[Owasp-board] Chapter Revenue Share From OWASP events

Kate Hartmann kate.hartmann at owasp.org
Wed Dec 22 16:10:22 UTC 2010


I have pulled this discussion off of most of the mailing lists and dropped
it back on Conferences' plate.  I am really trying to be objective here, but
honestly, I'm getting frustrated by the comments I'm reading.  I really try
in most situations to allow the community to be the driver, but as this
topic will affect the viability of the foundation (mothership), 160+ local
chapters, and 20,000+ members of the owasp all mailing list I need to try to
get EVERYONE to think globally on this issue.  We are, after all, the
conference committee.  According to the Conference committee website:  The
Global Conferences Committee was created during the OWASP EU Summit in
Portugal 2008. The primary purpose of this Global Conferences Committee is:
determine location, frequency and to oversee and direct global conferences,
speakers and training. 

It says nothing about allowing chapters build their revenue through hosting
OWASP GLOBAL APP SEC EVENTS.

 

Please, guys, let's stay focused on what we need to do.  If chapters feel
they need more funding, then they should go through the Global chapter
committee to make that happen.

 

Richard, my comments on your email are below:

 

As both an LA Chapter Board Member and GCC member, I am well positioned (I'd
better be) to weigh in on this passionate discussion.

 

I am not discounting your efforts, but as the Operational director of OWASP,
I have been involved with EVERY chapter Globally and every committee for the
past two years.Your activity has been within the past 6 months, limited to
LA, and 6 weeks on the GCC.  I have seen new chapters grow from 1 or 2
dedicated, passionate chapter leaders to participation of hundreds.  In this
discussion, I think that your role as a chapter leader is actually a
conflict of interest.  

 

Look at the success New York OWASP has been having. LA needs to be at that
level!

 

New York had been successful without AppSec funding.  They drive the mission
with membership.  AppSec US 2008 was held in NYC and the local chapter did
not receive any of those profits.  They finance with energy directed towards
corporate memberships ($2,000 each to the local chapter).

 

Let's remember not to covet others riches, but to respect the capacity of
each Chapter to build and spread the OWASP concepts to as many
people/companies as possible.

Let's not hoard either, but help the organization as a whole to succeed.

 

Richard, I'm not suggesting elimination of the share, but am trying to help
drive the organization as a whole.  I agree that LA is a metropolis, and if
the goal is to become as active as NY, then great!  

 

I am trying to point out that a chapter's longevity will be with membership.
AppSec should be viewed as an energy boost for an already active chapter,
not as a mechanism to start a dead battery.

 

 

Kate Hartmann

Operations Director

301-275-9403

 <http://www.owasp.org/> www.owasp.org 

Skype:  Kate.hartmann1

 

From: Richard Greenberg [mailto:richard.greenberg at owasp.org] 
Sent: Wednesday, December 22, 2010 10:00 AM
To: Kate Hartmann
Cc: Tin Zaw; global_conference_committee;
global_chapter_committee at lists.owasp.org; Lucas Ferreira;
Global_membership_committee at lists.owasp.org; Eoin
Subject: Re: [Global_conference_committee] [Global_chapter_committee]
[Global_membership_committee] Conference/Chapter Revenue Splitting

 

As both an LA Chapter Board Member and GCC member, I am well positioned (I'd
better be) to weigh in on this passionate discussion. I have not yet read a
false statement from anyone, which means we are all speaking at a high
level. Of course, there must be some resolution to this hot issue, so here
are my thoughts.

Any local chapter that takes on the responsibility for a local hosting of a
Global AppSec conference does so with the understanding that they are the
ones who are in charge and must bear the responsibility for the success or
failure of the conference, both in terms of content and financially. We in
SoCal spent countless hours on all the conference planning tasks, from venue
issues to reception planning, from spreading the word for and vetting
speakers to getting sponsorships (and I personally got a number of these).
We are not paid OWASP employees, but of course all have other jobs, that we
put in much more than a 40 hour work week to be successful. Yet we still all
found the time to indeed make the conference a success. Why did we do this?
No, it was never directly about the money. Yes, it involved the money, but
solely to build the LA Chapter. LA is the largest megalopolis in the
country, yet its participation at OWASP meetings is not proportional to
this. We are using AppSec as a beacon to light the way for the development
and appsec community to come into the OWASP fold. Word of mouth is
important, but much of the efforts require cold hard cash, the kind that was
brought in from AppSec. Los Angeles is often looked at as a driving force in
initiatives for the rest of the country, and we are setting our goals
appropriately. Look at the success New York OWASP has been having. LA needs
to be at that level!

Stepping up a level, any local chapter that takes on the hosting
responsibility should receive the funding it needs for it's initiatives,
provided it has generated that income for both OWASP and the chapter itself.
It should not be the role of OWASP to dictate what the chapter must do with
its money, unless there is a clear misuse or poorly chosen direction. We
have highly motivated , intelligent, and resourceful Chapter Leaders that
have that responsibility. Let's remember not to covet others riches, but to
respect the capacity of each Chapter to build and spread the OWASP concepts
to as many people/companies as possible.

On Wed, Dec 22, 2010 at 9:26 AM, Kate Hartmann <kate.hartmann at owasp.org>
wrote:

Tin, I am really not picking on you, individually, but need to really speak
up on this subject since it is a very critical one for the foundation as an
organization.

 

Tin, please be careful when you bring in phrases like, "this is the core of
the matter here."  Really, I disagree with that statement.  The idea is not
that simple - guilt.

We are working on a global solutions to the chapter funding.  Not every
chapter can host an AppSec and the regional events do not bring in that much
revenue.  We need to think about the message we send to EVERYONE.

Hosting an AppSec or any conference should really not be about the money.
In fact, until very recently, the local chapter did not receive ANY split
and we still had lots of chapters asking to host the conference.  In 2008,
as a result of the first Summit, the Membership model was modified to
provide local chapter's a 40% share of incoming membership fees.  This means
that a corporate supporter attached to a local chapter would generate $2K.
There are many chapters who have used this "seed money" to drive membership,
participation, and bring in additional chapter revenue through corporate
supporters.  

 

Looking  at the first paragraph about OWASP on the website, at the mission
of OWASP, it reads:  

 

"The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit
worldwide charitable organization focused on improving the security of
application software. Our mission is to make application security visible,
so that people and organizations can make informed decisions about true
application security risks. Everyone is free to participate in OWASP and all
of our materials are available under a free and open software license. "

 

It is MY OPINION based on what I have seen Globally, energy spent on
Membership is more financially rewarding in the long term, and, hour for
hour, provides a greater return on investment.  The profits for an AppSec
conference are really the result of turning the membership relationships
into sponsorships.  

 

Tin, really, I challenge you to look at the sponsorship revenue from AppSec
US and point to the local companies that stepped up to sponsor the event.
Most of them are Corporate sponsors at the foundation level that I was able
to connect with to generate sponsorship for the event.  Additionally, it was
the mailing lists created by the foundation and the blasts that generated a
good portion of the attendance for the conference. 

 

The conferences committee is debating an opportunity to essentially reward
the local chapter for their investment in time with the equivalent of 2 or 3
corporate membership splits as funds to continue the efforts in that region.
One of the proposals on the table is to use the remaining split of the
profits to assist other, smaller, newer chapters who otherwise would not
have the funds to secure a venue, print flyers, bring in speakers, or find
other ways to promote OWASP.

I am sorry if it seem like I'm being harsh on you.  I see OWASP from the
center and therefore very often try to find a compromise that benefits the
entire organization.

 

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org <http://www.owasp.org/>  

Skype:  Kate.hartmann1

 

From: global_conference_committee-bounces at lists.owasp.org
[mailto:global_conference_committee-bounces at lists.owasp.org] On Behalf Of
Tin Zaw
Sent: Tuesday, December 21, 2010 10:47 PM
To: Mark Bristow
Cc: global_chapter_committee at lists.owasp.org; Eoin; Lucas Ferreira;
Global_membership_committee at lists.owasp.org; global_conference_committee
Subject: Re: [Global_conference_committee] [Global_chapter_committee]
[Global_membership_committee] Conference/Chapter Revenue Splitting

 

Mark, you do not need to snip anything. I said it on the record and I stand
by it.

 

And I agree, OWASP's needs come first, hence 75% of the proceeds, and the
local chapter's needs come second, hence 25% of the proceeds. In this case,
the local chapters over-fund OWASP, not the other way around.

 

After such split, with OWASP being first, local chapters should have certain
freedom, within OWASP guidelines, on how they allocate their funds. They
should not feel guilty for it. In case it is not noticed, this is the core
of the matter here. 

 

As I mentioned for the Summit cost, I am willing to negotiate, and I believe
Kate and Dinis have made some good arguments on why spending chapter funds
for the Summit is a good idea.

We could go a long way if we all collaborate.

 

Cheers!

 

 

On Tue, Dec 21, 2010 at 6:52 PM, Mark Bristow <mark.bristow at owasp.org>
wrote:

This to me is a great example of why we should not over-fund chapters....

 

Some context, this chapter is proposing that, even tho they have ample funds
to send some of their leaders to the summit, that they split the cost 50/50
with the foundation even after Tom's call for "donations" to the summit fund
from local chapter funds.  Clearly the summit is a huge priority for OWASP,
however in the isolation of this chapter, it's not as important.

 

<snip>

As for local chapter funds, I have not been informed of, nor do I subscribe
to the notion that funds are to be used for next calendar year. Our plans
for chapter funds are for 2011 and beyond, with recognition that we will not
be hosting AppSec -- and enjoy its proceeds -- anytime soon. Our current
plans include more local outreach, support for local university chapters,
and potential rental expenses for chapter meetings or mini-conferences when
we outgrow space. In addition, I plan to leave the chapter in a better
financial shape when I step down one day.

 

I hope my points are understandable. I also understand that OWASP plans to
bring as many people as possible, and if and when it comes down to financial
necessity, I am willing to negotiate other options.

</snip>

 

While I've snipped out the bits that identify the chapter, the message is
almost perfectly intact.  It's pretty clear to me that the foundation could
really use some of these funds currently, however the chapter disagrees and
therefore we have to hunt for funds elsewhere.

 

I agree it's a TON of work to organize a conference, I've done it directly 2
years in a row.  But the motivation for doing so should not be a financial
one and the needs of the foundation should always come first, because in the
end, it was an OWASP event, not a chapter one.

 

On Sun, Dec 19, 2010 at 2:58 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

The Samy tour is a great example of what happens when you remove from the
Chapters the responsibility to make the initial decision (and some of the
financial cost).

 

John's email below is spot on, when I talk about 'financial paralysis' and
the inability from our chapter leaders to spend (or ask) for money, that is
exactly what I'm talking about. If (in the curent model) John W. doesn't
feel confortable in asking for money, then who is?


Our current OWASP culture, doesn't promote a 'spending proactivity' of our
projects and chapter leaders. In fact, it is not even enough to say 'here is
money, we trust you, go and spend it' (as we see with the 30k allocated to
Projects, Committees and Chapters which has barely been used). 

 

I think that this is a reflection of the normal non-OWASP world where there
are always very strong controls on the use of financial resources.

 

Add to that a "I don't need the headache of having to justify why I need the
money" to a "If I'm doing this for OWASP and I have the track record, why
should I even have to justify it" to a "I really like OWASP and don't want
to spend the resources badly"  to a "What are the rules for engagement if it
doesn't work out as well as I would like it to?" you have a perfect storm
for inaction

Dinis Cruz

 

On 17 December 2010 12:21, John Wilander <john.wilander at owasp.org> wrote:

Gosh, some heavy emailing going on here.

 

Just a short one to answer Mark's request for examples of chapters being
denies funding.

 

I think this is not a case of chapters asking for money and being denied. No
such examples to my knowledge. I think the case is "we have no money so we
don't do X and Y". Chapters don't feel empowered or comfortable to write an
email to Mark or Kate and ask for $. Instead they strive in mediocracy and
skip doing better events.

 

In concrete terms ... Samy Kamkar's talks at several European chapters were
a huge success. But they were not initiated by empowered chapters. It was a
central OWASP initiative with a central funding solution in place. Now OWASP
Sweden wants to pursue this path and invite Mario Heiderich, Gareth Heyes,
Dinis Cruz etc. Great! But have we written an email to Mark yet? No. Not
even I, being a member of the GCC, feel comfortable asking for the
foundation's money to run a local event.

 

In this case OWASP Sweden actually has money. Why? Because we got a share of
the revenue from OWASP AppSec in Stockholm. So we're going to fly Mario
Heiderich in and build upon the success with Samy. We already have more than
500 members and we asked them what we should use the chapter's money for.
Answer: More international experts giving talks and tutorials. This is what
the chapter members want.

(Of course we will try to find sponsors to lower the chapter's costs and we
will try to cooperate with OWASP Finland and Norway so we can share travel
costs.)

 

   Regards, John

 

 

2010/12/16 L. Gustavo C. Barbato <lgbarbato at owasp.org>

 


I also defend the idea of collaboration between chapters in order to achieve
great conferences results - when I say collaboration I do mean collaborate
<http://dictionary.reference.com/browse/collaborate>  (to work, one with
another; cooperate, as on a literary work), in other words, without having
profits in mind. 

However, aiming to compensate the collaboration on conferences and have a
fair support of OWASP, I do defend the idea of having conferences in
different cities yearly according to local chapters locations. Nevertheless,
we can't forget the hard work necessary of local chapters to host a
conference -- I know that because after the AppSec Brazil 2010 (last month),
I don't stop thinking and working on AppSec 2011 -- it's already being
time-consuming.

L. Gustavo C. Barbato, Ph.D.
Chapter Leader, OWASP Porto Alegre / Brazil 
Global Chapter Committee Member
http://www.owasp.org/index.php/User:Gustavo_Barbato 


On 12/15/2010 12:29 PM, Mark Bristow wrote: 

Comments forwarded on Lucas's behalf (he's on vacation and can't send as the
right user.....) 

 

=======

I don't like the idea of having one chapter getting so more funds then
others. For AppSec Brasil, we will have people from multiple chapters
involved and it would not be nice to have one chapter getting all the
money. Having to decide a split amongst chapters would need energy
that could be better used somewhere else.

In principle, I don't like the idea of having chapters "fighting" for
money, and we may have this in the future if the chapter split is too
high. I'm afraid collaboration may decrease in the long run. On the
oher hand, I'd like to see a solution that increases the involvement
of chapter leader in our conferences, specially to have people from
different chpaters to collaborate in conference teams.

I think that having many chapters with some money is better than
having a few chapters with a lot of money. I think we should invest
more in getting more active chapters than making a few chapters more
active.

The fund idea seams a good solution to me.

Regards,

Lucas

On Tue, Dec 14, 2010 at 7:19 PM, Neil Matatall <neil at owasp.org> wrote:

Well this thread has become epic and unfortunately I haven't been able
to catch all of the ideas.  I really hope I can catch up, but why
don't we have a conference call or discuss this at the summit (those
not in attendance will have to be accommodated somehow)?

Times like these make me wish my phone has an "threaded" email view :(


On Tue, Dec 14, 2010 at 12:13 PM, Jason Li <jason.li at owasp.org> wrote:
> So taking Michael's suggestion of starting fresh, I've cleared the long
> quote of the thread.
> As an observer to the thread, I'm going to capture what I think has been
> mentioned so far on the thread.
>
> And then I'll weigh in with my humble opinion, keeping in mind that I am
not
> involved in the Conferences Committee, Membership Committee, Chapter
> Committee, or the Board (in other words, I'm a nobody in this conversation
> :)).
> ----
> Summary of Problem:
> Where does Conference revenue go?
> Points of Concern:
> 1) Conferences are put on with the assistance of local chapters and
> coordination/support from the OWASP mothership
> 2) We want a way to reward local chapters for their help with
> running/coordinating a conference
> 3) We want conference attendees the option to get OWASP Memberships
bundled
> in with the conference
> 4) Chapters need money to do things
> -------
> Now with that out of the way, my personal thoughts:
> #4 is completely independent of Conference revenue. There are lots of
other
> OWASP sectors that also need money to do things (Projects and Summits for
> example). If there is a need for Chapters to do something, then this
should
> be allocated out of the main OWASP mothership budget and not out of
> Conference revenue.
> In my view, conference revenue should go to one of three places:
> 1) OWASP Mothership fund (where the Board can then re-allocate as needed
to
> support Chapters or other initiatives as appropriate)
> 2) Local Chapter(s) supporting the conference (in order to recognize their
> support)
> 3) Conferences fund managed by the Conferences Committee
> I'm not even sure if #3 is really necessary as that could also fall under
> #1.
> The only real debate is what proportion of the revenue should go into
which
> bucket. That's where I believe this debate originally started. All this
> other talk about chapter needs and a chapter fund has clouded the
> discussion.
> -Jason

> _______________________________________________
> Global_conference_committee mailing list
> Global_conference_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>
>



--

--

Neil




-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org

 
_______________________________________________
Global_chapter_committee mailing list
Global_chapter_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_chapter_committee


_______________________________________________
Global_conference_committee mailing list
Global_conference_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_conference_committee




-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com

Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011

Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee

 


_______________________________________________
Global_conference_committee mailing list
Global_conference_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_conference_committee

 


_______________________________________________
Global_conference_committee mailing list
Global_conference_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_conference_committee




-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org


_______________________________________________
Global_chapter_committee mailing list
Global_chapter_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_chapter_committee




-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw


_______________________________________________
Global_conference_committee mailing list
Global_conference_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_conference_committee




-- 
Richard Greenberg, CISSP
Board of Directors, OWASP Los Angeles, www.owaspla.org
<http://www.appsecusa.org/> 
Board of Directors, ISSA Los Angeles, www.issa-la.org
<http://www.appsecusa.org/> 
OWASP Global Conference Committee
LinkedIn:  http://www.linkedin.com/in/richardagreenberg


  <sacore:empty.gif> 



 

 

  <sacore:empty.gif> 


	

 


  <sacore:empty.gif> 

 

  <sacore:empty.gif> 

 

 

 

  <sacore:empty.gif> 

  <sacore:empty.gif> 



  <sacore:empty.gif> 


  <sacore:empty.gif> 


  <sacore:empty.gif> 


  


  

	

  <sacore:empty.gif> 

  <sacore:empty.gif> 


  <sacore:empty.gif> 



  <sacore:empty.gif> 

  <sacore:empty.gif> 


  <sacore:empty.gif> 

  <sacore:empty.gif> 


  <sacore:empty.gif> 

  <sacore:empty.gif> 

	
  <sacore:empty.gif> 

	

  <sacore:empty.gif> 

  <sacore:empty.gif> 


  <sacore:empty.gif> 

  <sacore:empty.gif> 


  <sacore:empty.gif> 

  <sacore:empty.gif> 

	
  <sacore:empty.gif> 


  <sacore:empty.gif> 


  <sacore:empty.gif> 

  <sacore:empty.gif> 



  <sacore:empty.gif> 

  <sacore:empty.gif> 

  <sacore:empty.gif> 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20101222/5a495481/attachment-0002.html>


More information about the Owasp-board mailing list