[Owasp-board] Fwd: [IMPORTANT] GCC Discussion - New direction from the board

Mark Bristow mark.bristow at owasp.org
Thu Feb 23 17:43:54 UTC 2012


Josh and Michael,

Just FYI, I'm starting a discussion within the GCC (but on our public list)
to meet the direction you prescribed and start formulating new policies.
I just wanted to give you all a preview of that conversation and welcome
you to join in!  (Please don't reply here; reply to the main thread on the
GCC list so as not to have the same conversation in two places.)

Josh,

You are of course welcome to join in as well and immediately if you'd like,
but I'd like the GCC to have a day or two before our two committees
"officially" engage, just to give my people some time to formulate
thoughts/opinions.  Perhaps we should set up a call next week between the
two committees to get the ball rolling.  Also, I look at many of these
requirements as for the chapters committee to deal with alone.  If you'd
like conferences input on that too, we'd welcome the invitation to
participate.

Regards,
-Mark
---------- Forwarded message ----------
From: Mark Bristow <mark.bristow at owasp.org>
Date: Thu, Feb 23, 2012 at 12:39 PM
Subject: [IMPORTANT] GCC Discussion - New direction from the board
To: global_conference_committee <global_conference_committee at lists.owasp.org>
Cc: conference at owasp.org


GCC,

As you can see from the message the board set out last night they have
requested that we re-examine some of our policies regarding events.  Most
of the items the board set forth are really chapters issues but I'd like to
kick off a discussion about how the Conferences Committee wants to address
these issues.  The below are just my opinions on how to meet these needs
and are designed to be the starting point for the discussions, not the end.
I hope to get varied and passionate participation from all.

               • We would like a dedicated committee with continual and significant
control over the core OWASP global events (i.e. conference committee)
So I'm starting with this recommendation because it will help frame my
thoughts for the other discussions.  The way I read this, the Board would
like us to be more involved with the actual planning of the Global AppSec
Conferences, hence their usage of "continual and significant control".  In
the past we have really left the local planning team a TON of flexibility
in running and conducting these events, and for the most part provided only
an advisory/supportive role, but it looks like the board would like us to
be more directly involved.  So I propose we update our event definitions to
the following:

The Global Conferences Committee is responsible for coordinating all
non-Chapter meeting events which will fall into one of the following
categories based on scope:

   - OWASP Global AppSec Conference - These events are directly planned
   and managed by the Global Conferences Committee with the support of a local
   chapter planning team.  There are four Global AppSec Conferences per year,
   one each in North America, Latin America, Asia-Pacific and Europe.
   - OWASP AppSec Conferences - These events are planned primarily by
   local planning teams with significant support from the Global Conferences
   Committee and OWASP Staff.  These events have multiple tracks of talks over
   multiple days of conference and include training.  These events also
   represent significant investment for the foundation and include all events
   in excess of $50,000 in anticipated expenditures that are not global
   AppSecs.  AppSec events must charge a fee.
   - OWASP Regional Events - These events are planned primarily by local
   planning teams with support from the Global Conferences Committee and OWASP
   Staff.  These events have multiple tracks of talks over multiple days of
   conference and include training.  These events are a more moderate
   financial risk for the foundation and include events in excess of $10,000
   in anticipated expenditures.  Regional events must charge a fee.
   - OWASP Large Local Events - Single day events planned primarily by
   the local chapter/planning team with limited support from the
   foundation and anticipated expenditures under $10,000.  These events may
   or may not charge fees.
   - OWASP Small Local Events - Single day events planned exclusively by
   the local chapter/planning team with limited support from the
   foundation and anticipated expenditures under $1000.  These events may or
   may not charge fees.
   - Training Events - These are events at which there are no plenary
   sessions/talks; however, OWASP is either providing or orchestrating training
   sessions.  These may be free or for-fee training.  These events are
   primarily managed by the Global Education Committee and are included here
   for reference; the Global Conferences Committee is only responsible for
   coordinating the scheduling of these events and providing logistical
   support/experience as needed.
   - Chapter Meetings - These free events are not managed by the Global
   Conferences Committee and are only included here for reference.  For
   details please see the Global Chapters Committee and the Chapter Handbook.

So a couple of things here.  As Josh has pointed out before, we need to
clearly define which "services" are included in the various event types that
the GCC will provide.  Some will be common (accounting, regonline,
inclusion in marketing...) and some will only apply to one or two event
types.  Also, with the exception of Training Events (clearly Education
Committee) and Chapter Meetings (clearly Chapters Committee), I think we
should do away with the confusing committee responsibility splits, as the
principal objection (the profit sharing policy) is also going to be changed,
and it really confuses event planners as it's not clear who the "go to"
people are with event issues/concerns/questions.  Speaking of the
profit sharing policy...

               • We would like to see chapter empowerment through a profit
sharing model that is in line with our core value of Innovation
               • We have concerns over the use of profit caps on gains from
specific events

Based on this, the board would like us to revisit our profit sharing policy
and ditch the caps (I know some of you will be happy, and some very upset
over this new direction, but let's look past this and just see if we can
develop a no-cap policy that still addresses the issues of the cap
proponents).  The foundation needs a certain level of income from events in
order to meet our large scale goals; chapters need funds to conduct local
operations.  While the chapter level goals are hard to plan, the foundation
needs are not (in fact we already do this by setting GCC revenue targets in
our GCC goals every year).  Over the last year I've done a lot of thinking
on this policy and want to put forward this proposal as a discussion point
(based on the new event titles/definitions, hence why I did them first).

   - Global AppSec Conferences - 100% of the profit is retained by the
   foundation
   - AppSec Conference - 10% split of the profits will go to the chapter
   until the event profit target is met, after which profits will be split
   equally at 50/50.
   - Regional Events - 20% split of the profits will go to the chapter
   until the event profit target is met, after which profits will be split
   equally at 50/50.
   - Large Local Events - Profits are split 50/50
   - Small Local Events - Chapters retain 100% of event profit
   - Training Events - Not sure what a good answer is here as we really
   don't hold these often.  50/50?
   - Losses - The OWASP Foundation will accept all losses for approved
   events that comply with Global Conferences Committee budgetary policies
   (yeah, we need to write these too; basically you'll have to submit budgets
   with x frequency for AppSec, Regional and Large Local)

So in this system there are no caps.  However, the GCC will set a profit
target for AppSec and Regional events as determined by the needs of the
overall foundation budget.  As an example, let's say that AppSec DC (which
would now be classified as an AppSec Event as it's large but not a marquee
event) might get a profit target of $50,000 USD (a reasonable target based
on past performance/foundation needs for this income).  Let's say AppSec DC
makes $75,000.  So from $0 - $50,000 the chapter would earn at 10% of
revenue and get $5,000.  However, since AppSec DC made $75,000, the next $25k
would be split 50/50 with the foundation, with the chapter receiving a total
of $17,500 and $57,500 for the foundation.  This enables the foundation to
plan their income from these large investments, and events that don't hit
their targets still get money for the chapter.  However, it incentivizes
planners to exceed the target profits so they get into the "high" split
zones and as a result benefit.  This is similar to how sales people are
compensated in the US.  They earn "good" money until they hit the quota
(what the organization needs them to get), then if they surpass
expectations they are rewarded handsomely.  Personally I think this is a
good balance.  I'm sure someone will disagree strongly.

               • We recognize there could be concerns over conflicting
large chapter events and our core global conferences. Controls should be
added to prevent this conflict (perhaps CFP blackout periods in regions
within X months of a global event)

We should be using OCMS to its fullest capacity.  Currently we generally
approve events as they come up without really planning our events.  With
the GCC taking a more active role in Global AppSec Events (and in theory
being able to plan farther out) we can institute a month long "blackout"
window around the event for any AppSec, Regional, or Large Chapter events
to ensure the global AppSecs have the highest probability of success.

Regarding CFP announcements, it may be worthwhile to create a
CFP at owasp.org group that allows us to push out ALL CFPs to one
distribution channel.  That way if people want to get OWASP CFP
announcements, they can just join the group, and cancel their membership
if they aren't interested.  We could also then do monthly CFP pushes in
the newsletter and have a section for all CFPs on the website.  Related to
this, we need to find a single platform to use for all OWASP CFPs so we can
track who's presenting where more easily and use that data for
feedback/rating metrics.

               • Final policy and structure created by the committees
should ensure, as much as is possible, that there is no incentive for
chapters to form legal entities in their own countries.  Any such activity
has significant implications for the foundation and must be discussed and
coordinated with the Foundation Board.

This is already a requirement, but it needs to be called out more directly.
It should be made clear that ALL events process funds through the
foundation.  Perhaps sending an email on event approval to the accounting
staff and the planner outlining this message is needed.  Just a thought to
drive this message home.

       • Branding
               • Naming standard enforced for all events (e.g. OWASP X)
               • Logo standards that include OWASP on all logos, event
sites, collateral, etc

This is an easy one but looking at our policies we don't clearly spell out
event branding.  I think we can just turn these statements into
event policies, vote, and call it a day.

So I know this was a long email, but the board somewhat hit us with a tall
order on a number of fronts that necessitates several changes in how we do
business.  I think these can be some really positive changes and really "up
our game" at both the foundation and local levels.  These are just my
thoughts/opinions to get us started.  I'd like us to discuss for a day or
so just to take the temperature of how the committee feels about all of
this and then engage the chapters committee and get their thoughts (I'm
hoping Josh has initiated a similar conversation within chapters) so we can
meet the 45 day deadline.

All that said.  Questions/Comments/Clarifications/Rotten Tomatoes?

Regards,
-Mark

---------- Forwarded message ----------
From: Michael Coates <michael.coates at owasp.org>
Date: Wed, Feb 22, 2012 at 8:24 PM
Subject: LASCON Exception - Board Vote
To: Josh Sokol <josh.sokol at ni.com>, Mark Bristow <mark.bristow at owasp.org>
Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>,
global_chapter_committee at lists.owasp.org,
global_conference_committee at lists.owasp.org, Sarah Baso <sarah.baso at owasp.org>,
Kate Hartmann <kate.hartmann at owasp.org>


We wanted to thank everyone for the open, honest, and respectful discussion
of the LASCON exception issue.  The board has considered the information
provided by all parties as well as the principles and mission of OWASP.
After discussion and deliberation we've reached the following decision:


The OWASP Board has voted to approve the following:
=
Approve LASCON Exception per current chapter & committee rules with the
recommendation that LASCON considers the objectives provided by the Board
for the new policy. Further, this is the second and final exception for
LASCON.

The updated chapter/conference policy must be approved within 45 days or
LASCON exception is revoked.
=


Recommendations for the New Policy

The OWASP board would like the conferences and chapters committees to work
together to jointly draft and approve an update to the policies governing
chapters and conference events. We appreciate all the hard work that the
committees have put forth to grow our chapters and conferences to their
current state.  We've accomplished some great things, and this is another
situation where we have to review and adjust as a result of our continued
growth and success as an organization (a good problem to have).

As global committee members you are in the best place to determine the
specifics of this policy; however, we would like to set an overall
direction that will be worked towards and we’ve outlined the following
objectives that should be considered for the updated chapter and conference
policies.


We encourage the committees to review these guiding objectives and work to
build a structure that will encourage the growth of OWASP and our mission.

       • Guiding Objectives
               • We would like to see chapter empowerment through a profit
sharing model that is in line with our core value of Innovation
               • We have concerns over the use of profit caps on gains from
specific events
               • We would like some sort of annual review, requirements, or
rules to address the issue of stale chapter funds in excessive amounts
               • We would like some periodic recap on funds spent by
chapters to help ensure funds are appointed on items aligned with the
“OWASP Mission”.
               • We recognize there could be concerns over conflicting
large chapter events and our core global conferences. Controls should be
added to prevent this conflict (perhaps CFP blackout periods in regions
within X months of a global event)
               • We would like a dedicated committee with continual and
significant control over the core OWASP global events (i.e. conference
committee)
               • Foundation has resources that can be or are being provided to
local chapter events, but we need these costs to be accounted for in the
chapter's event planning
               • Controls are needed to prevent chapters from
over-committing on financial costs
               • Final policy and structure created by the committees
should ensure, as much as is possible, that there is no incentive for
chapters to form legal entities in their own countries.  Any such activity
has significant implications for the foundation and must be discussed and
coordinated  with the Foundation Board.
       • Infrastructure
               • Chapters must use established technology methods (such as
regonline) any time money is handled
               • CFPs need to use established OWASP procedures
               • A single “source of truth” is needed for all events so
that OWASP employees can best assist all events.  These include events
under either committee’s purview.
       • Branding
               • Naming standard enforced for all events (e.g. OWASP X)
               • Logo standards that include OWASP on all logos, event
sites, collateral, etc


Thanks for the significant efforts that have been made thus far and we look
forward to the updated policy/policies that can take OWASP and our growing
member and chapter base to the next level.


Lastly, Kate will update the official vote record to reflect our vote and
capture the above guiding objectives on the wiki.
-The OWASP Board

Michael Coates
michael.coates at owasp.org
-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org




