[Governance] [Owasp-board] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Jim Manico jim.manico at owasp.org
Tue Aug 18 18:55:29 UTC 2015


Sorry all, I changed my mind mid email and meant to delete this.

I support following the bylaws and triggered a vote. I personally am 
voting "no" to remove Fabio.

Aloha,
Jim


On 8/18/15 8:35 AM, Jim Manico wrote:
> Josh,
>
> First of all I have good attendance and my comments are not for 
> personal benefit.
>
> Since the board is globally distributed, I think we should be more 
> forgiving. To penalize a board member because they missed two meetings 
> that were held at Midnight is not at all reasonable to me. I'm all 
> about fiduciary duty and commitment and all that - but I'm also about 
> sleep and Maslow's hierarchy of needs. I consider sleeping to be a 
> Physiological need, the more core need from Maslow. I place attending 
> OWASP Board meetings at the "Self actualization" portions of Maslow's 
> hierarchy. So while
>
> - Jim
>
> On 8/18/15 8:22 AM, Josh Sokol wrote:
>> I agree 100% Eoin.  The rule is there for a reason. Voting to change 
>> it is one thing, but that change cannot be applied retroactively to 
>> the present situation.  The Bylaws are very clear in that this should 
>> trigger a Board vote to determine whether they should be removed.  I 
>> am absolutely pushing for that vote to happen, regardless of whether 
>> it actually results in a removal.  If the Board wants to evaluate a 
>> change to the Bylaws at a later date, then so be it, but I will not 
>> support it.  The Board is a commitment. When you run, you are doing 
>> so knowing that meetings will not always happen when convenient and 
>> that you are expected to attend 75% of them.  There are certainly 
>> extenuating circumstances where a case could be made here, but I 
>> don't think I've heard any thus far.
>>
>> ~josh
>>
>> On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org 
>> <mailto:eoin.keary at owasp.org>> wrote:
>>
>>     Sorry I have to write this email....but...
>>
>>     I hope you don't change the rules just because certain members
>>     have not complied with them....
>>
>>     I was forwarded some emails regarding board attendance today
>>     which appear that the 75% rule of board meeting attendance is now
>>     going to be changed because some folks on the board have issue
>>     with it.
>>
>>     This is like turkeys voting for Christmas.
>>
>>     I respectfully hope the board abides by its own guidelines; if
>>     not, I have great issue with the Foundation's governance.
>>
>>     Respect, for the good guys in OWASP.
>>
>>
>>     Eoin Keary
>>     OWASP Volunteer
>>     @eoinkeary
>>
>>
>>
>>     On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>>     Johanna,
>>>
>>>         As far as I remember, the idea was proposed to the board by
>>>         you and the board took the decision to implement Committee
>>>         2.0. I believe this was done with all good intentions but is
>>>         not working.
>>>
>>>
>>>     Actually, I would argue that even though there's only a single
>>>     committee right now, it is working exactly as intended.  The
>>>     truth is that OWASP's leadership sits somewhere in-between an
>>>     Oligarchy (as you describe it) and an Anarchy.  We're currently
>>>     somewhere between Democracy and Ochlocracy depending on the
>>>     topic if you really want to get technical.  In any case, what
>>>     you need to realize is that somebody needs to have the power to
>>>     make decisions or decisions will never get made and we veer into
>>>     Anarchy. What Committees 2.0 did is specify that decision making
>>>     power starts with the Board as they have the fiduciary
>>>     responsibility for the OWASP Foundation in all legal sense. 
>>>     What it also did is allow any of our leaders to carve out a
>>>     piece of that power that they are passionate about and run with
>>>     it, just as you did with projects.  I really thought that we
>>>     would see some other committees pop up similar to what we had
>>>     before in other core areas of OWASP like Governance or Chapters,
>>>     but the fact that there isn't just tells me that as of yet, no
>>>     leader is passionate enough about it to carve out that power. 
>>>     Maybe it's because of time commitments or because of some
>>>     perceived "red tape" or even (I hope) because most people think
>>>     the Board is doing an OK job making decisions, but the fact is
>>>     that the ability is there and you are an example of it being
>>>     used.  So, as I said, the system is working.  Where there is a
>>>     void in the community wanting to take the power to make
>>>     decisions, the Board fills that void. In other words, if the
>>>     community really thinks that they can do something better than
>>>     the Board, they can form a Committee (or "Action Team" or
>>>     "Initiative" or whatever they want to call it), and do it.
>>>
>>>         Projects are global. They promote OWASP at a global level.
>>>         What is OWASP known for? For its chapters? Its conferences?
>>>         I strongly believe OWASP is known for its projects: Code
>>>         Review, Testing Guide, the Cheat Sheets, ASVS, ZAP... Many
>>>         references in major publications refer to the OWASP Top Ten and
>>>         respect them because of its projects. PCI and major vendors
>>>         use them as reference and guidelines.
>>>
>>>
>>>     There is no doubt in my mind that Projects are important for
>>>     OWASP.  They spread our mission in places where even our
>>>     Chapters cannot go.  But, if you want to talk about where most
>>>     people interface with OWASP, it's not projects, it's Chapters. 
>>>     You won't find a reference in a major publication to the OWASP
>>>     Austin Chapter, for example, but we held a CryptoParty in
>>>     January and invited members of our community, the media, etc to
>>>     participate because we wanted to educate others on the
>>>     importance of privacy.  You're passionate about OWASP Projects,
>>>     I get that, and I love it.  I'm passionate about OWASP
>>>     Chapters.  Neither should be trivialized as they both play a
>>>     very important role within OWASP.
>>>
>>>         What I would like to see is a better schema for them to get more
>>>         awareness, especially people doing great things who, because
>>>         of lack of funds, cannot promote their projects. Chapters are
>>>         rich, projects are poor. That is in my opinion a huge
>>>         imbalance.
>>>
>>>
>>>     We have many chapters with small bank accounts, some even
>>>     negative, and a few with quite large accounts.  Total it all up
>>>     and it's a pretty decent sum of money. But, what you're arguing
>>>     for here is effectively Socialism.  You're saying that it
>>>     doesn't matter that the OWASP chapter in Denver busted their ass
>>>     (it is over a year's worth of effort by a team of people) to put
>>>     on last year's AppSecUSA Conference.  It doesn't matter that it
>>>     can cost a chapter hundreds if not thousands of dollars to rent
>>>     meeting space, bring in food, fly in speakers, etc.  You only
>>>     see that they have money, you do not, and you want it.  Not
>>>     because you have a plan to spend it either, because if you did
>>>     you could simply ask the Foundation for it, but because it is
>>>     perceived as being disproportionate.  There is no payoff for
>>>     OWASP's mission if we rob from the rich, give to the poor, and
>>>     at the end of the day still just have money sitting in a savings
>>>     account.  This highlights the underlying issue here.  The issue
>>>     is not that Chapters or Projects HAVE money.  The issue is that
>>>     they have money and are NOT SPENDING IT to further the OWASP
>>>     Mission. Thus, the approach to fix this issue (and I agree that
>>>     it's an issue) shouldn't be to take away their money, it should
>>>     be to get them to spend it.
>>>
>>>         The limit of USD 2,000 for supporting a project leader a
>>>         year is for most leaders not enough. If a leader outside the US
>>>         or EU is invited to Black Hat, that amount is not enough to
>>>         cover his traveling expenses. And that's the maximum he can
>>>         have in a year after filling in forms and going through some
>>>         back-and-forth emails with the staff...
>>>
>>>
>>>     Ahhhhh, finally we get to the root of the issue.  The issue
>>>     isn't that money isn't available, because, frankly, we had a
>>>     significant amount of money budgeted last year that wasn't
>>>     used.  The issue is that there is a cap on what any one project
>>>     leader can request/spend.  My personal opinion here is that this
>>>     $2k cap should be treated as a guideline, not a rule.  It is
>>>     likely in place to prevent abuse by having a significant amount
>>>     of money from the pool go to any one individual.  But, that cap
>>>     certainly should not prevent the OWASP Foundation from investing
>>>     in the projects, and people behind the projects, to make them
>>>     better.  The Board entrusts Paul, as Executive Director, and the
>>>     OWASP staff to handle the day-to-day operations of the OWASP
>>>     Foundation.  Part of their job is to review these types of
>>>     requests in order to determine whether they make sense and there
>>>     are funds available.  That said, if you get to a point where you
>>>     feel that they are being unreasonable, the Board can certainly
>>>     step in and try to determine if an exception should be made. 
>>>     So, net-net, maybe that $2k cap is too low.  Should we raise
>>>     it?  If so, what should it be?  What amount would be reasonable
>>>     for any one individual to consume from that shared pool of
>>>     funds?  Guidelines can be changed.  Guidelines can even be
>>>     overruled for the right reasons.  This is a relatively minor
>>>     issue that it sounds like should be re-evaluated given rising
>>>     costs, bigger budget pools, unused funds, etc.  Can you please
>>>     come up with a reasonable proposal here and I will take that to
>>>     the Board for approval to change this guideline?
>>>
>>>         Should we scrap projects and focus on being a dedicated
>>>         conference organisation? That's what I see happening,
>>>         whether consciously or not.
>>>
>>>
>>>     Your perception is VERY far from the truth. I've spent the past
>>>     8.5 years working with the OWASP Austin chapter and I've seen it
>>>     grow from literally 3 people in a monthly meeting to around 70. 
>>>     You, yourself, even said that OWASP is being referenced in major
>>>     publications and our tools are being used around the globe. 
>>>     That said, keep in mind that the OWASP mission is one of
>>>     education, and conferences address that mission directly.  They
>>>     are also the main fundraiser that helps to make sure that our
>>>     chapters and projects have the money that they need in order to
>>>     be successful.
>>>
>>>         Should we scrap conferences and focus on gathering those funds
>>>         to create better platforms for projects and become the
>>>         next Apache Foundation?
>>>
>>>
>>>     Where do you think those funds would come from?  By far, the
>>>     majority of OWASP's annual revenue comes from AppSecUSA and
>>>     AppSecEU.  To be frank, OWASP would be VERY different if it
>>>     weren't for our conferences.
>>>
>>>         Should we use crowdsourcing to gather funds for projects
>>>         through the OWASP Foundation?
>>>
>>>
>>>     This is not a mutually exclusive solution.  Yes, absolutely, use
>>>     crowdfunding to gather funds for projects.  Please prove out
>>>     this model of bringing another revenue source to OWASP.  I would
>>>     imagine that this is a way that projects would be able to get
>>>     funds that a chapter never could.
>>>
>>>         Project summits = events. That's what I'm proposing: that
>>>         summits are treated like events to generate money for
>>>         projects, so they also have a fair way to generate money, as
>>>         chapters do. They will depend less on sponsors with
>>>         commercial intentions.
>>>
>>>
>>>     OK, but every project summit that we have had thus far has cost
>>>     OWASP money, not made it.  Speaking as the former Co-Chair of
>>>     LASCON and AppSecUSA, I can tell you that these types of events
>>>     are a lot of work and that it is difficult to attract attendees.
>>>     Attendees actually barely end up covering their own costs (food,
>>>     schwag, etc). Sponsors and trainings are usually the ones who
>>>     generate the profit for these events. So, let's say you do a
>>>     project summit.  How would you intend to attract attendees who
>>>     are willing to pay for the content?  If not, how would you
>>>     intend to attract sponsors whose sole purpose in being there is
>>>     to sell product to the attendees?  Especially if you don't want
>>>     sponsors with commercial intentions.  You would be lucky if you
>>>     get enough sponsors to cover costs.  Or, in the situation of
>>>     every past project summit that we've had, the Foundation ends up
>>>     covering the difference.  I'm not saying that you shouldn't try
>>>     to prove out this model.  I'm saying that it hasn't been proven
>>>     to date. Also, it's a bit naive to say that chapters leveraging
>>>     their members and holding a conference isn't "fair".  We should
>>>     be encouraging as many endeavors as we can at OWASP that spread
>>>     our mission.  Even more so if they generate additional revenue
>>>     because that helps to further our mission even more after the
>>>     conference is over.  Nothing is stopping a project from having a
>>>     conference.  This isn't a matter of "fair" or "unfair".  It's a
>>>     matter of a team of people putting in the effort and making it
>>>     happen.  Please don't trivialize those efforts.
>>>
>>>         Also more focus on crowdsourcing projects. If people find
>>>         it a great idea, they will sponsor it.
>>>
>>>
>>>     As I said above, I think this is a great idea.  Let's do it!
>>>
>>>         I will ask the staff to create a survey and ask the
>>>         community about it. This is my proposal, and based on those
>>>         results I hope and expect the board to take action.
>>>
>>>
>>>     Ask the staff to create a survey?  Why not make the survey
>>>     yourself?  What exactly are we surveying and why?  The only
>>>     thing that I think you've identified as an actual issue
>>>     preventing projects from operating efficiently is a cap on the
>>>     amount of funding available.  That doesn't require a survey to
>>>     get changed, just a plan and an approval.  I can't guarantee
>>>     support or action as it depends on the varying opinions of 7
>>>     unique individuals, but the Board would certainly evaluate any
>>>     proposal that is put on the table.
>>>
>>>     ~josh
>>>
>>>     On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel
>>>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>         Josh,
>>>
>>>         As far as I remember, the idea was proposed to the board by
>>>         you and the board took the decision to implement Committee
>>>         2.0. I believe this was done with all good intentions but is
>>>         not working.
>>>         http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>
>>>         In this same email Sarah mentions:
>>>
>>>         The 2008 committees worked, for the most part, independently of each other.
>>>         This often created duplicate or even conflicting efforts leading to frustration.
>>>
>>>         Results now: I'm the only committee, called the Project Task
>>>         Force. Maybe that's why no one wants to create any more committees.
>>>
>>>         Projects are global. They promote OWASP at a global level.
>>>         What is OWASP known for? For its chapters? Its conferences?
>>>         I strongly believe OWASP is known for its projects: Code
>>>         Review, Testing Guide, the Cheat Sheets, ASVS, ZAP... Many
>>>         references in major publications refer to the OWASP Top Ten and
>>>         respect them because of its projects. PCI and major vendors
>>>         use them as reference and guidelines.
>>>
>>>         What I would like to see is a better schema for them to get more
>>>         awareness, especially people doing great things who, because
>>>         of lack of funds, cannot promote their projects. Chapters are
>>>         rich, projects are poor. That is in my opinion a huge
>>>         imbalance.
>>>
>>>         The limit of USD 2,000 for supporting a project leader a
>>>         year is for most leaders not enough. If a leader outside the US
>>>         or EU is invited to Black Hat, that amount is not enough to
>>>         cover his traveling expenses. And that's the maximum he can
>>>         have in a year after filling in forms and going through some
>>>         back-and-forth emails with the staff...
>>>
>>>           * Should we scrap projects and focus on being a dedicated
>>>             conference organisation? That's what I see
>>>             happening, whether consciously or not.
>>>           * Should we scrap conferences and focus on gathering those
>>>             funds to create better platforms for projects and
>>>             become the next Apache Foundation?
>>>           * Should we use crowdsourcing to gather funds for
>>>             projects through the OWASP Foundation?
>>>
>>>
>>>         I would like to see a solution to this or an action.
>>>
>>>         Project summits = events. That's what I'm proposing: that
>>>         summits are treated like events to generate money for
>>>         projects, so they also have a fair way to generate money, as
>>>         chapters do. They will depend less on sponsors with
>>>         commercial intentions (easier to avoid Logogate issues and
>>>         projects with the intention to promote appsec companies).
>>>         Also more focus on crowdsourcing projects. If people find
>>>         it a great idea, they will sponsor it.
>>>
>>>         I will ask the staff to create a survey and ask the
>>>         community about it. This is my proposal, and based on those
>>>         results I hope and expect the board to take action.
>>>
>>>         regards
>>>
>>>         Johanna
>>>
>>>
>>>
>>>         On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>>         <mario.robles at owasp.org> wrote:
>>>
>>>             Hey Josh,
>>>
>>>             I could be wrong, but the term Committee is commonly
>>>             associated with "bureaucracy". Even if it's not what you
>>>             meant, at least it was the first thing on top of my
>>>             head. I'm sure if you change the word Committee to
>>>             something like "Action Team" it would be better accepted.
>>>
>>>             Just my point of view,
>>>
>>>             Mario
>>>
>>>
>>>
>>>             On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>
>>>>                 I think we need to create Project Summits in the
>>>>                 form of events with the whole purpose to gather
>>>>                 funds for projects
>>>>
>>>>
>>>>             Please forgive my ignorance. How does a Project Summit
>>>>             generate funds for project? Every Project Summit that
>>>>             we have had to date has cost the Foundation money,
>>>>             hasn't it?  Can you please elaborate?
>>>>
>>>>                 Look, Denver chapter has around 50K in their
>>>>                 bucket. The richest Project is ZAP with 10k... but
>>>>                 that's the exception. Even worse when you look at
>>>>                 chapters outside the US or EU: mine has only USD 40.
>>>>                 Most projects have zero dollars.
>>>>
>>>>
>>>>             I'm not sure I understand the fixation on what other
>>>>             chapters have in their bucket.  They have these funds
>>>>             because they worked hard to obtain them.  In the case
>>>>             of Denver, they ran last year's AppSecUSA Conference. 
>>>>             Just because they have money in their account, it
>>>>             doesn't mean that you aren't able to do things with the
>>>>             $40 you have in your account.  It just means that they
>>>>             have to use their account funds first before being able
>>>>             to use money from the Foundation pool while you would
>>>>             need to request funds from that pool for anything over
>>>>             $40.  Any sort of reallocation just moves the "ring
>>>>             fenced funds" issue to another account.  The model of
>>>>             chapters and projects having accounts is not what's
>>>>             broken here.  It's the model of chapters and projects
>>>>             saving their funds instead of spending them. This is
>>>>             why I voted "no" on the Summer of Code initiative.  It
>>>>             was giving money to those who already had it and not
>>>>             forcing them to spend their funds first.  In any case,
>>>>             I'm not sure I understand why the amount of money
>>>>             Denver has in their account has any impact on any other
>>>>             chapter or project other than themselves. We have tens
>>>>             of thousands of dollars allocated by the Foundation to
>>>>             project and chapters on an annual basis, much of which
>>>>             goes completely unused.  There is money available at
>>>>             OWASP for those who need it and I have yet to hear of a
>>>>             situation where someone was told otherwise.
>>>>
>>>>                 Yes, but how do they know where to go? That's why
>>>>                 the survey. The survey is the compass. And the
>>>>                 leaders are elected to listen to the community.
>>>>
>>>>
>>>>             I agree with this notion.  The OWASP Board should act
>>>>             in accordance with the desires of the community and
>>>>             should be doing frequent checks to confirm that
>>>>             initiatives are aligned.
>>>>
>>>>                 So the committee concept in theory seemed like a
>>>>                 great idea but in practice is not working because
>>>>                 in my eyes, creating a committee is creating a mini
>>>>                 board inside OWASP.
>>>>
>>>>
>>>>             To be honest, I have been surprised by the lack of
>>>>             desire to participate in OWASP Committees.  The
>>>>             community has said that they want empowerment and the
>>>>             goal of the committees was to do that.  But, now that
>>>>             it's there, nobody wants it?  Your example with John
>>>>             Lita follows the Committees 2.0 process almost
>>>>             verbatim.  The only difference is that it provides
>>>>             scoping to ensure that we don't have competing, or even
>>>>             worse, conflicting initiatives and it specifies that
>>>>             the individuals involved need to work within that
>>>>             scope.  Without it, you have a loosely knit group of
>>>>             people running around with their own individual
>>>>             initiatives.  At that level, OWASP is just a funding
>>>>             source for experimentation, not a Foundation.  There is
>>>>             no accountability, but the liability on the Foundation
>>>>             is still there.  Legally, we can't just have people
>>>>             running around spending money without any form of
>>>>             guidance.
>>>>
>>>>                 Allow me, and let the staff know that they should
>>>>                 support me and any other volunteers seeking to
>>>>                 implement their ideas ;-).
>>>>                 Let's cut the red tape with committees and let
>>>>                 people know that if they want to do something,
>>>>
>>>>                   * Contact the staff.
>>>>                   * Set a survey and gather support
>>>>                   * Need more money? Set a crowd funding project @
>>>>                     https://www.kickstarter.com under OWASP
>>>>                   * Volunteers implement idea or project with the
>>>>                     support of owasp staff and other volunteers
>>>>
>>>>             I'm not sure how this is that much different from a
>>>>             Committee.  Contact the community via the mailing list
>>>>             and gather support, scope the activities (i.e. define
>>>>             the project), Board ensures that there's no conflict,
>>>>             do your thing.  The "red tape" that you keep referring
>>>>             to is just a process document that walks you through
>>>>             how to set up a committee. After that's done, the idea
>>>>             was to empower you to act within the defined scope
>>>>             without going to the Board.  If we're talking
>>>>             specifically about projects, which it sounds like this
>>>>             is geared towards, then it's even easier. Register as a
>>>>             project (so that staff knows you exist and can support
>>>>             you) and do your thing.  If you need money, ask for
>>>>             it.  I'm not sure I see the problem here.  I'm also not
>>>>             sure what you're asking for as it doesn't seem that
>>>>             different to me than how the status quo is supposed to
>>>>             operate.  Is it operating differently in practice than
>>>>             it should in theory?  I don't have an OWASP project and
>>>>             so perhaps I'm blind to the realities.  If so, then the
>>>>             specific issues need to be addressed by bylaw change,
>>>>             policy change, staff engagement, etc.  So far, all
>>>>             you've said is "projects need money", which you have
>>>>             access to, and "cut the red tape", of which I don't see
>>>>             anything more than a step to say "Hey, I want to be a
>>>>             project".  Please help me to understand.
>>>>
>>>>             ~josh
>>>>
>>>>             On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel
>>>>             <johanna.curiel at owasp.org> wrote:
>>>>
>>>>                  >I don't think there is anything preventing a
>>>>                 project from doing the same, but I haven't seen it
>>>>                 done at this point.
>>>>
>>>>                 I think we need to create Project Summits in the
>>>>                 form of events with the whole purpose of gathering
>>>>                 funds for projects. OpenSAMM has done this and I
>>>>                 think we can try that. For that we need the support
>>>>                 of the staff Business Liaison and Event Manager, just
>>>>                 as they put their work and efforts into Events and
>>>>                 AppSecs. Here a cut share between OWASP staff time
>>>>                 and projects can also be done.
>>>>
>>>>                  >OWASP has a project funding bucket.
>>>>                 Look, Denver chapter has around 50K in their
>>>>                 bucket. The richest Project is ZAP with 10k... but
>>>>                 that's the exception. Even worse when you look at
>>>>                 chapters outside the US or EU: mine has only USD 40.
>>>>                 Most projects have zero dollars.
>>>>                 And the limits right now are a support but do not
>>>>                 help to get important things moving, like the OWASP
>>>>                 Academy portal, leaders like Azzedine assisting and
>>>>                 showcasing their chapter or project, or other more
>>>>                 complex initiatives. Or major improvements or
>>>>                 promotions of their projects.
>>>>
>>>>                 >Remember that the Board is just a handful of
>>>>                 leaders who were elected to set the compass.
>>>>                 Yes, but how do they know where to go? That's why
>>>>                 the survey. The survey is the compass. And the
>>>>                 leaders are elected to listen to the community.
>>>>
>>>>                 And About committees...
>>>>                 The only existing active committee right now is the
>>>>                 Project Review (which I still call myself a
>>>>                 taskforce). I haven't seen many initiatives or much
>>>>                 participation from other committees. So the
>>>>                 committee concept in theory seemed like a great
>>>>                 idea but in practice is not working because, in my
>>>>                 eyes, creating a committee is creating a mini board
>>>>                 inside OWASP. We do not want to create oligarchies
>>>>                 in the end.
>>>>
>>>>                 I think we should cut off that committee idea and be
>>>>                 more practical. More like this
>>>>
>>>>                   Example:
>>>>
>>>>                   * John Lita wants to create an academy portal, but
>>>>                     developing it costs money and resources that
>>>>                     volunteers alone cannot easily pull off (the owaspa
>>>>                     project was the same and died, just like many
>>>>                     educational initiatives)
>>>>                   * John must create a proposal with defined goals
>>>>                     and how to reach them. He joins other
>>>>                     volunteers in this effort. No need to be a
>>>>                     committee.
>>>>                   * John & Claudia create a survey and seek the
>>>>                     support of the community
>>>>                   * If the idea has major feedback and
>>>>                     volunteers, then John has the support from the
>>>>                     staff to execute, including looking for sponsors
>>>>                     using crowdsource funding portals
>>>>                   * Staff monitors development and results of the
>>>>                     actions taken
>>>>                   * Staff reports results back to the community
>>>>
>>>>                 This is, in my eyes, how I have been working in the
>>>>                 end, because, as volunteers, available time mostly
>>>>                 depends on one or two passionate individuals like
>>>>                 John Lita, who are more dedicated, and the rest
>>>>                 follow...
>>>>
>>>>                 Now if we want to change things, don't tell me to
>>>>                 set up a committee, because, Josh, this has not worked
>>>>                 so far.
>>>>
>>>>                 Allow me, and let the staff know that they should
>>>>                 support me and any other volunteers seeking to
>>>>                 implement their ideas ;-).
>>>>                 Let's cut the red tape with committees and let
>>>>                 people know that if they want to do something,
>>>>
>>>>                   * Contact the staff.
>>>>                   * Set a survey and gather support
>>>>                   * Need more money? Set a crowd funding project @
>>>>                     https://www.kickstarter.com under OWASP
>>>>                   * Volunteers implement idea or project with the
>>>>                     support of owasp staff and other volunteers
>>>>
>>>>                 How do we get this idea to action?
>>>>                 Shall we create a survey?
>>>>                 Do you need to discuss this in a board meeting?
>>>>                 How do I get empowered and let the staff know that
>>>>                 as a volunteer I have your support for this (if I do)?
>>>>
>>>>                 You see how dependent I am on the board to be
>>>>                 able to execute?
>>>>
>>>>                 Of course I can always do this on my own, but then
>>>>                 I'd better do it without OWASP...
>>>>
>>>>                 Regards
>>>>
>>>>                 Johanna
>>>>
>>>>                 On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>>                 <josh.sokol at owasp.org> wrote:
>>>>
>>>>                     Johanna,
>>>>
>>>>                     Thank you for putting your thoughts out there
>>>>                     for everyone. Silence is not good for anyone
>>>>                     and OWASP will be far more successful if we
>>>>                     know what our leaders are struggling with and
>>>>                     make a conscious effort to improve it.  I think
>>>>                     that many of your points are very valid and
>>>>                     strongly support the idea of polls to gauge
>>>>                     community support for actions being taken.  I
>>>>                     also support the idea that the Board should be
>>>>                     making as few of these decisions as possible
>>>>                     and putting the power back in the hands of the
>>>>                     community with support from the staff.  The
>>>>                     Board should be the "compass" making sure that
>>>>                     we are moving in the right direction with the
>>>>                     community and staff being the ones actually
>>>>                     pushing us forward. That's not to say that
>>>>                     members of the Board won't have their own
>>>>                     projects or initiatives, but they do so as part
>>>>                     of the community, not because of their roles on
>>>>                     the Board. The Committees 2.0 framework was a
>>>>                     first step in driving this level of empowerment
>>>>                     back to the community while maintaining
>>>>                     accountability and providing appropriately
>>>>                     scoped actions.  My impression was that the
>>>>                     Projects Committee was rolling forward quite
>>>>                     well under this guidance, but it sounds like
>>>>                     maybe I was wrong. Are there specific actions
>>>>                     that you have tried to take on the committee
>>>>                     that got blocked by the Board or hung up in
>>>>                     "red tape"? Are there needs for funding that
>>>>                     haven't been met?
>>>>
>>>>                     Regarding the project vs chapter funding
>>>>                     schemas, I'm not sure that there is a good
>>>>                     answer. Projects are typically made up of a
>>>>                     pocket of individuals. Typically one leader
>>>>                     with sometimes one or two others assisting.
>>>>                     Chapters are typically anywhere from 20 people
>>>>                     to hundreds.  We provide members with the
>>>>                     ability to allocate their funds to either, but
>>>>                     most associate themselves with a chapter rather
>>>>                     than a project because that's where they
>>>>                     participate. We also have chapters putting on
>>>>                     conferences with the goal of raising funds.  I
>>>>                     don't think there is anything preventing a
>>>>                     project from doing the same, but I haven't seen
>>>>                     it done at this point. Those are the two main
>>>>                     ways that I see chapters raising money.  Yes,
>>>>                     there is certainly a difference in schemas and
>>>>                     projects will have a more difficult time, but
>>>>                     that's also why OWASP has a project funding
>>>>                     bucket.  Money from these local events as well
>>>>                     as funds raised by our AppSec conferences gets
>>>>                     budgeted specifically for this purpose.  To my
>>>>                     knowledge, no reasonable request for funds by
>>>>                     projects has been denied. Just because there
>>>>                     isn't money sitting "ring fenced" in an account
>>>>                     for the projects, doesn't mean that there isn't
>>>>                     money that can be spent.  It just means that it
>>>>                     needs to be requested from the pool. Yes, it's
>>>>                     a different model of funding, but the end
>>>>                     result is the same. There are funds available
>>>>                     at OWASP for everyone who needs them.
>>>>
>>>>                     There are obviously many things that need to be
>>>>                     improved at OWASP and, unfortunately, the Board
>>>>                     has been tied up in rules, events, bylaws, etc
>>>>                     for a while now.  It's definitely not the "fun"
>>>>                     part of the job and it is very time consuming.
>>>>                     That said, I would argue that these are the
>>>>                     things that need to be changed in order for
>>>>                     everyone else (staff, community, etc) to be
>>>>                     able to be better served.  We've made several
>>>>                     changes to the Bylaws and are working on more. 
>>>>                     We've hired an Executive Director (Paul), an
>>>>                     Event Manager (Laura), a Community Manager
>>>>                     (Noreen), and a Project Coordinator (Claudia)
>>>>                     just in the almost two years that I've been on
>>>>                     the Board. The needle on the compass is set
>>>>                     and, while it takes some time to right the
>>>>                     ship, we are getting there by giving our
>>>>                     community the support it requires to be
>>>>                     successful. So, here's my general thought:
>>>>
>>>>                     1) If it's within the scope of a defined
>>>>                     Committee, JUST DO IT!
>>>>
>>>>                     2) If there's no Committee defined for it,
>>>>                     CREATE ONE, then JUST DO IT!
>>>>
>>>>                     3) If a Committee doesn't make sense, ASK THE
>>>>                     STAFF FOR IT!
>>>>
>>>>                     4) If asking the staff isn't working or we need
>>>>                     to change a policy to make it happen, LET THE
>>>>                     BOARD KNOW!
>>>>
>>>>                     The Board should be the last resort, in my
>>>>                     opinion, not the first.  We should be the
>>>>                     enabler, not the bottleneck.  I think that our
>>>>                     leaders make too many assumptions (probably
>>>>                     based on past Board actions) about what needs
>>>>                     to go to the Board and we need to get away from
>>>>                     that. Remember that the Board is just a handful
>>>>                     of leaders who were elected to set the
>>>>                     compass.  We have a finite number of things
>>>>                     that we can handle and our Board meetings are
>>>>                     typically overflowing with topics. So, if
>>>>                     something is bothering you, I would encourage
>>>>                     you to change it. That's why, with the David
>>>>                     Rook situation, I encouraged creation of a new
>>>>                     Committee to determine a reasonable solution. 
>>>>                     If it requires a policy change by the Board,
>>>>                     then we can vote on that, but asking the Board
>>>>                     to take action just perpetuates the oligarchy
>>>>                     that you mention in your e-mail. Instead of
>>>>                     pushing these issues up to the Board for
>>>>                     action, let's have the community DECIDE what
>>>>                     they want and have the Board change the compass
>>>>                     needle via bylaws, policies, and staff
>>>>                     discussions, accordingly. At least, that's my
>>>>                     vision for OWASP.  Is that something that you
>>>>                     can get on board with?
>>>>
>>>>                     ~josh
>>>>
>>>>                     On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel
>>>>                     curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>>                         Members of the board,
>>>>
>>>>                         With the recent issue regarding David Rook,
>>>>                         and my latest experience with red-tape, I'm
>>>>                         proposing the following.
>>>>
>>>>                         My goal is to call your attention to these
>>>>                         issues, which I have been observing for
>>>>                         years, and not as a critique of your work,
>>>>                         but I think if you do not pay attention to
>>>>                         these issues and DO something about them,
>>>>                         OWASP will lose valuable community
>>>>                         participation.
>>>>
>>>>                           * When an initiative is proposed or
>>>>                             launched by a member of the board, this
>>>>                             should be followed up by a survey where
>>>>                             the community can vote. Whether it is a
>>>>                             rule or money, these decisions should be
>>>>                             taken based on collected data and
>>>>                             proper substantiation to avoid oligarchy
>>>>                           * When an initiative is launched by a
>>>>                             member of the community, especially
>>>>                             when this initiative costs more than
>>>>                             10k, it should be substantiated with
>>>>                             data on how this initiative will benefit
>>>>                             the community. It should also be followed
>>>>                             by a survey
>>>>                           * Staff should help create the survey
>>>>                             and analyse the votes
>>>>                           * *In other words: do more surveys to find
>>>>                             out what the community needs and wants.*
>>>>
>>>>                         My observations and where I think you need
>>>>                         to give more attention:
>>>>
>>>>                           * Board/Executive director should work
>>>>                             closer with the staff for guidance and
>>>>                             empowering their role. I have the
>>>>                             feeling that the staff is paralysed
>>>>                             waiting for instructions or following
>>>>                             strict rules. The staff should be
>>>>                             motivated to take initiative and
>>>>                             implement projects on their own that
>>>>                             can help the community. They should not
>>>>                             be too dependent on an Executive
>>>>                             director or member of the board for
>>>>                             this part
>>>>
>>>>                         As I see it, OWASP is known for its
>>>>                         Project & Chapter leaders who, as
>>>>                         volunteers, have contributed the most to put
>>>>                         OWASP in the spotlight. Therefore:
>>>>
>>>>                           * You should determine and implement
>>>>                             better ways to provide better funding
>>>>                             schemas for projects. This is
>>>>                             something a volunteer cannot do. And
>>>>                             /nothing/ has been done to help solve
>>>>                             this issue
>>>>                           * There is an unfair inequality in the
>>>>                             way chapters can generate funds vs
>>>>                             Projects.
>>>>                           * Money is locked down in the chapters budget
>>>>                           * Chapters outside US & EU have more
>>>>                             struggles to find support. You should
>>>>                             consider a way to better support these,
>>>>                             since their countries are not as
>>>>                             developed in the area of security as
>>>>                             countries in the EU and US.
>>>>                           * Follow up: when issues like David Rook's
>>>>                             come up or a volunteer rants (like me or
>>>>                             others) out of frustration, take action.
>>>>                             Put it on the agenda and try to solve and
>>>>                             discuss the issues to improve the
>>>>                             actual problems. So far I have seen
>>>>                             very little follow up on major issues
>>>>                             and discussions raised in the mailing lists
>>>>                           * Way too much attention to rules,
>>>>                             /events/ and bylaws etc. Time to take
>>>>                             action, make decisions and propose
>>>>                             plans for improvement of the actual
>>>>                             situation mentioned above
>>>>
>>>>                         That being said, and with all due respect
>>>>                         to you, I hope that you can take action
>>>>                         and /execute/ improvements on issues that have
>>>>                         existed since I joined OWASP 3 years ago.
>>>>
>>>>
>>>>                         Regards
>>>>
>>>>
>>>>                         Johanna
>>>>
>>>>                         _______________________________________________
>>>>                         Governance mailing list
>>>>                         Governance at lists.owasp.org
>>>>                         https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>>             _______________________________________________
>>>>             OWASP-Leaders mailing list
>>>>             OWASP-Leaders at lists.owasp.org
>>>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>
> -- 
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
