[Owasp-board] Removal of Regional/Local event oversight from Conferences Committee

Jeff Williams jeff.williams at owasp.org
Mon Jun 20 20:13:48 UTC 2011

Hi Mark,


Congrats on the newborn - I understand those things can be time consuming :)


I support the board's decision today because we want the Global Chapters
Committee to grow into supporting the needs of chapters that want to put on
local events.  I think there's a good argument that these events *are*
different than global events, and have different support needs.


We want the Global Conferences Committee to focus on large-scale
international events - can you support an AppSec for every development
platform?  On every continent?  With thousands of attendees?  How about new
kinds of events - open-space conferences, more OWASP Summits, training
events, college events, etc. There are 15 million developers in the world
and we are only reaching a few hundred of them today.  You've done a great
job with our existing style of conference.  Can you take it to the next


I think you're exactly right that over time we will have to work out which
are "Global" events and "Local" events. To me, the decision should be made
by the folks organizing the conference - in collaboration with folks on both
the Chapters and Conferences committees.  I hope that they'll get different
support and the event will come out differently.


I'd like to make it perfectly clear that this vote wasn't a referendum on
the performance of the Global Conferences Committee by any means.  You and
your team have done a great job of establishing infrastructure and managing
all sorts of events.  The financial information you provided was greatly
appreciated and is a perfect example of the work you've done.


Thank you for all your hard work!





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Mark Bristow
Sent: Monday, June 20, 2011 2:50 PM
To: OWASP Foundation Board List
Cc: owasp-global-chapter-committee; global_conference_committee;
owasp-leaders at lists.owasp.org
Subject: [Owasp-board] Removal of Regional/Local event oversight from
Conferences Committee


OWASP Board,

I apologize for not being able to make the meeting today but having a
newborn at home simply had to take priority.  After reviewing the meeting
TAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B>  I was very sorry to see
that you decided to take up this very important topic without my
participation despite my request not to do so, I had made arrangements to
attend the original meeting on June 6th but unfortunately the board
postponed and I could not attend today.   I was very troubled to see the
results of your decision to "Move local and regional events from umbrella of
conferences committee to chapters committee, effective July 31, 2011"
supported by "Tom, Seba, Eoin, Jeff, Dave" and frankly am somewhat
bewildered at this change.  

Over the past 2 years under the Conferences Committee's leadership, we've
seen OWASP grow from having one, perhaps two global events each year to
having a Global AppSec Conference in North America, South America, Europe
and Asia every year in addition to increasing the number of regional and
local events we participate in worldwide. In the last year the GCC has
instituted clear, concise policies to govern events that were previously in
a state of disarray causing significant internal conflict, developed a
system for managing events automatically as well as streamline the event
management process, and launched a new Global Sponsorship initiative to help
OWASP better attract sponsors to events.   We have instituted new programs
to better support events, streamline processes for getting promotional
merchandise and booth support to non-OWASP events, attempted to streamline
the contracting process and purchased common equipment to save OWASP money
in running events.  The committee has grown from 3 to 11 members, and hired
part time operations support giving us the additional bandwidth and support
we need to get all of these done and done well.  While we are not perfect
I'd argue you'd be hard pressed to find a more ambitious and successful
global committee at OWASP.  

I don't know if this was discussed but it's not clear to me that the board
has a full understanding of the financial implications that this change may
reflect for OWASP.  Last year conference income accounted for 77% of OWASP's
annual income and brought in a total profit of $240,399.71 (up 151% from
2009 under the conferences committee's oversight).  Regional and local event
income totaled $295,845.52 representing 40% of OWASP's conference income.
Moving these responsibilities to an untested committee who is not focused on
or experienced in running events could put OWASP in significant financial
jeopardy.  To give you some perspective the regional and local event income
is 149% more than the $198,620.74 that the foundation spent on the Summit
last year.  Despite these operational, support and financial successes, it's
unfortunate that the board has obviously lost confidence in our ability to
manage OWASP Events, by reducing our oversight, as was defined in our
recently re-approved (by the board) mission statement

I will not pretend that there are not some areas where the Conferences
Committee needs to improve. I agree with the sentiment that we do not
clearly define the differences between the "type" of event or level of support
between Global AppSec, Regional and Local events. We also need to continue
our work of spreading out the OWASP Global Event Calendar as we are still
very heavy in the second part of the year. I will also admit that not every
decision the Global Conferences Committee has made has been popular however
sometimes unpopular or difficult decisions need to be made for the greater
good, this is why the committees exist. I will say that all of the decisions
made by the conferences committee have been conducted in the most open and
democratic way possible. We conduct almost all of our business on the
mailing list for all to see and contribute and we vote on almost every
decision so that those who have been validated by their peers to serve on
the committee can have their say in the process. The conferences committee
was even the first to develop a self governance document which was adopted
in part or in whole by several of the other committees, including chapters.
Considering the massive responsibility placed on the conferences committee
in both leading the outreach effort and in ensuring the foundation has
sufficient operating income to continue its existence, I'd say the Global
Conferences Committee is doing a great job and don't see the reason or
rationale for making any move that would obstruct them from continuing to do
great work on behalf of OWASP. 

I will concede however that if the board feels that local events, involving
only 1 or 2 chapters or under a certain size, would be better served under
the responsibility of the Chapters Committee, I would understand that.  To
support these smaller events we mostly provide foundation funds, guidance
when asked and leave the vast majority of the planning to the local team,
something that the Chapters Committee could take on.  Additionally these
events have a less significant impact to the foundation as a whole and in
general do not generate significant income (last year they represented 0.88%
or $2065.07 of total event income, many local events don't charge and we
think that's GREAT!). However, the Conferences Committee has the experts for
running larger events such as Regional (such as AppSec DC and LASCON, which
can have hundreds of attendees) and Global AppSec events and I'm not sure I
see the wisdom or logic in moving their oversight, especially for Regional
events, to a committee who is not focused on events and does not have the
expertise in this area. 

I have a suspicious feeling that this initiative is really a different venue
for a small number of individuals who object to one and only one of the GCC
policies on profit sharing (see
for some hard facts on that issue) what was voted on by the GCC
Cv-QgnFAGq_zj510/edit?hl=en_US>  and ratified by the board
<https://www.owasp.org/index.php/Minutes_March_8,_2011> .  If so, then this
entire issue should be dropped and those individuals should challenge the
policy not the committee that oversees events.  The committees are there to
make tough decisions and this decision was based on significant community
input, conducted in a fair and open manner, and was set specifically to allow
the most OWASP outreach possible, be fiscally responsible for OWASP as a
whole and eliminate the creation of rich/poor OWASP chapters.  Opponents of
the policy suggest a system that last year would have allocated an
additional $35,976 to only 2 chapters leaving almost every other chapter

Again I apologize for not being able to make the meeting, however if someone
could outline the board's rationale for this decision I would certainly
appreciate it.


Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org
