount is not enough to cover his traveling expenses.  And that's the
>> maximum he can have in a year after filling in forms and going through some
>> back-and-forth emails with the staff...
>>
>>
>>    - Should we scrap projects and focus on being a dedicated conference
>>    organisation? That's what I see is happening, whether consciously or not.
>>    - Should we scrap conferences and focus on gathering those funds to
>>    create better platforms for projects and become the next Apache
>>    Foundation?
>>    - Should we use crowdsourcing for gathering funds for projects through
>>    the OWASP Foundation?
>>
>>
>> I would like to see a solution to this or an action.
>>
>> Project summits = events. That's what I'm proposing: that Summits are
>> treated like events to generate money for projects so they also have a fair
>> way to generate money, as chapters do. They will depend less on sponsors
>> with commercial intentions (easier to avoid Logogate issues and projects
>> with the intention to promote appsec companies). Also more focus on
>> crowdsourcing projects. If people find it a great idea they will sponsor
>> it.
>>
>> I will ask the staff to create a survey and ask the community about it.
>> This is my proposal and based on those results I hope and expect the board
>> to take action.
>>
>> regards
>>
>> Johanna
>>
>>
>>
>> On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles <mario.robles at owasp.org>
>> wrote:
>>
>>> Hey Josh,
>>>
>>> I could be wrong, but the term "Committee" is commonly associated with
>>> "bureaucracy", even if that's not what you meant; at least it was the first
>>> thing that came to mind. I'm sure that if you change the word "Committee" to
>>> something like "Action Team" it would be better accepted.
>>>
>>> Just my point of view,
>>>
>>> Mario
>>>
>>>
>>> On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>
>>> I think we need to create Project Summits in the form of events with the
>>>> whole purpose to gather funds for projects
>>>>
>>>
>>> Please forgive my ignorance.  How does a Project Summit generate funds
>>> for project?  Every Project Summit that we have had to date has cost the
>>> Foundation money, hasn't it?  Can you please elaborate?
>>>
>>>> Look, the Denver chapter has around 50K in their bucket. The richest Project
>>>> is ZAP with 10k... but that's the exception. Even worse when you look at
>>>> chapters outside the US or EU: mine has only USD 40. Most projects have
>>>> zero dollars.
>>>>
>>>
>>> I'm not sure I understand the fixation on what other chapters have in
>>> their bucket.  They have these funds because they worked hard to obtain
>>> them.  In the case of Denver, they ran last year's AppSecUSA Conference.
>>> Just because they have money in their account, it doesn't mean that you
>>> aren't able to do things with the $40 you have in your account.  It just
>>> means that they have to use their account funds first before being able to
>>> use money from the Foundation pool while you would need to request funds
>>> from that pool for anything over $40.  Any sort of reallocation just moves
>>> the "ring fenced funds" issue to another account.  The model of chapters
>>> and projects having accounts is not what's broken here.  It's the model of
>>> chapters and projects saving their funds instead of spending them.  This is
>>> why I voted "no" on the Summer of Code initiative.  It was giving money to
>>> those who already had it and not forcing them to spend their funds first.
>>> In any case, I'm not sure I understand why the amount of money Denver has
>>> in their account has any impact on any other chapter or project other than
>>> themselves.  We have tens of thousands of dollars allocated by the
>>> Foundation to projects and chapters on an annual basis, much of which goes
>>> completely unused.  There is money available at OWASP for those who need it
>>> and I have yet to hear of a situation where someone was told otherwise.
>>>
>>>> Yes, but how do they know where to go? That's why the survey. The survey
>>>> is the compass. And the leaders are elected to listen to the community.
>>>>
>>>
>>> I agree with this notion.  The OWASP Board should act in accordance with
>>> the desires of the community and should be doing frequent checks to confirm
>>> that initiatives are aligned.
>>>
>>> So the committee concept in theory seemed like a great idea but in
>>>> practice is not working because in my eyes, creating a committee is
>>>> creating a mini board inside OWASP.
>>>>
>>>
>>> To be honest, I have been surprised by the lack of desire to participate
>>> in OWASP Committees.  The community has said that they want empowerment and
>>> the goal of the committees was to do that.  But, now that it's there,
>>> nobody wants it?  Your example with John Lita follows the Committees 2.0
>>> process almost verbatim.  The only difference is that it provides scoping
>>> to ensure that we don't have competing, or even worse, conflicting
>>> initiatives and it specifies that the individuals involved need to work
>>> within that scope.  Without it, you have a loosely knit group of people
>>> running around with their own individual initiatives.  At that level, OWASP
>>> is just a funding source for experimentation, not a Foundation.  There is
>>> no accountability, but the liability on the Foundation is still there.
>>> Legally, we can't just have people running around spending money without
>>> any form of guidance.
>>>
>>>> Allow me, and let the staff know that they should support me and any
>>>> other volunteers seeking to implement their ideas ;-).
>>>> Let's cut the red tape with committees and let people know that if they
>>>> want to do something,
>>>>
>>>>    - Contact the staff.
>>>>    - Set up a survey and gather support
>>>>    - Need more money? Set up a crowd funding project @
>>>>    https://www.kickstarter.com under OWASP
>>>>    - Volunteers implement the idea or project with the support of OWASP
>>>>    staff and other volunteers
>>>>
>>> I'm not sure how this is that much different from a Committee.  Contact
>>> the community via the mailing list and gather support, scope the activities
>>> (i.e. define the project), Board ensures that there's no conflict, do your
>>> thing.  The "red tape" that you keep referring to is just a process
>>> document that walks you through how to set up a committee.  After that's
>>> done, the idea was to empower you to act within the defined scope without
>>> going to the Board.  If we're talking specifically about projects, which it
>>> sounds like this is geared towards, then it's even easier.  Register as a
>>> project (so that staff knows you exist and can support you) and do your
>>> thing.  If you need money, ask for it.  I'm not sure I see the problem
>>> here.  I'm also not sure what you're asking for as it doesn't seem that
>>> different to me than how the status quo is supposed to operate.  Is it
>>> operating differently in practice than it should in theory?  I don't have
>>> an OWASP project and so perhaps I'm blind to the realities.  If so, then
>>> the specific issues need to be addressed by bylaw change, policy change,
>>> staff engagement, etc.  So far, all you've said is "projects need money",
>>> which you have access to, and "cut the red tape", of which I don't see
>>> anything more than a step to say "Hey, I want to be a project".  Please
>>> help me to understand.
>>> ~josh
>>>
>>> On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>>  >I don't think there is anything preventing a project from doing the
>>>> same, but I haven't seen it done at this point.
>>>>
>>>> I think we need to create Project Summits in the form of events with
>>>> the whole purpose to gather funds for projects. OpenSAMM has done this and
>>>> I think we can try that. For that we need the support of the staff Business
>>>> Liaison and Event Manager, just as they put their work and efforts into Events
>>>> and AppSecs. Here a cut share between OWASP staff time and projects can also
>>>> be done.
>>>>
>>>>  >OWASP has a project funding bucket.
>>>> Look, the Denver chapter has around 50K in their bucket. The richest
>>>> Project is ZAP with 10k... but that's the exception. Even worse when you
>>>> look at chapters outside the US or EU: mine has only USD 40. Most
>>>> projects have zero dollars.
>>>> And the limits right now are a support but do not help to get important
>>>> things moving, like the OWASP Academy portal, leaders like Azzedine assisting
>>>> and showcasing his chapter or project, or other more complex initiatives, or
>>>> major improvements or promotions to their projects.
>>>>
>>>>   >Remember that the Board is just a handful of leaders who were
>>>> elected to set the compass.
>>>>   Yes, but how do they know where to go? That's why the survey. The
>>>> survey is the compass. And the leaders are elected to listen to the
>>>> community.
>>>>
>>>> And About committees...
>>>> The only existing active committee right now is the Project Review
>>>> (which I myself still call a taskforce). I haven't seen much initiative or
>>>> participation from other committees. So the committee concept in theory
>>>> seemed like a great idea but in practice is not working because, in my eyes,
>>>> creating a committee is creating a mini board inside OWASP. We do not want
>>>> to create oligarchies in the end.
>>>>
>>>>   I think we should cut off that committee idea and be more practical.
>>>> More like this
>>>>
>>>>   Example:
>>>>
>>>>
>>>>    - John Lita wants to create an academy portal but developing it
>>>>    costs money and resources that volunteers alone cannot easily pull
>>>>    off (the owaspa project was the same and died, just like many educational
>>>>    initiatives)
>>>>    - John must create a proposal with defined goals and how to reach
>>>>    them. He joins other volunteers in this effort. No need to be a committee.
>>>>    - John & Claudia create a survey and seek support of the community
>>>>    - If the idea has major feedback and volunteers, then John has
>>>>    the support from the staff to execute, including looking for sponsors using
>>>>    crowdsource funding portals
>>>>    - Staff monitors development and results of the actions taken
>>>>    - Staff reports results back to the community
>>>>
>>>> This is in my eyes how I have been working in the end, because, as
>>>> volunteers, available time mostly depends on one or 2 passionate
>>>> individuals like John-Lita, who are more dedicated, and the rest follow...
>>>>
>>>> Now if we want to change things, don't tell me to set up a committee,
>>>> because Josh, this has not worked so far.
>>>>
>>>> Allow me, and let the staff know that they should support me and any
>>>> other volunteers seeking to implement their ideas ;-).
>>>> Let's cut the red tape with committees and let people know that if they
>>>> want to do something,
>>>>
>>>>    - Contact the staff.
>>>>    - Set up a survey and gather support
>>>>    - Need more money? Set up a crowd funding project @
>>>>    https://www.kickstarter.com under OWASP
>>>>    - Volunteers implement the idea or project with the support of OWASP
>>>>    staff and other volunteers
>>>>
>>>> How do we get this idea to action?
>>>> Shall we create a survey?
>>>> Do you need to discuss this in a board meeting?
>>>> How do I get empowered and let the staff know that as a volunteer I
>>>> have your support for this? (if I do?)
>>>>
>>>> You see... how dependent I am on the board to be able to execute?
>>>>
>>>> Of course I can always do this on my own, but then I'd better do it
>>>> without OWASP...
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Johanna,
>>>>>
>>>>> Thank you for putting your thoughts out there for everyone.  Silence
>>>>> is not good for anyone and OWASP will be far more successful if we know
>>>>> what our leaders are struggling with and make a conscious effort to improve
>>>>> it.  I think that many of your points are very valid and strongly support
>>>>> the idea of polls to gauge community support for actions being taken.  I
>>>>> also support the idea that the Board should be making as few of these
>>>>> decisions as possible and putting the power back in the hands of the
>>>>> community with support from the staff.  The Board should be the "compass"
>>>>> making sure that we are moving in the right direction with the community
>>>>> and staff being the ones actually pushing us forward.  That's not to say
>>>>> that members of the Board won't have their own projects or initiatives, but
>>>>> they do so as part of the community, not because of their roles on the
>>>>> Board.  The Committees 2.0 framework was a first step in driving this level
>>>>> of empowerment back to the community while maintaining accountability and
>>>>> providing appropriately scoped actions.  My impression was that the
>>>>> Projects Committee was rolling forward quite well under this guidance, but
>>>>> it sounds like maybe I was wrong.  Are there specific actions that you have
>>>>> tried to take on the committee that got blocked by the Board or hung up in
>>>>> "red tape"?  Are there needs for funding that haven't been met?
>>>>>
>>>>> Regarding the project vs chapter funding schemas, I'm not sure that
>>>>> there is a good answer.  Projects are typically made up of a pocket of
>>>>> individuals.  Typically one leader with sometimes one or two others
>>>>> assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
>>>>> provide members with the ability to allocate their funds to either, but
>>>>> most associate themselves with a chapter rather than a project because
>>>>> that's where they participate.  We also have chapters putting on
>>>>> conferences with the goal of raising funds.  I don't think there is
>>>>> anything preventing a project from doing the same, but I haven't seen it
>>>>> done at this point.  Those are the two main ways that I see chapters
>>>>> raising money.  Yes, there is certainly a difference in schemas and
>>>>> projects will have a more difficult time, but that's also why OWASP has a
>>>>> project funding bucket.  Money from these local events as well as funds
>>>>> raised by our AppSec conferences gets budgeted specifically for this
>>>>> purpose.  To my knowledge, no reasonable request for funds by projects has
>>>>> been denied.  Just because there isn't money sitting "ring fenced" in an
>>>>> account for the projects, doesn't mean that there isn't money that can be
>>>>> spent.  It just means that it needs to be requested from the pool.  Yes,
>>>>> it's a different model of funding, but the end result is the same.  There
>>>>> are funds available at OWASP for everyone who needs them.
>>>>>
>>>>> There are obviously many things that need to be improved at OWASP and,
>>>>> unfortunately, the Board has been tied up in rules, events, bylaws, etc for
>>>>> a while now.  It's definitely not the "fun" part of the job and it is very
>>>>> time consuming.  That said, I would argue that these are the things that
>>>>> need to be changed in order for everyone else (staff, community, etc) to be
>>>>> able to be better served.  We've made several changes to the Bylaws and are
>>>>> working on more.  We've hired an Executive Director (Paul), an Event
>>>>> Manager (Laura), a Community Manager (Noreen), and a Project Coordinator
>>>>> (Claudia) just in the almost two years that I've been on the Board.  The
>>>>> needle on the compass is set and, while it takes some time to right the
>>>>> ship, we are getting there by giving our community the support it requires
>>>>> to be successful.  So, here's my general thought:
>>>>>
>>>>> 1) If it's within the scope of a defined Committee, JUST DO IT!
>>>>>
>>>>> 2) If there's no Committee defined for it, CREATE ONE, then JUST DO IT!
>>>>>
>>>>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>>>>
>>>>> 4) If asking the staff isn't working or we need to change a policy to
>>>>> make it happen, LET THE BOARD KNOW!
>>>>>
>>>>> The Board should be the last resort, in my opinion, not the first.  We
>>>>> should be the enabler, not the bottleneck.  I think that our leaders make
>>>>> too many assumptions (probably based on past Board actions) about what
>>>>> needs to go to the Board and we need to get away from that.  Remember that
>>>>> the Board is just a handful of leaders who were elected to set the
>>>>> compass.  We have a finite number of things that we can handle and our
>>>>> Board meetings are typically overflowing with topics.  So, if something is
>>>>> bothering you, I would encourage you to change it.  That's why, with the
>>>>> David Rook situation, I encouraged creation of a new Committee to determine
>>>>> a reasonable solution.  If it requires a policy change by the Board, then
>>>>> we can vote on that, but asking the Board to take action just perpetuates
>>>>> the oligarchy that you mention in your e-mail.  Instead of pushing these
>>>>> issues up to the Board for action, let's have the community DECIDE what
>>>>> they want and have the Board change the compass needle via bylaws,
>>>>> policies, and staff discussions, accordingly.  At least, that's my vision
>>>>> for OWASP.  Is that something that you can get on board with?
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Members of the board,
>>>>>>
>>>>>> With the recent issue regarding David Rook, and my latest experience
>>>>>> with red-tape, I'm proposing the following.
>>>>>>
>>>>>> My goal is to call your attention to these issues, which I have been
>>>>>> observing for years, not as a critique of your work, but I think if
>>>>>> you do not pay attention to these issues and DO something about them, OWASP
>>>>>> will lose valuable community participation.
>>>>>>
>>>>>>    - When an initiative is proposed or launched by a member of the
>>>>>>    board, this should be followed up by a survey where the community can
>>>>>>    vote. Whether it is a rule or money, these decisions should be taken based on
>>>>>>    collected data and proper substantiation to avoid oligarchy
>>>>>>    - When an initiative is launched by a member of the community,
>>>>>>    especially when this initiative costs more than 10k, it should be
>>>>>>    substantiated with data on how this initiative will benefit the community.
>>>>>>    It should also be followed by a survey
>>>>>>    - Staff should help create the survey and analyse the votes
>>>>>>    - *In other words: do more surveys to find out what the community
>>>>>>    needs and wants.*
>>>>>>
>>>>>> My observations and where I think you need to give more attention:
>>>>>>
>>>>>>
>>>>>>    - The Board/Executive Director should work more closely with the staff for
>>>>>>    guidance and to empower their role. I have the feeling that the staff is
>>>>>>    paralysed waiting for instructions or following strict rules. The staff
>>>>>>    should be motivated to take initiative and implement projects on their own
>>>>>>    that can help the community. They should not be too dependent on an
>>>>>>    Executive Director or member of the board for this part
>>>>>>
>>>>>> As I see it, OWASP is known for its Project & Chapter leaders who,
>>>>>> as volunteers, have contributed the most to put OWASP in the spotlight.
>>>>>> Therefore:
>>>>>>
>>>>>>
>>>>>>    - You should determine and implement better ways to provide
>>>>>>    better funding schemes for projects. This is something a volunteer cannot
>>>>>>    do. And *nothing* has been done to help solve this issue
>>>>>>    - There is an unfair inequality in the way chapters can generate
>>>>>>    funds vs Projects.
>>>>>>    - Money is locked down in the chapters' budget
>>>>>>    - Chapters outside the US & EU have more struggles to find support.
>>>>>>    You should consider a way to better support these ones, since their
>>>>>>    countries are not as developed in the area of security as countries in the EU and
>>>>>>    US.
>>>>>>    - Follow up: when issues like David Rook arise or a volunteer
>>>>>>    rants (like me or others) out of frustration, take action. Put it on the
>>>>>>    agenda and try to discuss and solve the issues to improve the actual
>>>>>>    problems. So far I have seen very little follow up on major issues and
>>>>>>    discussions raised in the mailing lists
>>>>>>    - Way too much attention to rules, *events* and bylaws etc. Time
>>>>>>    to take action, take decisions and propose plans for improvement of the
>>>>>>    actual situation mentioned above
>>>>>>
>>>>>> That being said, and with all due respect to you, I hope that you can
>>>>>> take action and *execute* improvements on what has been an issue
>>>>>> since I joined OWASP 3 years ago.
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Governance mailing list
>>>>>> Governance at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance
>
>