[Governance] [Owasp-board] Bylaw Update Discussion - Board Member Confidence

Jim Manico jim.manico at owasp.org
Wed Aug 26 12:53:25 UTC 2015


Josh,

+1 on both accounts. I am personally very grateful for your many and 
regular contributions on the board, even when we disagree on occasion. I 
think you handle conflict extremely well and I appreciate your strong 
sense of ethics.

Keep on rockin' in the free world.

Aloha,
Jim

On 8/26/15 7:13 AM, Josh Sokol wrote:
> Fabio,
>
> I did not express any concern about the 75% requirement.  I think it 
> is a very reasonable expectation to have a Board member not miss more 
> than 3 meetings a year.  Even that number seems high to me.  I don't 
> see any issue if Michael or Andrew were to trigger a vote of 
> confidence if they were to miss another meeting.  In all likelihood, 
> if that were to happen, we would just handle it exactly as we handled 
> your situation.  We recognize contributions outside of the meetings 
> and move on.  That said, if a Board member got elected, and simply 
> wasn't attending meetings, or wasn't putting in any effort, would you 
> really want to wait longer than 3 months to have the OPTION to remove 
> them?  This process is working exactly as it was designed to.  Why 
> would we want to change it all of a sudden now that someone was 
> falling below the bar?
>
> With respect to changing the in-person Board meeting requirements, I 
> strongly object.  I was the one who petitioned the Board to have this 
> requirement changed from MUST to SHOULD in the first place.  While my 
> family and work obligations make travel quite difficult for me, I 
> don't think it has sacrificed my participation in the Board at all.  
> And in terms of interaction with the community, I was out at both 
> BSides Las Vegas and BlackHat where OWASP had a presence at both.  
> Were you?  I participate in the MONTHLY OWASP Austin chapter meetings, 
> MONTHLY happy hours, and LASCON.  I attend many other local and 
> regional security events such as BSides Austin and HouSecCon.  So, 
> there are MANY other ways for a Board member to meet with the 
> community, talk about their needs, and help them progress their 
> projects without an in-person Board meeting.  With OWASP having a 
> highly-distributed global Board, and in this age of technology, the 
> idea that we all have to be in the same place to get something done is 
> ludicrous.  Is it more ideal?  Absolutely.  Should it be a 
> requirement? Absolutely not.
>
> ~josh
>
> On Tue, Aug 25, 2015 at 5:08 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
>     Bil,
>
>     Thanks for updating the wording in the clause below. I have some
>     comments regarding the 75% attendance requirement.
>
>     Besides Josh, several board members already expressed a concern
>     about this requirement and are willing to lower/eliminate it.
>
>     Just to give you an example: Michael and Andrew will trigger a
>     vote of CONFIDENCE if they miss another meeting during the
>     calendar year.
>
>     https://docs.google.com/spreadsheets/d/1wpaOCBP-qrnde0sLiglDMJOUCtse6oB-zf3ONCkWgZk/edit?pli=1#gid=6
>
>     I think that is counterproductive and will send us in a spiral of
>     votes of CONFIDENCE at every Board meeting. I would suggest
>     lowering that requirement or NOT making the vote of CONFIDENCE a
>     requirement for meetings attendance. The vote of CONFIDENCE should
>     be a mechanism to expel a Board member if they don’t fulfil their
>     duties, misbehave with other members/staff of the community, or
>     they significantly do not show up at the Board meetings (e.g.
>     attendance less than 50%).
>
>     Also, I believe the requirement to meet in person is quite vague
>     as per current statement below. I attended all in person meetings
>     at AppSec USA & AppSec EU and think they are very valuable. You
>     have a chance to meet with the community, talk about their needs,
>     help them progress their projects, and meet face-to-face with your
>     fellow Board members. So if we are going to change the Bylaws, I
>     think we need to put a requirement for Board members to meet in
>     person at least ONCE a year. I will appreciate your feedback and
>     from the rest of the Governance list regarding this matter.
>>
>>     Attendance in person or virtually by board members is required at
>>     no less than 75% of the total meetings each year and *shall be
>>     highly encouraged to meet in person at least once annually* at a
>>     date to be announced and agreed upon.
>>
>     Thanks,
>
>     Fabio Cerullo
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org
>     Join me at AppSecUSA 2015 <https://2015.appsecusa.org> in
>     San Francisco!
>
>>     On 25 Aug 2015, at 10:22, Bil Corry <bil.corry at owasp.org> wrote:
>>
>>     Hi Josh,
>>
>>     Tabulation is described as thus (emphasis is mine):
>>
>>     "Attendance is tabulated after every scheduled meeting for the
>>     purpose of determining if the 75% attendance requirement has been
>>     met, and the tabulation is *based upon the entire calendar year.*"
>>
>>     That means if there are 12 meetings during the year and you miss
>>     the first meeting, your attendance is 11/12 or 92%. No vote required.
>>
>>     As far as your other concerns, I've updated the text below,
>>     hopefully I've covered it all?  I pulled deadlines out of thin
>>     air, so feel free to tweak the numbers and method of voting.
>>
>>
>>     *SECTION 3.03 Regular Meetings.* The Board of Directors shall
>>     have regular meetings as needed.  A link to the board meeting
>>     agenda’s and the historical minutes is here:
>>     https://www.owasp.org/index.php/OWASP_Board_Meetings.  Meetings
>>     shall be at such dates, times, and places as the Board shall
>>     determine in December of the preceding year and as amended by the
>>     Board. In no event will there be less than one meeting per
>>     quarter.  These meetings will be open to public attendance,
>>     however, certain portions of the meeting may be closed to board
>>     members and their delegates when required for legal reasons, or
>>     to shield liability, or to handle personnel issues, or similar. 
>>     Attendance in person or virtually by board members is required at
>>     no less than 75% of the total meetings each year and shall be
>>     highly encouraged to meet in person at least once annually at a
>>     date to be announced and agreed upon.  Attendance is tabulated by
>>     the Executive Director or delegate within seven days after every
>>     scheduled meeting for the purpose of determining if the 75%
>>     attendance requirement has been met, and the tabulation is based
>>     upon the entire calendar year.  Cancelled meetings are considered
>>     attended for the purposes of the tabulation.  Failure by a board
>>     member to meet the 75% attendance requirement after any
>>     tabulation will cause a mandatory vote of confidence by the
>>     remaining board members, whose votes will be publicly recorded. 
>>     The vote of confidence is to take place within 21 days, but not
>>     sooner than 7 days, of notification by the Executive Director or
>>     delegate that a board member has not met the attendance
>>     threshold. During the first seven days, the board member in
>>     question will have an opportunity to make their case to their
>>     fellow board members.  The vote of confidence will take place on
>>     the OWASP Board of Directors email list, unless the Board votes
>>     to review the matter at their next meeting, so long as the next
>>     meeting occurs within the 21-day window.  An overall vote of
>>     "confidence" is recorded if half or more of the board members vote
>>     for it and it will prevent further votes of confidence for the
>>     remainder of the year so long as the board member in question
>>     does not miss any further meetings.  An overall vote of "no
>>     confidence" is recorded if more than half of the board members
>>     vote for it, which causes the board member in question to be
>>     instantly removed from their seat on the board. Vacancies on the
>>     board are handled as per Section 3.10.
>>
>>
>>     2 OWASP Board of Directors will hold quarterly board meetings
>>     lasting 4-6 hours each. The schedule of meetings will be set by
>>     the board in December before the year. It is likely the board
>>     meetings will take place on Saturdays or on a dedicated day
>>     before a large OWASP conference. This change is a result of the
>>     success of the longer format board meeting and also a result of
>>     the Executive Director role that has enabled full time
>>     involvement and focus on OWASP operations. Board members must
>>     attend (in person or virtually) 3 of the 4 meetings to fulfill
>>     the attendance requirements. This will take effect in January,
>>     2014. Changes passed August 19, 2013.
>>
>>     3 “and shall be highly encouraged to meet in person at least once
>>     annually at a date to be announced and agreed upon” amendment to
>>     document passed June 10, 2013.
>>
>>
>>
>>
>>     - Bil
>>
>>
>>     On Mon, Aug 24, 2015 at 2:31 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>         Bil,
>>
>>         I initiated a Board vote on the new text that you had
>>         proposed back in April or May this year and the Board
>>         unanimously voted to approve.  Paul has been working to try
>>         to identify all of the changes that have been made (there's
>>         only been one or two this year) in order to get a new version
>>         of the Bylaws on the website.  Regardless, the one that is
>>         there is definitely out-of-date.
>>
>>         With respect to your update, thank you, I was thinking
>>         something similar as well, but this doesn't address a few of
>>         my bullet points:
>>
>>           * The method of tabulation is unspecified.  If we are
>>             tabulating sequentially, then we have a situation where
>>             if a Board member missed their first meeting, a vote is
>>             required to be held for three tabulations (0%, 50%, and
>>             66%) until they make it up over 75%.  I am guessing that
>>             the intent is for this to be tabulated assuming
>>             attendance for all future meetings and action would be
>>             taken if the person would be unable to maintain 75%
>>             attendance, but if anyone disagrees and has a different
>>             interpretation, please let me know.
>>           * The timeframe for the vote is unspecified.  It just says
>>             that it will cause a mandatory vote of confidence, but
>>             never says when that vote is supposed to take place or
>>             who is supposed to initiate it.  Is it to be handled
>>             immediately at the time of tabulation?  Is it handled
>>             offline over e-mail as we recently did?  Is it handled at
>>             the next Board meeting?  Based on the current verbiage,
>>             technically the Board could drag its heels on it
>>             indefinitely. I would think that something reasonable
>>             would be having the vote initiated by our Executive
>>             Director within two weeks of the tabulation that found
>>             them to be not meeting their attendance requirements.  If
>>             there is a Board meeting during that window, then it
>>             could be handled then, or handled via the mailing list
>>             otherwise.  That provides time to handle the situation
>>             and removes any Board member bias from the initiation of
>>             the vote.
>>           * This does not offer the offender an opportunity to
>>             explain why they failed to meet their attendance
>>             requirement.  I think that a reasonable process would
>>             assume that there is a rational explanation for why they
>>             did not attend.  Maybe it's because all of the meetings
>>             were being held at 2 AM in their timezone.  Maybe it's
>>             because of a death in the family.  I think this process
>>             should take the personal factor into consideration.
>>
>>         Would you care to take a stab at addressing these?  If not, I
>>         can certainly take a shot at it as well.
>>
>>         ~josh
>>
>>
>>         On Mon, Aug 24, 2015 at 2:07 AM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>>             Hi Josh,
>>
>>             The current bylaw I see is from last year, which doesn't
>>             have the text you quoted.  It's here:
>>
>>             https://www.owasp.org/index.php/OWASP_Foundation_ByLaws
>>
>>             I know we discussed changing the bylaws, but I don't know
>>             what was ultimately adopted.  FWIW, this is the wording
>>             from last proposed text, which is very clear on how
>>             tabulation is calculated, although it doesn't give
>>             strict time limits for tabulation and confidence voting. 
>>             The thought was to allow the Board some flexibility in
>>             how they want to execute it.  But if you'd like it to be
>>             formally incorporated into the bylaws, then please
>>             propose some text.
>>
>>
>>             *SECTION 3.03 Regular Meetings.* The Board of Directors
>>             shall have regular meetings as needed.  A link to the
>>             board meeting agenda’s and the historical minutes is
>>             here:
>>             https://www.owasp.org/index.php/OWASP_Board_Meetings.
>>              Meetings shall be at such dates, times, and places as
>>             the Board shall determine in December of the preceding
>>             year and as amended by the Board. In no event will there
>>             be less than one meeting per quarter.  These meetings
>>             will be open to public attendance, however, certain
>>             portions of the meeting may be closed to board members
>>              and their delegates when required for legal reasons, or
>>             to shield liability, or to handle personnel issues, or
>>             similar.  Attendance in person or virtually by board
>>             members is required at no less than 75% of the total
>>             meetings each year and shall be highly encouraged to meet
>>             in person at least once annually at a date to be
>>             announced and agreed upon.  Attendance is tabulated after
>>             every scheduled meeting for the purpose of determining if
>>             the 75% attendance requirement has been met, and the
>>             tabulation is based upon the entire calendar year. 
>>             Cancelled meetings are considered attended for the
>>             purposes of the tabulation.  Failure by a board member to
>>             meet the 75% attendance requirement after any tabulation
>>             will cause a mandatory vote of confidence by the
>>             remaining board members, whose votes will be publicly
>>             recorded.  An overall vote of "no confidence" is recorded
>>             if half or more of the board members vote for it, which
>>             causes the board member in question to be instantly
>>             removed from their seat on the board.  Vacancies on the
>>             board are handled as per Section 3.10.
>>
>>             2 OWASP Board of Directors will hold quarterly board
>>             meetings lasting 4-6 hours each. The schedule of meetings
>>             will be set by the board in December before the year. It
>>             is likely the board meetings will take place on
>>             Saturdays or on a dedicated day before a large OWASP
>>             conference. This change is a result of the success of the
>>             longer format board meeting and also a result of the
>>             Executive Director role that has enabled full time
>>             involvement and focus on OWASP operations. Board members
>>             must attend (in person or virtually) 3 of the 4 meetings
>>             to fulfill the attendance requirements. This will take
>>             effect in January, 2014. Changes passed August 19, 2013.
>>
>>             3 “and shall be highly encouraged to meet in person at
>>             least once annually at a date to be announced and agreed
>>             upon” amendment to document passed June 10, 2013.
>>
>>
>>
>>
>>             - Bil
>>
>>
>>             On Sat, Aug 22, 2015 at 6:01 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>                 Board,
>>
>>                 As recently discussed and voted on in a separate
>>                 thread, our current Bylaws state as follows:
>>
>>                 /Failure by a board member to meet the 75% attendance
>>                 requirement after any tabulation will cause a
>>                 mandatory vote of confidence by the remaining board
>>                 members, whose votes will be publicly recorded.  An
>>                 overall vote of "no confidence" is recorded if half
>>                 or more of the board members vote for it, which
>>                 causes the board member in question to be instantly
>>                 removed from their seat on the board./
>>
>>                 I see a few issues with this:
>>
>>                   * The timeframe that this applies to is
>>                     unspecified. Is it per quarter?  Per calendar
>>                     year?  Over the two year duration of a Board
>>                     member term?  Over the cumulative time that a
>>                     Board member is in office? I'm guessing that the
>>                     intent is for this to be over the calendar year,
>>                     but if anyone disagrees and has a different
>>                     interpretation, please let me know.
>>                   * The definition of "tabulation" is unspecified.
>>                     Who is doing the tabulation? Is there a certain
>>                     time that this tabulation is conducted? I'm
>>                     guessing that the intent is for this to be based
>>                     on the attendance roll that is captured during
>>                     the Board meeting, but if anyone disagrees and
>>                     has a different interpretation, please let me know.
>>                   * The method of tabulation is unspecified. If we
>>                     are tabulating sequentially, then we have a
>>                     situation where if a Board member missed their
>>                     first meeting, a vote is required to be held for
>>                     three tabulations (0%, 50%, and 66%) until they
>>                     make it up over 75%. I am guessing that the
>>                     intent is for this to be tabulated assuming
>>                     attendance for all future meetings and action
>>                     would be taken if the person would be unable to
>>                     maintain 75% attendance, but if anyone disagrees
>>                     and has a different interpretation, please let me
>>                     know.
>>                   * The timeframe for the vote is unspecified. It
>>                     just says that it will cause a mandatory vote of
>>                     confidence, but never says when that vote is
>>                     supposed to take place or who is supposed to
>>                     initiate it. Is it to be handled immediately at
>>                     the time of tabulation? Is it handled offline
>>                     over e-mail as we recently did? Is it handled at
>>                     the next Board meeting? Based on the current
>>                     verbiage, technically the Board could drag its
>>                     heels on it indefinitely. I would think that
>>                     something reasonable would be having the vote
>>                     initiated by our Executive Director within two
>>                     weeks of the tabulation that found them to be not
>>                     meeting their attendance requirements. If there
>>                     is a Board meeting during that window, then it
>>                     could be handled then, or handled via the mailing
>>                     list otherwise. That provides time to handle the
>>                     situation and removes any Board member bias from
>>                     the initiation of the vote.
>>                   * This does not offer the offender an opportunity
>>                     to explain why they failed to meet their
>>                     attendance requirement. I think that a reasonable
>>                     process would assume that there is a rational
>>                     explanation for why they did not attend.  Maybe
>>                     it's because all of the meetings were being held
>>                     at 2 AM in their timezone. Maybe it's because of
>>                     a death in the family.  I think this process
>>                     should take the personal factor into consideration.
>>
>>                 With the above in mind, I don't see a reason to lower
>>                 the bar from 75%.  My thinking is that this is a
>>                 reasonable expectation to have of a Board member with
>>                 all things being equal.  It may not be the best
>>                 measure of engagement, but it is still a
>>                 responsibility that all Board members are aware of
>>                 going into it, and I am not aware of it having been
>>                 an issue in the past (until now), so I'm not sure why
>>                 we would change it now that one Board member had a
>>                 vote initiated for it.  I would propose that we
>>                 update the language in order to better clarify my
>>                 bullet points above, but leave the requirement itself
>>                 in place.  Please provide your thoughts regarding
>>                 each of these bullet points (or any other issues that
>>                 you think need to be addressed here).  Once we have
>>                 some level of agreement with these, I can take the
>>                 action item of re-writing this section of the Bylaws
>>                 in order to incorporate these changes. Thanks.
>>
>>                 ~josh
>>
>>
>>                 _______________________________________________
>>                 Owasp-board mailing list
>>                 Owasp-board at lists.owasp.org
>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>>     _______________________________________________
>>     Governance mailing list
>>     Governance at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/governance
>
>
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
