[Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Jim Manico jim.manico at owasp.org
Tue Aug 18 18:38:53 UTC 2015


Ok Eoin and Josh, I re-read the bylaws and yes they currently do call 
for a board vote. I support following the current bylaws and we should vote.

But I also think these should be loosened to account for forcing a board 
member into two midnight meetings. That's not reasonable. This does not 
impact me, I do not sleep that much. But I am concerned about other 
board members with tight schedules and family to consider.

Aloha,
Jim


On 8/18/15 8:23 AM, Eoin Keary wrote:
> I'm unsure of the context here but retrofitting rules is generally 
> bad. Changing rules going forward via vote is different.
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 18 Aug 2015, at 19:10, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>> Eoin,
>>
>> The board is scattered all over the world right now. Some of our 
>> meetings were in the middle of the night for other board members. So 
>> while we have board attendance rules, we have to vote to remove a 
>> board member due to lack of attendance.  I think it's reasonable, 
>> even if we disagree. We are also considering changing the 
>> participation rules.
>>
>> Is that acceptable to you?
>>
>> Aloha,
>> Jim
>>
>>
>> On 8/18/15 8:04 AM, Eoin Keary wrote:
>>> Sorry I have to write this email....but...
>>>
>>> I hope you don't change the rules just because certain members have 
>>> not complied with them....
>>>
>>> I was forwarded some emails regarding board attendance today which 
>>> appear that the 75% rule of board meeting attendance is now going to 
>>> be changed because some folks on the board have issue with it.
>>>
>>> This is like turkeys voting for Christmas.
>>>
>>> I respectfully hope the board abides by its own guidelines; if not, 
>>> I have great issue with the foundation's governance.
>>>
>>> Respect, for the good guys in OWASP.
>>>
>>>
>>> Eoin Keary
>>> OWASP Volunteer
>>> @eoinkeary
>>>
>>>
>>>
>>> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> Johanna,
>>>>
>>>>     So far as I remember, the idea was proposed to the board by you
>>>>     and the board took the decision to implement Committee 2.0. I
>>>>     believe this was done with all good intentions but is not working.
>>>>
>>>>
>>>> Actually, I would argue that even though there's only a single 
>>>> committee right now, it is working exactly as intended.  The truth 
>>>> is that OWASP's leadership sits somewhere in-between an Oligarchy 
>>>> (as you describe it) and an Anarchy.  We're currently somewhere 
>>>> between Democracy and Ochlocracy depending on the topic if you 
>>>> really want to get technical.  In any case, what you need to 
>>>> realize is that somebody needs to have the power to make decisions 
>>>> or decisions will never get made and we veer into Anarchy.  What 
>>>> Committees 2.0 did is specify that decision making power starts 
>>>> with the Board as they have the fiduciary responsibility for the 
>>>> OWASP Foundation in all legal sense.  What it also did is allow any 
>>>> of our leaders to carve out a piece of that power that they are 
>>>> passionate about and run with it, just as you did with projects.  I 
>>>> really thought that we would see some other committees pop up 
>>>> similar to what we had before in other core areas of OWASP like 
>>>> Governance or Chapters, but the fact that there isn't just tells me 
>>>> that as of yet, no leader is passionate enough about it to carve 
>>>> out that power.  Maybe it's because of time commitments or because 
>>>> of some perceived "red tape" or even (I hope) because most people 
>>>> think the Board is doing an OK job making decisions, but the fact 
>>>> is that the ability is there and you are an example of it being 
>>>> used.  So, as I said, the system is working.  Where this is a void 
>>>> in the community wanting to take the power to make decisions, the 
>>>> Board fills that void.  In other words, if the community really 
>>>> thinks that they can do something better than the Board, they can 
>>>> form a Committee (or "Action Team" or "Initiative" or whatever they 
>>>> want to call it), and do it.
>>>>
>>>>     Projects are global. They promote OWASP at a global level. What
>>>>     is OWASP known for? For its chapters? Its conferences? I
>>>>     strongly believe OWASP is known for its projects: Code Review,
>>>>     Testing Guide, the Cheat Sheets, ASVS, ZAP... Many references
>>>>     in major publications refer to the OWASP Top Ten and respect them
>>>>     because of its projects. PCI and major vendors use them as
>>>>     reference and guidelines.
>>>>
>>>>
>>>> There is no doubt in my mind that Projects are important for 
>>>> OWASP.  They spread our mission in places where even our Chapters 
>>>> cannot go.  But, if you want to talk about where most people 
>>>> interface with OWASP, it's not projects, it's Chapters.  You won't 
>>>> find a reference in a major publication to the OWASP Austin 
>>>> Chapter, for example, but we held a CryptoParty in January and 
>>>> invited members of our community, the media, etc to participate 
>>>> because we wanted to educate others on the importance of privacy.  
>>>> You're passionate about OWASP Projects, I get that, and I love it.  
>>>> I'm passionate about OWASP Chapters.  Neither should be trivialized 
>>>> as they both play a very important role within OWASP.
>>>>
>>>>     What I would like to see is a better schema for them to get more
>>>>     awareness, especially people doing great things who because of
>>>>     lack of funds cannot promote their projects. Chapters are rich,
>>>>     projects are poor. That is in my opinion a huge imbalance.
>>>>
>>>>
>>>> We have many chapters with small bank accounts, some even negative, 
>>>> and a few with quite large accounts.  Total it all up and it's a 
>>>> pretty decent sum of money.  But, what you're arguing for here is 
>>>> effectively Socialism.  You're saying that it doesn't matter that 
>>>> the OWASP chapter in Denver busted their ass (it is over a year's 
>>>> worth of effort by a team of people) to put on last year's 
>>>> AppSecUSA Conference.  It doesn't matter that it can cost a chapter 
>>>> hundreds if not thousands of dollars to rent meeting space, bring 
>>>> in food, fly in speakers, etc.  You only see that they have money, 
>>>> you do not, and you want it.  Not because you have a plan to spend 
>>>> it either, because if you did you could simply ask the Foundation 
>>>> for it, but because it is perceived as being disproportionate.  
>>>> There is no payoff for OWASP's mission if we rob from the rich, 
>>>> give to the poor, and at the end of the day still just have money 
>>>> sitting in a savings account.  This highlights the underlying issue 
>>>> here.  The issue is not that Chapters or Projects HAVE money.  The 
>>>> issue is that they have money and are NOT SPENDING IT to further 
>>>> the OWASP Mission.  Thus, the approach to fix this issue (and I 
>>>> agree that it's an issue) shouldn't be to take away their money, it 
>>>> should be to get them to spend it.
>>>>
>>>>     The limit of USD 2,000 for supporting a project leader a year
>>>>     is for most leaders not enough. If a leader outside the US or EU is
>>>>     invited to Black Hat, that amount is not enough to cover his
>>>>     traveling expenses.  And that's the maximum he can have in a
>>>>     year after filling in forms and going through some
>>>>     back-and-forth emails with the staff...
>>>>
>>>>
>>>> Ahhhhh, finally we get to the root of the issue. The issue isn't 
>>>> that money isn't available, because, frankly, we had a significant 
>>>> amount of money budgeted last year that wasn't used.  The issue is 
>>>> that there is a cap on what any one project leader can 
>>>> request/spend.  My personal opinion here is that this $2k cap 
>>>> should be treated as a guideline, not a rule.  It is likely in 
>>>> place to prevent abuse by having a significant amount of money from 
>>>> the pool go to any one individual.  But, that cap certainly should 
>>>> not prevent the OWASP Foundation from investing in the projects, 
>>>> and people behind the projects, to make them better.  The Board 
>>>> entrusts Paul, as Executive Director, and the OWASP staff to handle 
>>>> the day-to-day operations of the OWASP Foundation.  Part of their 
>>>> job is to review these types of requests in order to determine 
>>>> whether they make sense and there are funds available.  That said, 
>>>> if you get to a point where you feel that they are being 
>>>> unreasonable, the Board can certainly step in and try to determine 
>>>> if an exception should be made.  So, net-net, maybe that $2k cap is 
>>>> too low. Should we raise it?  If so, what should it be?  What 
>>>> amount would be reasonable for any one individual to consume from 
>>>> that shared pool of funds?  Guidelines can be changed.  Guidelines 
>>>> can even be overruled for the right reasons.  This is a relatively 
>>>> minor issue that it sounds like should be re-evaluated given rising 
>>>> costs, bigger budget pools, unused funds, etc.  Can you please come 
>>>> up with a reasonable proposal here and I will take that to the 
>>>> Board for approval to change this guideline?
>>>>
>>>>     Should we scrap projects and focus on being a dedicated conference
>>>>     organisation?... That's what I see is happening, whether
>>>>     consciously or not.
>>>>
>>>>
>>>> Your perception is VERY far from the truth.  I've spent the past 
>>>> 8.5 years working with the OWASP Austin chapter and I've seen it 
>>>> grow from literally 3 people in a monthly meeting to around 70.  
>>>> You, yourself, even said that OWASP is being referenced in major 
>>>> publications and our tools are being used around the globe.  That 
>>>> said, keep in mind that the OWASP mission is one of education, and 
>>>> conferences address that mission directly.  They are also the main 
>>>> fundraiser that helps to make sure that our chapters and projects 
>>>> have the money that they need in order to be successful.
>>>>
>>>>     Should we scrap conferences and focus on gathering those funds to
>>>>     create a better platform for projects and become the next
>>>>     Apache Foundation?
>>>>
>>>>
>>>> Where do you think those funds would come from? By far, the 
>>>> majority of OWASP's annual revenue comes from AppSecUSA and 
>>>> AppSecEU.  To be frank, OWASP would be VERY different if it weren't 
>>>> for our conferences.
>>>>
>>>>     Should we use crowdsourcing for gathering funds for projects
>>>>     through the OWASP Foundation?
>>>>
>>>>
>>>> This is not a mutually exclusive solution.  Yes, absolutely, use 
>>>> crowdfunding to gather funds for projects.  Please prove out this 
>>>> model of bringing another revenue source to OWASP.  I would imagine 
>>>> that this is a way that projects would be able to get funds that a 
>>>> chapter never could.
>>>>
>>>>     Project summits = events. That's what I'm proposing: that
>>>>     summits are treated like events to generate money for projects,
>>>>     so they also have a fair way to generate money as chapters do.
>>>>     They will depend less on sponsors with commercial intentions.
>>>>
>>>>
>>>> OK, but every project summit that we have had thus far has cost 
>>>> OWASP money, not made it. Speaking as the former Co-Chair of LASCON 
>>>> and AppSecUSA, I can tell you that these types of events are a lot 
>>>> of work and that it is difficult to attract attendees.  Attendees 
>>>> actually barely end up covering their own costs (food, schwag, 
>>>> etc). Sponsors and trainings are usually the ones who generate the 
>>>> profit for these events.  So, let's say you do a project summit.  
>>>> How would you intend to attract attendees who are willing to pay 
>>>> for the content?  If not, how would you intend to attract sponsors 
>>>> whose sole purpose in being there is to sell product to the 
>>>> attendees?  Especially if you don't want sponsors with commercial 
>>>> intentions.  You would be lucky if you get enough sponsors to cover 
>>>> costs.  Or, in the situation of every past project summit that 
>>>> we've had, the Foundation ends up covering the difference.  I'm not 
>>>> saying that you shouldn't try to prove out this model.  I'm saying 
>>>> that it hasn't been proven to date.  Also, it's a bit naive to say 
>>>> that chapters leveraging their members and holding a conference 
>>>> isn't "fair".  We should be encouraging as many endeavors as we can 
>>>> at OWASP that spread our mission.  Even more so if they generate 
>>>> additional revenue because that helps to further our mission even 
>>>> more after the conference is over.  Nothing is stopping a project 
>>>> from having a conference.  This isn't a matter of "fair" or 
>>>> "unfair".  It's a matter of a team of people putting in the effort 
>>>> and making it happen.  Please don't trivialize those efforts.
>>>>
>>>>     Also more focus on crowdsourcing projects. If people find it a
>>>>     great idea they will sponsor it.
>>>>
>>>>
>>>> As I said above, I think this is a great idea. Let's do it!
>>>>
>>>>     I will ask the staff to create a survey and ask the community
>>>>     about it.  This is my proposal and based on those results I
>>>>     hope and expect the board to take actions.
>>>>
>>>>
>>>> Ask the staff to create a survey?  Why not make the survey 
>>>> yourself?  What exactly are we surveying and why?  The only thing 
>>>> that I think you've identified as an actual issue preventing 
>>>> projects from operating efficiently is a cap on the amount of 
>>>> funding available.  That doesn't require a survey to get changed, 
>>>> just a plan and an approval.  I can't guarantee support or action 
>>>> as it depends on the varying opinions of 7 unique individuals, but 
>>>> the Board would certainly evaluate any proposal that is put on the 
>>>> table.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel 
>>>> <johanna.curiel at owasp.org> wrote:
>>>>
>>>>     Josh,
>>>>
>>>>     So far as I remember, the idea was proposed to the board by you
>>>>     and the board took the decision to implement Committee 2.0. I
>>>>     believe this was done with all good intentions but is not working.
>>>>     http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>>
>>>>     In this same email Sarah mentions:
>>>>
>>>>     The 2008 committees worked, for the most part, independently of each other.
>>>>     This often created duplicate or even conflicting efforts leading to frustration.
>>>>
>>>>     Results now: I'm the only committee, called the Project Task
>>>>     Force. Maybe that's why no one wants to create any more committees.
>>>>
>>>>     Projects are global. They promote OWASP at a global level. What
>>>>     is OWASP known for? For its chapters? Its conferences? I
>>>>     strongly believe OWASP is known for its projects: Code Review,
>>>>     Testing Guide, the Cheat Sheets, ASVS, ZAP... Many references
>>>>     in major publications refer to the OWASP Top Ten and respect them
>>>>     because of its projects. PCI and major vendors use them as
>>>>     reference and guidelines.
>>>>
>>>>     What I would like to see is a better schema for them to get more
>>>>     awareness, especially people doing great things who because of
>>>>     lack of funds cannot promote their projects. Chapters are rich,
>>>>     projects are poor. That is in my opinion a huge imbalance.
>>>>
>>>>     The limit of USD 2,000 for supporting a project leader a year
>>>>     is for most leaders not enough. If a leader outside the US or EU is
>>>>     invited to Black Hat, that amount is not enough to cover his
>>>>     traveling expenses.  And that's the maximum he can have in a
>>>>     year after filling in forms and going through some
>>>>     back-and-forth emails with the staff...
>>>>
>>>>       * Should we scrap projects and focus on being a dedicated
>>>>         conference organisation?... That's what I see is happening,
>>>>         whether consciously or not.
>>>>       * Should we scrap conferences and focus on gathering those funds
>>>>         to create a better platform for projects and become the
>>>>         next Apache Foundation?
>>>>       * Should we use crowdsourcing for gathering funds for projects
>>>>         through the OWASP Foundation?
>>>>
>>>>
>>>>     I would like to see a solution to this or an action.
>>>>
>>>>     Project summits = events. That's what I'm proposing: that
>>>>     summits are treated like events to generate money for projects,
>>>>     so they also have a fair way to generate money as chapters do.
>>>>     They will depend less on sponsors with commercial
>>>>     intentions (easier to avoid Logogate issues and projects with
>>>>     the intention to promote appsec companies). Also more focus on
>>>>     crowdsourcing projects. If people find it a great idea they
>>>>     will sponsor it.
>>>>
>>>>     I will ask the staff to create a survey and ask the community
>>>>     about it. This is my proposal and based on those results I hope
>>>>     and expect the board to take actions.
>>>>
>>>>     regards
>>>>
>>>>     Johanna
>>>>
>>>>
>>>>
>>>>     On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>>>     <mario.robles at owasp.org> wrote:
>>>>
>>>>         Hey Josh,
>>>>
>>>>         I could be wrong but the term Committee is commonly
>>>>         associated with "bureaucracy" even if it's not what you
>>>>         meant, at least it was the first thing on top of my head,
>>>>         I'm sure if you change the word Committee to something like
>>>>         "Action Team" it would be better accepted
>>>>
>>>>         Just my point view,
>>>>
>>>>         Mario
>>>>
>>>>
>>>>
>>>>
>>>>         On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>>
>>>>>             I think we need to create Project Summits in the form
>>>>>             of events with the whole purpose to gather funds for
>>>>>             projects
>>>>>
>>>>>
>>>>>         Please forgive my ignorance.  How does a Project Summit
>>>>>         generate funds for project? Every Project Summit that we
>>>>>         have had to date has cost the Foundation money, hasn't
>>>>>         it?  Can you please elaborate?
>>>>>
>>>>>             Look, Denver chapter has around 50K in their bucket.
>>>>>             The richest Project is ZAP with 10k... but thats is
>>>>>             the exception. Even worse when you look at chapters
>>>>>             outside US or EU, mine has only USD40 dollars. Most
>>>>>             projects have Zero Dollars.
>>>>>
>>>>>
>>>>>         I'm not sure I understand the fixation on what other
>>>>>         chapters have in their bucket.  They have these funds
>>>>>         because they worked hard to obtain them.  In the case of
>>>>>         Denver, they ran last year's AppSecUSA Conference.  Just
>>>>>         because they have money in their account, it doesn't mean
>>>>>         that you aren't able to do things with the $40 you have in
>>>>>         your account.  It just means that they have to use their
>>>>>         account funds first before being able to use money from
>>>>>         the Foundation pool while you would need to request funds
>>>>>         from that pool for anything over $40.  Any sort of
>>>>>         reallocation just moves the "ring fenced funds" issue to
>>>>>         another account.  The model of chapters and projects
>>>>>         having accounts is not what's broken here.  It's the model
>>>>>         of chapters and projects saving their funds instead of
>>>>>         spending them.  This is why I voted "no" on the Summer of
>>>>>         Code initiative.  It was giving money to those who already
>>>>>         had it and not forcing them to spend their funds first. 
>>>>>         In any case, I'm not sure I understand why the amount of
>>>>>         money Denver has in their account has any impact on any
>>>>>         other chapter or project other than themselves.  We have
>>>>>         tens of thousands of dollars allocated by the Foundation
>>>>>         to project and chapters on an annual basis, much of which
>>>>>         goes completely unused.  There is money available at OWASP
>>>>>         for those who need it and I have yet to hear of a
>>>>>         situation where someone was told otherwise.
>>>>>
>>>>>             Yes, but how do they know where to go? That's why the
>>>>>             survey. The survey is the compass. And the leaders are
>>>>>             elected to listen to the community.
>>>>>
>>>>>
>>>>>         I agree with this notion. The OWASP Board should act in
>>>>>         accordance with the desires of the community and should be
>>>>>         doing frequent checks to confirm that initiatives are aligned.
>>>>>
>>>>>             So the committee concept in theory seemed like a great
>>>>>             idea but in practice is not working because in my
>>>>>             eyes, creating a committee is creating a mini board
>>>>>             inside OWASP.
>>>>>
>>>>>
>>>>>         To be honest, I have been surprised by the lack of desire
>>>>>         to participate in OWASP Committees.  The community has
>>>>>         said that they want empowerment and the goal of the
>>>>>         committees was to do that.  But, now that it's there,
>>>>>         nobody wants it?  Your example with John Lita follows the
>>>>>         Committees 2.0 process almost verbatim.  The only
>>>>>         difference is that it provides scoping to ensure that we
>>>>>         don't have competing, or even worse, conflicting
>>>>>         initiatives and it specifies that the individuals involved
>>>>>         need to work within that scope. Without it, you have a
>>>>>         loosely knit group of people running around with their own
>>>>>         individual initiatives.  At that level, OWASP is just a
>>>>>         funding source for experimentation, not a Foundation. 
>>>>>         There is no accountability, but the liability on the
>>>>>         Foundation is still there.  Legally, we can't just have
>>>>>         people running around spending money without any form of
>>>>>         guidance.
>>>>>
>>>>>             Allow me, and let the staff know that they should
>>>>>             support me and any other volunteers seeking to
>>>>>             implement their ideas ;-).
>>>>>             Let's cut the red tape with committees and let people
>>>>>             know that if they want to do something,
>>>>>
>>>>>               * Contact the staff.
>>>>>               * Set a survey and gather support
>>>>>               * Need more money? Set a crowd funding project @
>>>>>                 https://www.kickstarter.com under OWASP
>>>>>               * Volunteers implement idea or project with the
>>>>>                 support of owasp staff and other volunteers
>>>>>
>>>>>         I'm not sure how this is that much different from a
>>>>>         Committee.  Contact the community via the mailing list and
>>>>>         gather support, scope the activities (ie. define the
>>>>>         project), Board ensures that there's no conflict, do your
>>>>>         thing. The "red tape" that you keep referring to is just a
>>>>>         process document that walks you through how to set up a
>>>>>         committee.  After that's done, the idea was to empower you
>>>>>         to act within the defined scope without going to the
>>>>>         Board.  If we're talking specifically about projects,
>>>>>         which it sounds like this is geared towards, then it's
>>>>>         even easier.  Register as a project (so that staff knows
>>>>>         you exist and can support you) and do your thing.  If you
>>>>>         need money, ask for it. I'm not sure I see the problem
>>>>>         here.  I'm also not sure what you're asking for as it
>>>>>         doesn't seem that different to me than how the status quo
>>>>>         is supposed to operate.  Is it operating differently in
>>>>>         practice than it should in theory?  I don't have an OWASP
>>>>>         project and so perhaps I'm blind to the realities.  If so,
>>>>>         then the specific issues need to be addressed by bylaw
>>>>>         change, policy change, staff engagement, etc.  So far, all
>>>>>         you've said is "projects need money", which you have
>>>>>         access to, and "cut the red tape", of which I don't see
>>>>>         anything more than a step to say "Hey, I want to be a
>>>>>         project".  Please help me to understand.
>>>>>
>>>>>         ~josh
>>>>>
>>>>>         On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel
>>>>>         <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>             >I don't think there is anything preventing a project
>>>>>             from doing the same, but I haven't seen it done at
>>>>>             this point.
>>>>>
>>>>>             I think we need to create Project Summits in the form
>>>>>             of events with the whole purpose to gather funds for
>>>>>             projects. OpenSAMM has done this and I think we can
>>>>>             try that. For that we need the support of the staff:
>>>>>             Business Liaison, Event Manager, just as they put
>>>>>             their work and efforts into Events and AppSecs. Here a cut
>>>>>             share between OWASP staff time and projects can also
>>>>>             be done.
>>>>>
>>>>>              >OWASP has a project funding bucket.
>>>>>             Look, Denver chapter has around 50K in their bucket.
>>>>>             The richest Project is ZAP with 10k... but thats is
>>>>>             the exception. Even worse when you look at chapters
>>>>>             outside US or EU, mine has only USD40 dollars. Most
>>>>>             projects have Zero Dollars.
>>>>>             And the limits right now are a support but do not help
>>>>>             to get important things moving like OWASP Academy
>>>>>             portal, Leaders like Azzedine assist and show case his
>>>>>             chapter or project or other more complex initiatives.
>>>>>             Or major improvements or promotions to their projects.
>>>>>
>>>>>             >Remember that the Board is just a handful of
>>>>>             leaders who were elected to set the compass.
>>>>>             Yes, but how do they know where to go? That's why the
>>>>>             survey. The survey is the compass. And the leaders are
>>>>>             elected to listen to the community.
>>>>>
>>>>>             And about committees...
>>>>>             The only existing active committee right now is the
>>>>>             Project Review (which I still call myself a
>>>>>             task force). I haven't seen many initiatives or
>>>>>             participation from other committees. So the committee
>>>>>             concept in theory seemed like a great idea but in
>>>>>             practice is not working because, in my eyes, creating a
>>>>>             committee is creating a mini board inside OWASP. We do
>>>>>             not want to create oligarchies in the end.
>>>>>
>>>>>             I think we should cut off that committee idea and be
>>>>>             more practical. More like this
>>>>>
>>>>>               Example:
>>>>>
>>>>>               * John Lita wants to create an academy portal, but
>>>>>                 developing it costs money and resources that
>>>>>                 volunteers alone cannot easily pull off (the owaspa
>>>>>                 project was the same and died, just like many
>>>>>                 educational initiatives)
>>>>>               * John must create a proposal with defined goals and
>>>>>                 how to reach them. He joins other volunteers in
>>>>>                 this effort. No need to be a committee.
>>>>>               * John & Claudia create a survey and seek support
>>>>>                 of the community
>>>>>               * If the idea has major feedback and volunteers,
>>>>>                 then John has the support from the staff to
>>>>>                 execute, including looking for sponsors using
>>>>>                 crowdsource funding portals
>>>>>               * Staff monitors development and results of the
>>>>>                 actions taken
>>>>>               * Staff reports results back to the community
>>>>>
>>>>>             This is in my eyes how I have been working in the end,
>>>>>             because, as volunteers, available time mostly depends
>>>>>             on one or 2 passionate individuals like John-Lita,
>>>>>             who are more dedicated, and the rest follow...
>>>>>
>>>>>             Now if we want to change things, don't tell me to set up
>>>>>             a committee, because, Josh, this has not worked so far.
>>>>>
>>>>>             Allow me, and let the staff know that they should
>>>>>             support me and any other volunteers seeking to
>>>>>             implement their ideas ;-).
>>>>>             Let's cut the red tape with committees and let people
>>>>>             know that if they want to do something,
>>>>>
>>>>>               * Contact the staff.
>>>>>               * Set a survey and gather support
>>>>>               * Need more money? Set a crowd funding project @
>>>>>                 https://www.kickstarter.com under OWASP
>>>>>               * Volunteers implement idea or project with the
>>>>>                 support of owasp staff and other volunteers
>>>>>
>>>>>             How do we get this idea to action?
>>>>>             Shall we create a survey?
>>>>>             Do you need to discuss this at a board meeting?
>>>>>             How do I get empowered and let the staff know that as
>>>>>             a volunteer I have your support for this? (If I do?)
>>>>>
>>>>>             You see... how dependent I am on the board to be able
>>>>>             to execute?
>>>>>
>>>>>             Of course I can always do this on my own, but then I'd
>>>>>             better do it without OWASP...
>>>>>
>>>>>             Regards
>>>>>
>>>>>             Johanna
>>>>>
>>>>>             On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>>>             <josh.sokol at owasp.org> wrote:
>>>>>
>>>>>                 Johanna,
>>>>>
>>>>>                 Thank you for putting your thoughts out there for
>>>>>                 everyone. Silence is not good for anyone and OWASP
>>>>>                 will be far more successful if we know what our
>>>>>                 leaders are struggling with and make a conscious
>>>>>                 effort to improve it.  I think that many of your
>>>>>                 points are very valid and strongly support the
>>>>>                 idea of polls to gauge community support for
>>>>>                 actions being taken.  I also support the idea that
>>>>>                 the Board should be making as few of these
>>>>>                 decisions as possible and putting the power back
>>>>>                 in the hands of the community with support from
>>>>>                 the staff.  The Board should be the "compass"
>>>>>                 making sure that we are moving in the right
>>>>>                 direction with the community and staff being the
>>>>>                 ones actually pushing us forward. That's not to
>>>>>                 say that members of the Board won't have their own
>>>>>                 projects or initiatives, but they do so as part of
>>>>>                 the community, not because of their roles on the
>>>>>                 Board. The Committees 2.0 framework was a first
>>>>>                 step in driving this level of empowerment back to
>>>>>                 the community while maintaining accountability and
>>>>>                 providing appropriately scoped actions.  My
>>>>>                 impression was that the Projects Committee was
>>>>>                 rolling forward quite well under this guidance,
>>>>>                 but it sounds like maybe I was wrong. Are there
>>>>>                 specific actions that you have tried to take on
>>>>>                 the committee that got blocked by the Board or
>>>>>                 hung up in "red tape"? Are there needs for funding
>>>>>                 that haven't been met?
>>>>>
>>>>>                 Regarding the project vs chapter funding schemas,
>>>>>                 I'm not sure that there is a good answer. Projects
>>>>>                 are typically made up of a pocket of individuals.
>>>>>                 Typically one leader with sometimes one or two
>>>>>                 others assisting. Chapters are typically anywhere
>>>>>                 from 20 people to hundreds.  We provide members
>>>>>                 with the ability to allocate their funds to
>>>>>                 either, but most associate themselves with a
>>>>>                 chapter rather than a project because that's where
>>>>>                 they participate. We also have chapters putting on
>>>>>                 conferences with the goal of raising funds.  I
>>>>>                 don't think there is anything preventing a project
>>>>>                 from doing the same, but I haven't seen it done at
>>>>>                 this point. Those are the two main ways that I see
>>>>>                 chapters raising money.  Yes, there is certainly a
>>>>>                 difference in schemas and projects will have a
>>>>>                 more difficult time, but that's also why OWASP has
>>>>>                 a project funding bucket.  Money from these local
>>>>>                 events as well as funds raised by our AppSec
>>>>>                 conferences gets budgeted specifically for this
>>>>>                 purpose.  To my knowledge, no reasonable request
>>>>>                 for funds by projects has been denied. Just
>>>>>                 because there isn't money sitting "ring fenced" in
>>>>>                 an account for the projects, doesn't mean that
>>>>>                 there isn't money that can be spent.  It just
>>>>>                 means that it needs to be requested from the pool.
>>>>>                 Yes, it's a different model of funding, but the
>>>>>                 end result is the same. There are funds available
>>>>>                 at OWASP for everyone who needs them.
>>>>>
>>>>>                 There are obviously many things that need to be
>>>>>                 improved at OWASP and, unfortunately, the Board
>>>>>                 has been tied up in rules, events, bylaws, etc. for
>>>>>                 a while now.  It's definitely not the "fun" part
>>>>>                 of the job and it is very time consuming. That
>>>>>                 said, I would argue that these are the things that
>>>>>                 need to be changed in order for everyone else
>>>>>                 (staff, community, etc.) to be able to be better
>>>>>                 served.  We've made several changes to the Bylaws
>>>>>                 and are working on more.  We've hired an Executive
>>>>>                 Director (Paul), an Event Manager (Laura), a
>>>>>                 Community Manager (Noreen), and a Project
>>>>>                 Coordinator (Claudia) just in the almost two years
>>>>>                 that I've been on the Board. The needle on the
>>>>>                 compass is set and, while it takes some time to
>>>>>                 right the ship, we are getting there by giving our
>>>>>                 community the support it requires to be
>>>>>                 successful. So, here's my general thought:
>>>>>
>>>>>                 1) If it's within the scope of a defined
>>>>>                 Committee, JUST DO IT!
>>>>>
>>>>>                 2) If there's no Committee defined for it, CREATE
>>>>>                 ONE, then JUST DO IT!
>>>>>
>>>>>                 3) If a Committee doesn't make sense, ASK THE
>>>>>                 STAFF FOR IT!
>>>>>
>>>>>                 4) If asking the staff isn't working or we need to
>>>>>                 change a policy to make it happen, LET THE BOARD KNOW!
>>>>>
>>>>>                 The Board should be the last resort, in my
>>>>>                 opinion, not the first.  We should be the enabler,
>>>>>                 not the bottleneck.  I think that our leaders make
>>>>>                 too many assumptions (probably based on past Board
>>>>>                 actions) about what needs to go to the Board and
>>>>>                 we need to get away from that. Remember that the
>>>>>                 Board is just a handful of leaders who were
>>>>>                 elected to set the compass.  We have a finite
>>>>>                 number of things that we can handle and our Board
>>>>>                 meetings are typically overflowing with topics.
>>>>>                 So, if something is bothering you, I would
>>>>>                 encourage you to change it. That's why, with the
>>>>>                 David Rook situation, I encouraged creation of a
>>>>>                 new Committee to determine a reasonable solution. 
>>>>>                 If it requires a policy change by the Board, then
>>>>>                 we can vote on that, but asking the Board to take
>>>>>                 action just perpetuates the oligarchy that you
>>>>>                 mention in your e-mail. Instead of pushing these
>>>>>                 issues up to the Board for action, let's have the
>>>>>                 community DECIDE what they want and have the Board
>>>>>                 change the compass needle via bylaws, policies,
>>>>>                 and staff discussions, accordingly. At least,
>>>>>                 that's my vision for OWASP.  Is that something
>>>>>                 that you can get on board with?
>>>>>
>>>>>                 ~josh
>>>>>
>>>>>                 On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel
>>>>>                 curiel <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>                     Members of the board,
>>>>>
>>>>>                     With the recent issue regarding David Rook,
>>>>>                     and my latest experience with red-tape, I'm
>>>>>                     proposing the following.
>>>>>
>>>>>                     My goal is to call your attention to these
>>>>>                     issues which I have been observing for years
>>>>>                     and not as a critique of your work, but I
>>>>>                     think if you do not pay attention to these
>>>>>                     issues and DO something about them, OWASP will
>>>>>                     lose valuable community participation.
>>>>>
>>>>>                       * When an initiative is proposed or launched
>>>>>                         by a member of the board, this should be
>>>>>                         followed up by a survey where the
>>>>>                         community can vote. Whether it is a rule or
>>>>>                         money, these decisions should be taken
>>>>>                         based on collected data and proper
>>>>>                         substantiation to avoid oligarchy.
>>>>>                       * When an initiative is launched by a member
>>>>>                         of the community, especially when this
>>>>>                         initiative costs more than 10k, it should
>>>>>                         be substantiated with data on how this
>>>>>                         initiative will benefit the community.
>>>>>                         It should also be followed by a survey.
>>>>>                       * Staff should help create the survey and
>>>>>                         analyse the votes.
>>>>>                       * *In other words: do more surveys to find
>>>>>                         out what the community needs and wants.*
>>>>>
>>>>>                     My observations and where I think you need to
>>>>>                     give more attention:
>>>>>
>>>>>                       * Board/Executive director should work
>>>>>                         closer with the staff for guidance and
>>>>>                         empowering their role. I have the feeling
>>>>>                         that the staff is paralysed waiting for
>>>>>                         instructions or following strict rules.
>>>>>                         The staff should be motivated to take
>>>>>                         initiative and implement projects on their
>>>>>                         own that can help the community. They
>>>>>                         should not be too dependent on an
>>>>>                         Executive director or member of the board
>>>>>                         for this part
>>>>>
>>>>>                     As I see it, OWASP is known for its Project &
>>>>>                     Chapter leaders who, as volunteers, have
>>>>>                     contributed the most to put OWASP in the
>>>>>                     spotlight. Therefore:
>>>>>
>>>>>                       * You should determine and implement better
>>>>>                         ways to provide better funding schemas
>>>>>                         for projects. This is something a
>>>>>                         volunteer cannot do. And /nothing/ has
>>>>>                         been done to help solve this issue.
>>>>>                       * There is an unfair inequality in the way
>>>>>                         chapters can generate funds vs. Projects.
>>>>>                       * Money is locked down in the chapters' budgets.
>>>>>                       * Chapters outside the US & EU have more
>>>>>                         struggles to find support. You should
>>>>>                         consider a way to better support these
>>>>>                         ones since their countries are not as
>>>>>                         developed in the area of security as
>>>>>                         countries in the EU and US.
>>>>>                       * Follow up: when issues like David Rook or
>>>>>                         a volunteer rants (like me or others) out
>>>>>                         of frustration, take action. Put it on the
>>>>>                         agenda and try to discuss and solve the
>>>>>                         issues to improve the actual problems. So
>>>>>                         far I have seen very little follow up on
>>>>>                         major issues and discussions raised in the
>>>>>                         mailing lists.
>>>>>                       * Way too much attention to rules, /events/
>>>>>                         and bylaws etc. Time to take action, take
>>>>>                         decisions and propose plans for
>>>>>                         improvements of the actual situation
>>>>>                         mentioned above.
>>>>>
>>>>>                     That being said, and with all due respect to
>>>>>                     you, I hope that you can take actions and
>>>>>                     /execute/ improvements that have been an issue
>>>>>                     since I joined OWASP 3 years ago.
>>>>>
>>>>>
>>>>>                     Regards
>>>>>
>>>>>
>>>>>                     Johanna
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>                     Governance mailing list
>>>>>                     Governance at lists.owasp.org
>>>>>                     https://lists.owasp.org/mailman/listinfo/governance
>>>>>
>>>>>         _______________________________________________
>>>>>         OWASP-Leaders mailing list
>>>>>         OWASP-Leaders at lists.owasp.org
>>>>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "OWASP Projects Task Force" group.
>>> To unsubscribe from this group and stop receiving emails from it, 
>>> send an email to projects-task-force+unsubscribe at owasp.org 
>>> <mailto:projects-task-force+unsubscribe at owasp.org>.
>>> To post to this group, send email to projects-task-force at owasp.org 
>>> <mailto:projects-task-force at owasp.org>.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/0C3F284E-30CD-4D92-BE9A-29879EA25FF6%40owasp.org.
>>
>> -- 
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
