[Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Aug 19 10:07:21 UTC 2015


Josh,

I remembered
http://blog.diniscruz.com/2012/04/why-owasp-cant-pay-owasp-leaders.html
this afternoon which just shows you can't reason with a junkie high on
"Meth02".


On Wed, Aug 19, 2015 at 2:01 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
>
> Just ignore Dinis as he was forced to resign in disgrace from the OWASP
> Board during the Summit he organised, one of the reasons being the cost
> blowout for which I provided references yesterday, i.e.
> http://lists.owasp.org/pipermail/governance/2015-August/000621.html
>
> Can you please add his expulsion from OWASP for the SamanthaGate incident as
> an item for the next Board Meeting?
>
>
>
>
>
>
> On Wed, Aug 19, 2015 at 1:49 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Call it what you want, Dinis, but the fact is that more money was spent
>> than what was received.  I'm not arguing that it wasn't a worthwhile
>> investment (or that it was for that matter).  What I'm saying is that we
>> have yet to find a model of project summits that actually generates funds
>> instead of costs them.  So, until that model is found, like it or not, the
>> statements in my e-mail will hold true.
>>
>> ~josh
>>
>> On Tue, Aug 18, 2015 at 5:52 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>
>>> OWASP summits did not 'cost' OWASP money; they were an investment in
>>> OWASP's community and leaders (not a cost).
>>>
>>> http://blog.diniscruz.com/2012/04/summits-must-be-part-of-owasps-dna.html
>>> Johanna,
>>>
>>>> As far as I remember, the idea was proposed to the board by you and the
>>>> board took the decision to implement Committee 2.0. I believe this was done
>>>> with all good intentions but is not working.
>>>>
>>>
>>> Actually, I would argue that even though there's only a single committee
>>> right now, it is working exactly as intended.  The truth is that OWASP's
>>> leadership sits somewhere in-between an Oligarchy (as you describe it) and
>>> an Anarchy.  We're currently somewhere between Democracy and Ochlocracy
>>> depending on the topic if you really want to get technical.  In any case,
>>> what you need to realize is that somebody needs to have the power to make
>>> decisions or decisions will never get made and we veer into Anarchy.  What
>>> Committees 2.0 did is specify that decision making power starts with the
>>> Board as they have the fiduciary responsibility for the OWASP Foundation in
>>> all legal sense.  What it also did is allow any of our leaders to carve out
>>> a piece of that power that they are passionate about and run with it, just
>>> as you did with projects.  I really thought that we would see some other
>>> committees pop up similar to what we had before in other core areas of
>>> OWASP like Governance or Chapters, but the fact that there isn't just tells
>>> me that as of yet, no leader is passionate enough about it to carve out
>>> that power.  Maybe it's because of time commitments or because of some
>>> perceived "red tape" or even (I hope) because most people think the Board
>>> is doing an OK job making decisions, but the fact is that the ability is
>>> there and you are an example of it being used.  So, as I said, the system
>>> is working.  Where there is a void in the community wanting to take the
>>> power to make decisions, the Board fills that void.  In other words, if the
>>> community really thinks that they can do something better than the Board,
>>> they can form a Committee (or "Action Team" or "Initiative" or whatever
>>> they want to call it), and do it.
>>>
>>>> Projects are global. They promote OWASP at a global level. What is OWASP
>>>> known for? For its chapters? Its conferences? I strongly believe OWASP is
>>>> known for its projects: Code Review, Testing Guide, the Cheat Sheets, ASVS,
>>>> ZAP... Many references in major publications refer to the OWASP Top Ten and
>>>> respect them because of its projects. PCI and major vendors use them as
>>>> reference and guidelines.
>>>>
>>>
>>> There is no doubt in my mind that Projects are important for OWASP.
>>> They spread our mission in places where even our Chapters cannot go.  But,
>>> if you want to talk about where most people interface with OWASP, it's not
>>> projects, it's Chapters.  You won't find a reference in a major publication
>>> to the OWASP Austin Chapter, for example, but we held a CryptoParty in
>>> January and invited members of our community, the media, etc to participate
>>> because we wanted to educate others on the importance of privacy.  You're
>>> passionate about OWASP Projects, I get that, and I love it.  I'm passionate
>>> about OWASP Chapters.  Neither should be trivialized as they both play a
>>> very important role within OWASP.
>>>
>>>> What I would like to see is a better schema for them to get more awareness,
>>>> especially for people doing great things who, because of lack of funds, cannot
>>>> promote their projects. Chapters are rich, projects are poor. That is in my
>>>> opinion a huge imbalance.
>>>>
>>>
>>> We have many chapters with small bank accounts, some even negative, and
>>> a few with quite large accounts.  Total it all up and it's a pretty decent
>>> sum of money.  But, what you're arguing for here is effectively Socialism.
>>> You're saying that it doesn't matter that the OWASP chapter in Denver
>>> busted their ass (it is over a year's worth of effort by a team of people)
>>> to put on last year's AppSecUSA Conference.  It doesn't matter that it can
>>> cost a chapter hundreds if not thousands of dollars to rent meeting space,
>>> bring in food, fly in speakers, etc.  You only see that they have money,
>>> you do not, and you want it.  Not because you have a plan to spend it
>>> either, because if you did you could simply ask the Foundation for it, but
>>> because it is perceived as being disproportionate.  There is no payoff for
>>> OWASP's mission if we rob from the rich, give to the poor, and at the end
>>> of the day still just have money sitting in a savings account.  This
>>> highlights the underlying issue here.  The issue is not that Chapters or
>>> Projects HAVE money.  The issue is that they have money and are NOT
>>> SPENDING IT to further the OWASP Mission.  Thus, the approach to fix this
>>> issue (and I agree that it's an issue) shouldn't be to take away their
>>> money, it should be to get them to spend it.
>>>
>>>> The limit of USD 2,000 for supporting a project leader a year is for
>>>> most leaders not enough. If a leader outside the US or EU is invited to
>>>> Black Hat, that amount is not enough to cover his travelling expenses. And
>>>> that's the maximum he can have in a year after filling in forms and going
>>>> through some back-and-forth emails with the staff...
>>>>
>>>
>>> Ahhhhh, finally we get to the root of the issue.  The issue isn't that
>>> money isn't available, because, frankly, we had a significant amount of
>>> money budgeted last year that wasn't used.  The issue is that there is a
>>> cap on what any one project leader can request/spend.  My personal opinion
>>> here is that this $2k cap should be treated as a guideline, not a rule.  It
>>> is likely in place to prevent abuse by having a significant amount of money
>>> from the pool go to any one individual.  But, that cap certainly should not
>>> prevent the OWASP Foundation from investing in the projects, and people
>>> behind the projects, to make them better.  The Board entrusts Paul, as
>>> Executive Director, and the OWASP staff to handle the day-to-day operations
>>> of the OWASP Foundation.  Part of their job is to review these types of
>>> requests in order to determine whether they make sense and there are funds
>>> available.  That said, if you get to a point where you feel that they are
>>> being unreasonable, the Board can certainly step in and try to determine if
>>> an exception should be made.  So, net-net, maybe that $2k cap is too low.
>>> Should we raise it?  If so, what should it be?  What amount would be
>>> reasonable for any one individual to consume from that shared pool of
>>> funds?  Guidelines can be changed.  Guidelines can even be overruled for
>>> the right reasons.  This is a relatively minor issue that it sounds like
>>> should be re-evaluated given rising costs, bigger budget pools, unused
>>> funds, etc.  Can you please come up with a reasonable proposal here and I
>>> will take that to the Board for approval to change this guideline?
>>>
>>>> Should we scrap projects and focus on being a dedicated conference
>>>> organisation? ...That's what I see is happening, whether consciously or not.
>>>>
>>>
>>> Your perception is VERY far from the truth.  I've spent the past 8.5
>>> years working with the OWASP Austin chapter and I've seen it grow from
>>> literally 3 people in a monthly meeting to around 70.  You, yourself, even
>>> said that OWASP is being referenced in major publications and our tools are
>>> being used around the globe.  That said, keep in mind that the OWASP
>>> mission is one of education, and conferences address that mission
>>> directly.  They are also the main fundraiser that helps to make sure that
>>> our chapters and projects have the money that they need in order to be
>>> successful.
>>>
>>>> Should we scrap conferences and focus on gathering those funds to create
>>>> better platforms for projects and become the next Apache foundation?
>>>>
>>>
>>> Where do you think those funds would come from?  By far, the majority of
>>> OWASP's annual revenue comes from AppSecUSA and AppSecEU.  To be frank,
>>> OWASP would be VERY different if it weren't for our conferences.
>>>
>>>> Should we use crowdsourcing for gathering funds for projects through the
>>>> OWASP foundation?
>>>>
>>>
>>> This is not a mutually exclusive solution.  Yes, absolutely, use
>>> crowdfunding to gather funds for projects.  Please prove out this model of
>>> bringing another revenue source to OWASP.  I would imagine that this is a
>>> way that projects would be able to get funds that a chapter never could.
>>>
>>>> Project summits = events. That's what I'm proposing. That Summits are
>>>> treated like events to generate money for projects so they also have a fair
>>>> way to generate money, as chapters do. They will depend less on sponsors
>>>> with commercial intentions.
>>>>
>>>
>>> OK, but every project summit that we have had thus far has cost OWASP
>>> money, not made it.  Speaking as the former Co-Chair of LASCON and
>>> AppSecUSA, I can tell you that these types of events are a lot of work and
>>> that it is difficult to attract attendees.  Attendees actually barely end
>>> up covering their own costs (food, schwag, etc).  Sponsors and trainings
>>> are usually the ones who generate the profit for these events.  So, let's
>>> say you do a project summit.  How would you intend to attract attendees who
>>> are willing to pay for the content?  If not, how would you intend to
>>> attract sponsors whose sole purpose in being there is to sell product to
>>> the attendees?  Especially if you don't want sponsors with commercial
>>> intentions.  You would be lucky if you get enough sponsors to cover costs.
>>> Or, in the situation of every past project summit that we've had, the
>>> Foundation ends up covering the difference.  I'm not saying that you
>>> shouldn't try to prove out this model.  I'm saying that it hasn't been
>>> proven to date.  Also, it's a bit naive to say that chapters leveraging
>>> their members and holding a conference isn't "fair".  We should be
>>> encouraging as many endeavors as we can at OWASP that spread our mission.
>>> Even more so if they generate additional revenue because that helps to
>>> further our mission even more after the conference is over.  Nothing is
>>> stopping a project from having a conference.  This isn't a matter of "fair"
>>> or "unfair".  It's a matter of a team of people putting in the effort and
>>> making it happen.  Please don't trivialize those efforts.
>>>
>>>> Also more focus on crowdsourcing projects. If people find it a great
>>>> idea they will sponsor it.
>>>>
>>>
>>> As I said above, I think this is a great idea.  Let's do it!
>>>
>>>> I will ask the staff to create a survey and ask the community about it.
>>>> This is my proposal and based on those results I hope and expect the board
>>>> to take actions.
>>>
>>>
>>> Ask the staff to create a survey?  Why not make the survey yourself?
>>> What exactly are we surveying and why?  The only thing that I think you've
>>> identified as an actual issue preventing projects from operating
>>> efficiently is a cap on the amount of funding available.  That doesn't
>>> require a survey to get changed, just a plan and an approval.  I can't
>>> guarantee support or action as it depends on the varying opinions of 7
>>> unique individuals, but the Board would certainly evaluate any proposal
>>> that is put on the table.
>>>
>>> ~josh
>>>
>>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Josh,
>>>>
>>>> As far as I remember, the idea was proposed to the board by you and the
>>>> board took the decision to implement Committee 2.0. I believe this was done
>>>> with all good intentions but is not working.
>>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>>
>>>> In this same email Sarah mentions:
>>>>
>>>> The 2008 committees worked, for the most part, independently of each other.
>>>> This often created duplicate or even conflicting efforts leading to frustration.
>>>>
>>>> Results now: I'm the only committee, called the Project Task Force. Maybe
>>>> that's why no one wants to create any more committees.
>>>>
>>>> Projects are global. They promote OWASP at a global level. What is
>>>> OWASP known for? For its chapters? Its conferences? I strongly believe
>>>> OWASP is known for its projects: Code Review, Testing Guide, the Cheat
>>>> Sheets, ASVS, ZAP... Many references in major publications refer to the OWASP
>>>> Top Ten and respect them because of its projects. PCI and major vendors use
>>>> them as reference and guidelines.
>>>>
>>>> What I would like to see is a better schema for them to get more awareness,
>>>> especially for people doing great things who, because of lack of funds, cannot
>>>> promote their projects. Chapters are rich, projects are poor. That is in my
>>>> opinion a huge imbalance.
>>>>
>>>> The limit of USD 2,000 for supporting a project leader a year is for
>>>> most leaders not enough. If a leader outside the US or EU is invited to
>>>> Black Hat, that amount is not enough to cover his travelling expenses. And
>>>> that's the maximum he can have in a year after filling in forms and going
>>>> through some back-and-forth emails with the staff...
>>>>
>>>>
>>>>    - Should we scrap projects and focus on being a dedicated conference
>>>>    organisation? ...That's what I see is happening, whether consciously or not.
>>>>    - Should we scrap conferences and focus on gathering those funds to
>>>>    create better platforms for projects and become the next Apache
>>>>    foundation?
>>>>    - Should we use crowdsourcing for gathering funds for projects
>>>>    through the OWASP foundation?
>>>>
>>>>
>>>> I would like to see a solution to this or an action.
>>>>
>>>> Project summits = events. That's what I'm proposing. That Summits are
>>>> treated like events to generate money for projects so they also have a fair
>>>> way to generate money, as chapters do. They will depend less on sponsors
>>>> with commercial intentions (easier to avoid Logogate issues and projects
>>>> with the intention to promote appsec companies). Also more focus on
>>>> crowdsourcing projects. If people find it a great idea they will sponsor
>>>> it.
>>>>
>>>> I will ask the staff to create a survey and ask the community about it.
>>>> This is my proposal and based on those results I hope and expect the board
>>>> to take actions.
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>>> On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles <mario.robles at owasp.org>
>>>> wrote:
>>>>
>>>>> Hey Josh,
>>>>>
>>>>> I could be wrong, but the term Committee is commonly associated with
>>>>> "bureaucracy" even if it's not what you meant; at least it was the first
>>>>> thing on top of my head. I'm sure if you change the word Committee to
>>>>> something like "Action Team" it would be better accepted.
>>>>>
>>>>> Just my point of view,
>>>>>
>>>>> Mario
>>>>>
>>>>>
>>>>> On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>>
>>>>>> I think we need to create Project Summits in the form of events with
>>>>>> the whole purpose to gather funds for projects
>>>>>>
>>>>>
>>>>> Please forgive my ignorance.  How does a Project Summit generate funds
>>>>> for project?  Every Project Summit that we have had to date has cost the
>>>>> Foundation money, hasn't it?  Can you please elaborate?
>>>>>
>>>>>> Look, Denver chapter has around 50K in their bucket. The richest
>>>>>> Project is ZAP with 10k... but that's the exception. Even worse when you
>>>>>> look at chapters outside the US or EU: mine has only USD 40. Most
>>>>>> projects have Zero Dollars.
>>>>>>
>>>>>
>>>>> I'm not sure I understand the fixation on what other chapters have in
>>>>> their bucket.  They have these funds because they worked hard to obtain
>>>>> them.  In the case of Denver, they ran last year's AppSecUSA Conference.
>>>>> Just because they have money in their account, it doesn't mean that you
>>>>> aren't able to do things with the $40 you have in your account.  It just
>>>>> means that they have to use their account funds first before being able to
>>>>> use money from the Foundation pool while you would need to request funds
>>>>> from that pool for anything over $40.  Any sort of reallocation just moves
>>>>> the "ring fenced funds" issue to another account.  The model of chapters
>>>>> and projects having accounts is not what's broken here.  It's the model of
>>>>> chapters and projects saving their funds instead of spending them.  This is
>>>>> why I voted "no" on the Summer of Code initiative.  It was giving money to
>>>>> those who already had it and not forcing them to spend their funds first.
>>>>> In any case, I'm not sure I understand why the amount of money Denver has
>>>>> in their account has any impact on any other chapter or project other than
>>>>> themselves.  We have tens of thousands of dollars allocated by the
>>>>> Foundation to project and chapters on an annual basis, much of which goes
>>>>> completely unused.  There is money available at OWASP for those who need it
>>>>> and I have yet to hear of a situation where someone was told otherwise.
>>>>>
>>>>>> Yes, but how do they know where to go? That's why the survey. The
>>>>>> survey is the compass. And the leaders are elected to listen to the
>>>>>> community.
>>>>>>
>>>>>
>>>>> I agree with this notion.  The OWASP Board should act in accordance
>>>>> with the desires of the community and should be doing frequent checks to
>>>>> confirm that initiatives are aligned.
>>>>>
>>>>>> So the committee concept in theory seemed like a great idea but in
>>>>>> practice is not working because in my eyes, creating a committee is
>>>>>> creating a mini board inside OWASP.
>>>>>>
>>>>>
>>>>> To be honest, I have been surprised by the lack of desire to
>>>>> participate in OWASP Committees.  The community has said that they want
>>>>> empowerment and the goal of the committees was to do that.  But, now that
>>>>> it's there, nobody wants it?  Your example with John Lita follows the
>>>>> Committees 2.0 process almost verbatim.  The only difference is that it
>>>>> provides scoping to ensure that we don't have competing, or even worse,
>>>>> conflicting initiatives and it specifies that the individuals involved need
>>>>> to work within that scope.  Without it, you have a loosely knit group of
>>>>> people running around with their own individual initiatives.  At that
>>>>> level, OWASP is just a funding source for experimentation, not a
>>>>> Foundation.  There is no accountability, but the liability on the
>>>>> Foundation is still there.  Legally, we can't just have people running
>>>>> around spending money without any form of guidance.
>>>>>
>>>>>> Allow me and let the staff know that they should support me and any
>>>>>> other volunteers seeking to implement their ideas ;-).
>>>>>> Let's cut the red tape with committees and let people know that if
>>>>>> they want to do something,
>>>>>>
>>>>>>    - Contact the staff.
>>>>>>    - Set a survey and gather support
>>>>>>    - Need more money? Set a crowd funding project @
>>>>>>    https://www.kickstarter.com under OWASP
>>>>>>    - Volunteers implement idea or project with the support of OWASP
>>>>>>    staff and other volunteers
>>>>>>
>>>>> I'm not sure how this is that much different from a Committee.
>>>>> Contact the community via the mailing list and gather support, scope the
>>>>> activities (ie. define the project), Board ensures that there's no
>>>>> conflict, do your thing.  The "red tape" that you keep referring to is just
>>>>> a process document that walks you through how to set up a committee.  After
>>>>> that's done, the idea was to empower you to act within the defined scope
>>>>> without going to the Board.  If we're talking specifically about projects,
>>>>> which it sounds like this is geared towards, then it's even easier.
>>>>> Register as a project (so that staff knows you exist and can support you)
>>>>> and do your thing.  If you need money, ask for it.  I'm not sure I see the
>>>>> problem here.  I'm also not sure what you're asking for as it doesn't seem
>>>>> that different to me than how the status quo is supposed to operate.  Is it
>>>>> operating differently in practice than it should in theory?  I don't have
>>>>> an OWASP project and so perhaps I'm blind to the realities.  If so, then
>>>>> the specific issues need to be addressed by bylaw change, policy change,
>>>>> staff engagement, etc.  So far, all you've said is "projects need money",
>>>>> which you have access to, and "cut the red tape", of which I don't see
>>>>> anything more than a step to say "Hey, I want to be a project".  Please
>>>>> help me to understand.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>>  >I don't think there is anything preventing a project from doing the
>>>>>> same, but I haven't seen it done at this point.
>>>>>>
>>>>>> I think we need to create Project Summits in the form of events with
>>>>>> the whole purpose to gather funds for projects. OpenSAMM has done this and
>>>>>> I think we can try that. For that we need the support of the staff Business
>>>>>> Liaison and Event Manager, just as they put their work and efforts into Events
>>>>>> and AppSecs. Here a cut share between OWASP staff time and projects can also
>>>>>> be done.
>>>>>>
>>>>>>  >OWASP has a project funding bucket.
>>>>>> Look, Denver chapter has around 50K in their bucket. The richest
>>>>>> Project is ZAP with 10k... but that's the exception. Even worse when you
>>>>>> look at chapters outside the US or EU: mine has only USD 40. Most
>>>>>> projects have Zero Dollars.
>>>>>> And the limits right now are a support but do not help to get
>>>>>> important things moving like the OWASP Academy portal, leaders like Azzedine
>>>>>> assisting and showcasing their chapter or project, or other more complex
>>>>>> initiatives. Or major improvements or promotions to their projects.
>>>>>>
>>>>>>   >Remember that the Board is just a handful of leaders who were
>>>>>> elected to set the compass.
>>>>>>   Yes, but how do they know where to go? That's why the survey. The
>>>>>> survey is the compass. And the leaders are elected to listen to the
>>>>>> community.
>>>>>>
>>>>>> And about committees...
>>>>>> The only existing active committee right now is the Project Review
>>>>>> (which I still call a taskforce myself). I haven't seen many initiatives or
>>>>>> participation from other committees. So the committee concept in theory
>>>>>> seemed like a great idea but in practice is not working because in my eyes,
>>>>>> creating a committee is creating a mini board inside OWASP. We do not want
>>>>>> to create oligarchies in the end.
>>>>>>
>>>>>>   I think we should cut off that committee idea and be more practical.
>>>>>> More like this
>>>>>>
>>>>>>   Example:
>>>>>>
>>>>>>
>>>>>>    - John Lita wants to create an academy portal but developing it
>>>>>>    costs money and resources that volunteers alone cannot easily pull
>>>>>>    off (owaspa project was the same and died, just like many educational
>>>>>>    initiatives)
>>>>>>    - John must create a proposal with defined goals and how to reach
>>>>>>    them. He joins other volunteers in this effort. No need to be a committee.
>>>>>>    - John & Claudia create a survey and seek support of the
>>>>>>    community
>>>>>>    - If the idea has major feedback and volunteers, then John has
>>>>>>    the support from the staff to execute, including looking for sponsors using
>>>>>>    crowdsource funding portals
>>>>>>    - Staff monitors development and results of the actions taken
>>>>>>    - Staff reports results back to the community
>>>>>>
>>>>>> This is in my eyes how I have been working in the end, because, as
>>>>>> volunteers, available time mostly depends on one or 2 passionate
>>>>>> individuals like John-Lita, who are more dedicated, and the rest follow...
>>>>>>
>>>>>> Now if we want to change things, don't tell me to set up a committee,
>>>>>> because, Josh, this has not worked so far.
>>>>>>
>>>>>> Allow me and let the staff know that they should support me and any
>>>>>> other volunteers seeking to implement their ideas ;-).
>>>>>> Let's cut the red tape with committees and let people know that if
>>>>>> they want to do something,
>>>>>>
>>>>>>    - Contact the staff.
>>>>>>    - Set a survey and gather support
>>>>>>    - Need more money? Set a crowd funding project @
>>>>>>    https://www.kickstarter.com under OWASP
>>>>>>    - Volunteers implement idea or project with the support of OWASP
>>>>>>    staff and other volunteers
>>>>>>
>>>>>> How do we get this idea to action?
>>>>>> Shall we create a survey?
>>>>>> Do you need to discuss this on a board meeting?
>>>>>> How do I get empowered and let the staff know that as a volunteer I
>>>>>> have your support for this (if I do)?
>>>>>>
>>>>>> You see... how dependent I am on the board to be able to execute?
>>>>>>
>>>>>> Of course I can always do this on my own, but then I'd better do it
>>>>>> without OWASP...
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Johanna,
>>>>>>>
>>>>>>> Thank you for putting your thoughts out there for everyone.  Silence
>>>>>>> is not good for anyone and OWASP will be far more successful if we know
>>>>>>> what our leaders are struggling with and make a conscious effort to improve
>>>>>>> it.  I think that many of your points are very valid and strongly support
>>>>>>> the idea of polls to gauge community support for actions being taken.  I
>>>>>>> also support the idea that the Board should be making as few of these
>>>>>>> decisions as possible and putting the power back in the hands of the
>>>>>>> community with support from the staff.  The Board should be the "compass"
>>>>>>> making sure that we are moving in the right direction with the community
>>>>>>> and staff being the ones actually pushing us forward.  That's not to say
>>>>>>> that members of the Board won't have their own projects or initiatives, but
>>>>>>> they do so as part of the community, not because of their roles on the
>>>>>>> Board.  The Committees 2.0 framework was a first step in driving this level
>>>>>>> of empowerment back to the community while maintaining accountability and
>>>>>>> providing appropriately scoped actions.  My impression was that the
>>>>>>> Projects Committee was rolling forward quite well under this guidance, but
>>>>>>> it sounds like maybe I was wrong.  Are there specific actions that you have
>>>>>>> tried to take on the committee that got blocked by the Board or hung up in
>>>>>>> "red tape"?  Are there needs for funding that haven't been met?
>>>>>>>
>>>>>>> Regarding the project vs chapter funding schemas, I'm not sure that
>>>>>>> there is a good answer.  Projects are typically made up of a pocket of
>>>>>>> individuals.  Typically one leader with sometimes one or two others
>>>>>>> assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
>>>>>>> provide members with the ability to allocate their funds to either, but
>>>>>>> most associate themselves with a chapter rather than a project because
>>>>>>> that's where they participate.  We also have chapters putting on
>>>>>>> conferences with the goal of raising funds.  I don't think there is
>>>>>>> anything preventing a project from doing the same, but I haven't seen it
>>>>>>> done at this point.  Those are the two main ways that I see chapters
>>>>>>> raising money.  Yes, there is certainly a difference in schemas and
>>>>>>> projects will have a more difficult time, but that's also why OWASP has a
>>>>>>> project funding bucket.  Money from these local events as well as funds
>>>>>>> raised by our AppSec conferences gets budgeted specifically for this
>>>>>>> purpose.  To my knowledge, no reasonable request for funds by projects has
>>>>>>> been denied.  Just because there isn't money sitting "ring fenced" in an
>>>>>>> account for the projects, doesn't mean that there isn't money that can be
>>>>>>> spent.  It just means that it needs to be requested from the pool.  Yes,
>>>>>>> it's a different model of funding, but the end result is the same.  There
>>>>>>> are funds available at OWASP for everyone who needs them.
>>>>>>>
>>>>>>> There are obviously many things that need to be improved at OWASP
>>>>>>> and, unfortunately, the Board has been tied up in rules, events, bylaws,
>>>>>>> etc for a while now.  It's definitely not the "fun" part of the job and it
>>>>>>> is very time consuming.  That said, I would argue that these are the things
>>>>>>> that need to be changed in order for everyone else (staff, community, etc)
>>>>>>> to be able to be better served.  We've made several changes to the Bylaws
>>>>>>> and are working on more.  We've hired an Executive Director (Paul), an
>>>>>>> Event Manager (Laura), a Community Manager (Noreen), and a Project
>>>>>>> Coordinator (Claudia) just in the almost two years that I've been on the
>>>>>>> Board.  The needle on the compass is set and, while it takes some time to
>>>>>>> right the ship, we are getting there by giving our community the support it
>>>>>>> requires to be successful.  So, here's my general thought:
>>>>>>>
>>>>>>> 1) If it's within the scope of a defined Committee, JUST DO IT!
>>>>>>>
>>>>>>> 2) If there's no Committee defined for it, CREATE ONE, then JUST DO
>>>>>>> IT!
>>>>>>>
>>>>>>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>>>>>>
>>>>>>> 4) If asking the staff isn't working or we need to change a policy
>>>>>>> to make it happen, LET THE BOARD KNOW!
>>>>>>>
>>>>>>> The Board should be the last resort, in my opinion, not the first.
>>>>>>> We should be the enabler, not the bottleneck.  I think that our leaders
>>>>>>> make too many assumptions (probably based on past Board actions) about what
>>>>>>> needs to go to the Board and we need to get away from that.  Remember that
>>>>>>> the Board is just a handful of leaders who were elected to set the
>>>>>>> compass.  We have a finite number of things that we can handle and our
>>>>>>> Board meetings are typically overflowing with topics.  So, if something is
>>>>>>> bothering you, I would encourage you to change it.  That's why, with the
>>>>>>> David Rook situation, I encouraged creation of a new Committee to determine
>>>>>>> a reasonable solution.  If it requires a policy change by the Board, then
>>>>>>> we can vote on that, but asking the Board to take action just perpetuates
>>>>>>> the oligarchy that you mention in your e-mail.  Instead of pushing these
>>>>>>> issues up to the Board for action, let's have the community DECIDE what
>>>>>>> they want and have the Board change the compass needle via bylaws,
>>>>>>> policies, and staff discussions, accordingly.  At least, that's my vision
>>>>>>> for OWASP.  Is that something that you can get on board with?
>>>>>>>
>>>>>>> ~josh
>>>>>>>
>>>>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Members of the board,
>>>>>>>>
>>>>>>>> With the recent issue regarding David Rook, and my latest
>>>>>>>> experience with red-tape, I'm proposing the following.
>>>>>>>>
>>>>>>>> My goal is to call your attention to these issues which I have
>>>>>>>> been observing for years, and not as a critique of your work, but I think
>>>>>>>> if you do not pay attention to these issues and DO something about them,
>>>>>>>> OWASP will lose valuable community participation.
>>>>>>>>
>>>>>>>>    - When an initiative is proposed or launched by a member of the
>>>>>>>>    board, this should be followed up by a survey where the community can
>>>>>>>>    vote. Whether it is a rule or money, these decisions should be taken based on
>>>>>>>>    collected data and proper substantiation to avoid oligarchy
>>>>>>>>    - When an initiative is launched by a member of the community,
>>>>>>>>    especially when this initiative costs more than 10k, it should be
>>>>>>>>    substantiated with data on how this initiative will benefit the community.
>>>>>>>>    It should also be followed by a survey
>>>>>>>>    - Staff should help create the survey and analyse the votes
>>>>>>>>    - *In other words: do more surveys to find out what the
>>>>>>>>    community needs and wants.*
>>>>>>>>
>>>>>>>> My observations and where I think you need to give more attention:
>>>>>>>>
>>>>>>>>
>>>>>>>>    - Board/Executive director should work closer with the staff
>>>>>>>>    for guidance and empowering their role. I have the feeling that the staff
>>>>>>>>    is paralysed waiting for instructions or following strict rules. The staff
>>>>>>>>    should be motivated to take initiative and implement projects on their own
>>>>>>>>    that can help the community. They should not be too dependent on an
>>>>>>>>    Executive director or member of the board for this part
>>>>>>>>
>>>>>>>> As I see it, OWASP is known for its Project & Chapter leaders
>>>>>>>> who, as volunteers, have contributed the most to put OWASP in the
>>>>>>>> spotlight. Therefore:
>>>>>>>>
>>>>>>>>
>>>>>>>>    - You should determine and implement better ways to provide
>>>>>>>>    better funding schemas for projects. This is something a volunteer cannot
>>>>>>>>    do. And *nothing* has been done to help solve this issue
>>>>>>>>    - There is an unfair inequality in the way chapters can
>>>>>>>>    generate funds vs Projects.
>>>>>>>>    - Money is locked down in the chapters' budget
>>>>>>>>    - Chapters outside the US & EU have more struggles to find support.
>>>>>>>>    You should consider a way to better support these ones since their
>>>>>>>>    countries are not as developed in the area of security as countries in the EU and
>>>>>>>>    US.
>>>>>>>>    - Follow up: when issues like David Rook arise or a volunteer
>>>>>>>>    rants (like me or others) out of frustration, take action. Put it on the
>>>>>>>>    agenda and try to solve and discuss the issues to improve the actual
>>>>>>>>    problems. So far I have seen very little follow up on major issues and
>>>>>>>>    discussions raised in the mailing lists
>>>>>>>>    - Way too much attention to rules, *events* and bylaws etc. Time
>>>>>>>>    to take action and take decisions and propose plans for improvements of the
>>>>>>>>    actual situation mentioned above
>>>>>>>>
>>>>>>>> That being said, and with all due respect to you, I hope that you
>>>>>>>> can take action and *execute* improvements on issues that have been a
>>>>>>>> problem since I joined OWASP 3 years ago.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Governance mailing list
>>>>>>>> Governance at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact