[Owasp-board] Profit Sharing Discussion

Tom Brennan tomb at owasp.org
Tue Nov 20 03:07:03 UTC 2012


This needs to go for comment to 200+ chapters. Especially chapters that would be leveraged for international locations around the world for AppSec events. Since the recent announcement neutering committees the only active volunteers are the chapters that need to have a clear understanding of this shift.

As a chapter leader we will see this year how appsec2013 works out now that we have a employee based primary team with local volunteer support. 

The first call it upcoming 

If anyone else wants to roll up sleeves the action/planning calls are ongoing see; http://www.meetup.com/OWASP-NYC/events/86936002/

I prefer a flat % 75/25 after expenditures and no caps - chapters earning should have simple split not complex that does not translate well or allow the system to be gamed rather quickly.

As far as our chapter is concerned we need to generate 25k from appsecUSA or its not worth the effort.

Tom Brennan
973-202-0122


On Nov 19, 2012, at 9:45 PM, Michael Coates <michael.coates at owasp.org> wrote:

> Board,
> 
> Any other thoughts on the proposed model?  The feedback is all positive with a few wording clarifications.  The bigger picture issue that Sarah has mentioned is also a good item to consider.
> 
> Regarding the profit sharing proposal, I don't see any major concerns either.  This item will be up for vote during our next meeting. Please make sure to familiarize yourself with the details.  I'd like to get any concerns out for discussion now so we can dig into these ideas before the next board meeting.
> 
> 
> 
> Sarah - thanks for the financial analysis and thoughts. Very helpful.
> 
> 
> 
> 
> --
> Michael Coates | OWASP | @_mwc
> michael-coates.blogspot.com
> 
> 
> 
> On Wed, Nov 14, 2012 at 10:09 AM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> Board Members -
>> 
>> My thoughts on the new proposed policy and long term success of the Foundation and Global AppSec "brand":
>> 
>> Overall - I think the new policy is ok, as currently drafted. 
>> I would recommend a modification similar to what Josh and Dave discussed in their comments.  "2.  All other events not classified as one of the Global AppSec Events will realize a 10/90 revenue split (Foundation/chapter) up to $5,000 USD.  Any profits above the $5K will recognize the standard 60/40 split. (Foundation/Chapter)." 
>>              For larger chapters that want to run a local or regional event on a yearly basis, we should have an avenue for them to recognize a larger profit. Also, they are doing all (or  
>>              most of) the work then they should be able to get most of the profits.  I would say that a chapter can request up to an additional $5000 by submitting both a chapter budget 
>>             and event budget to be approved by staff.
>> 
>> 
>> 
>> Bigger picture issues:
>> 
>> As we look at the need for the Global AppSecs to serve as major fundraisers to support the other goals/initiatives of the foundation - I think we need to consider the possibility of a different approach to the model.  Many of the issues with the funding & conference planning model(s) that have been used in the past and proposed for the future surround the dichotomy that 1) we need a model that will raise money for the foundation and support our GLOBAL initiatives (i.e. Money generated from AppSec USA supports outreach in APAC, Latam, and Europe), 2) chapters/volunteers want proper control, recognition and "funds" for their input and efforts in creating and driving the conference.
>> 
>> A few  examples:
>> Profit distribution: What portion of the profits should a chapter get that raises almost $150,000 for the foundation and has MANY volunteers dedicating their nights and weekends for months to make a successful event?  How should the profits differ for  another chapter that only has 2 volunteers that contribute all of their time, but only raise $5000 for the foundation?  What about a third scenario where there is virtually no help from the local chapter and the event raises $10,000 due to contributions of a global volunteer base and OWASP Staff efforts?
>> Content: How do we build a professional call for papers or call for training system that gives local volunteers the control and input they want but also accommodates regional needs (Standard conference vs. Research driven conference), building the OWASP Brand (promoting OWASP Projects), and maintains a professional selection process that is communicated to the larger community and pool of applicants? 
>> Sponsorships: While moving locations from year to year brings in a new crowd of attendees local to that area, this also comes with many "unknowns" for sponsors.  What will the vendor space look like, what will the sponsor's availability to attendees be, how will their sales team generate leads?  From the perspective of building relationships with the sponsors and giving them a consistent expectation from year to year - it would be best for us to be able to lay out specifications/guidelines for the global event planners (and clearly outline to the sponsors what they can expect for their money).  This sometimes runs in conflict with what the local event planners think would be best for their individual event.
>> 
>> A suggestion for 2014 that Kate and I have discussed is to move the the Global AppSecs to a static location from year to year. In this model, the employees would work with a team of volunteers (not necessarily local) to plan an implement the conference. The model would change from one that is trying to make money for one chapter and control of the decisions for that chapter to one that is more global.  I think creating an event template with many re-usable parts (not to mention service providers - venue, catering, AV, etc) would be much easier and allow us to focus on things like content and the OWASP message rather than logistics.   Additionally, I think this type of model is more sustainable and scale-able for long term growth for our brand and fundraising objectives.  
>> 
>> A static location would also allow for more planning in advance.  Right now we do the call for conferences a year out. The idea that these events (especially as they grow in size) should start planning more than a year in advance has come up a few different times on conference committee calls and discussions.  The problem remains that the submissions/location proposals are driven by local chapter leaders (ideally teams), and planning a global app sec is a large investment in time an energy.  Many people would probably argue "too large" which is one of the reasons we don't get more proposals in our call for locations.  To ask conference planners to submit even more in advance is often difficult as they don't know their schedule or where there life will be that far in advance.  Once again, having static locations and planning process that is more centralized will help overcome these obstacles.
>> 
>> If others are in support of considering this new static location model, there are certainly a lot of details to work out including: where will these static locations be, how do we solicit and reward volunteers (especially if we aren't allowing the chapter in the static location to reap profits), etc.
>> 
>> I certainly don't think this is the ONLY option for us, but it is something to consider as our events and organizational needs continue to grow. I wasn't "sold" on this idea initially, but the more I think about it, the more it seems like plausible option for us.  Consider that as we are able to do more fundraising centrally, we also can empower local/regional event planners to focus on outreach rather than income... which also supports our community and the mission.
>> 
>> 
>> Looking forward to hearing thoughts and input on this new model.
>> 
>> Regards,
>> Sarah Baso
>> 
>> 
>> 
>> 
>> 
>> On Wed, Nov 14, 2012 at 9:11 AM, Sarah Baso <sarah.baso at owasp.org> wrote:
>>> Michael et al -
>>> 
>>> First for reference, here is the current policy in place:
>>> 
>>> Local host chapters will share in OWASP event profits under the following schedule. In the case of multiple host chapters, the host chapters will be responsible for determining the division before the event.
>>> Global AppSec Conference - 25% of event profits with a $5,000 USD cap ($10,000 for multi-chapter events)
>>> Regional/Theme Events - 30% of event profits with a $4,000 USD cap
>>> Local Events - 50% of profits with a $3000 USD cap
>>> 
>>> 
>>> Budgeting Implications
>>> Under the new plan, there is a opportunity for the local chapter to earn much more than that listed below if they surpass the profit target, but just using the profit target as a guideline... here are the numbers....
>>> 
>>> <image.png>
>>> 
>>> 
>>> Comments from Conferences Committee Call & Mailing List Thread
>>> From July 18, 2012 Conference Committee Call:
>>> 
>>> Request for Comment: proposed policy for profit sharing and financial oversight of future OWASP events:  https://docs.google.com/a/owasp.org/document/d/159bD2oeAmM2yfPNeq5wHvIvHcl10Hl-c3Um2GXAW81Y/edit 
>>> 
>>> The Board intends to finalize this policy at their next meeting (scheduled for August 13, 2012), and have requested that you submit any comments, questions, or concerns for their consideration by that time.
>>> 
>>> “Any amount above the profit target will be allocated 60/40 to the local chapter.” Need to clarify that 60 is to Foundation and  40 is to local chapter.
>>> Should we have different policies for different areas of the world to reflect the different culture/mindset in different areas (US, Europe, etc.)
>>> No perspective on how we continuously evolve and better the Global AppSec Conference in that region next year.  For instance, how can we use the profits from AppSec EU research this year to benefit AppSec EU (and the European region) next year.
>>> Current policy is focused 2 things: on local chapter and foundation as a whole.  However there are other considerations such as regional development/outreach.
>>> Are we adjusting the policy to only accommodate needs in the US, but not the rest of the world?
>>> This policy also doesn’t take into account any corporate supporters/membership dues that come in during a conference.
>>> What are chapters doing with their conference proceeds? What is their motivation for keeping a “stock pile” in their chapter accounts?
>>> Ralph - “The current proposed model is great!”
>>> 
>>> Email Request to Conference Committee mailing list
>>> Response from Josh Sokol
>>> 1. The point about when the profit target is determined is unclear.  Does
>>> this mean for the US event that we are determining the target after the
>>> event has taken place or is this for the next year's event?  Why are we
>>> using the US event to determine the timing for other events.  IMHO, we
>>> should be able to set the profit target for the following year's event
>>> within 60 days of the completion of the current year's event.
>>> 
>>> 2. I am fine with the percentage splits here, but do not agree with the
>>> $5,000 value at which they happen.  This is more than enough for a smaller
>>> chapter holding an event, but for a larger chapter, such as my Austin
>>> chapter, our event would have to profit $18,750 in order for us to raise
>>> our annual budget of roughly $10,000.  In other words, this $5,000 number
>>> does not allow us to scale profit splits well as chapter sizes grow.  My
>>> suggestion would be to make $5,000 the base number here UNLESS a chapter
>>> running an event has submitted a budget showing annual expenses greater
>>> than that amount, in which case they are allowed up to that amount at the
>>> 10/90 split.  A subtle change, but one which I believe is necessary in
>>> order for this policy to scale appropriately.
>>> 
>>> 3. I agree that the Chapters committee should be responsible for monitoring
>>> chapter accounts, budgets, and expenses as necessary.
>>> 
>>> 4. I agree that the Chapters committee will need to establish new
>>> guidelines similar to those of the Conferences committee for local and
>>> regional events held by the chapters.
>>> Response from Mark Bristow
>>> I agree with josh on #1.  The profit targets should be set in outyear
>>> budget planning with it locked in at the beginning of each OWASP FY.  The
>>> mechanics of this as proposed are a bit odd.  My only point is that the
>>> targets should be set BEFORE the CFP goes out so applicants have clear
>>> expectations set.
>>> 
>>> Otherwise I'm personally fine with this as written.  I'm not in favor of
>>> Josh's proposed changes in #2.  As written this provides an avenue for
>>> chapters to raise significant funds from events while ensuring that the
>>> foundation also recovers it's capital investments/costs in a "chapters
>>> first" model.  IMO this is a good balance of the priorities.
>>> 
>>> Response from Dave Wichers
>>> 
>>> 
>>> 
>>> 
>>> 
>>> The target is done in advance, not after the event. We use the U.S. event as
>>> the date after which we figure out next year's targets because it is the
>>> biggest single revenue source for OWASP, so it affects the entire next
>>> year's budget in a significant way.
>>> 
>>>  
>>> 
>>> However, I could see that we could come with an estimate for each event
>>> right after the previous event, and then potentially adjust it right after
>>> OWASP AppSec USA, with the goal that it NOT be adjusted if possible. That
>>> way conference planning generally know almost a year in advance the revenue
>>> target primarily based on the revenue generated the previous year.
>>> 
>>>  
>>> 
>>> Regarding the $5K threshold, I think some potential for adjustment above $5K
>>> is reasonable to consider for the larger chapters. I might not agree to have
>>> the 10/90 go up to their entire target budget, because chapters raise
>>> revenue in other ways  too, like encouraging memberships, etc. And if they
>>> go way over their target, then the chapter could be significantly overfunded
>>> because they get 40% of the overage too. And we should also consider the
>>> amount of $ the chapter already has in their account as well. I.e., if you
>>> plan to spend $10K but have $5K already there, then maybe $5K is a more
>>> appropriate target. 
>>> 
>>>  
>>> 
>>> The good news, from your reply is that you seem to be OK with the entire
>>> policy except for this one specific point, which I think is BIG progress.
>>> Hopefully others feel similar so we are approaching closure on this.
>>> 
>>>  
>>> 
>>> Thanks for reviewing this.
>>> 
>>> Again from Josh Sokol
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Sure there are other ways to raise revenue, but that's not really the
>>> point.  The point is that a chapter should be able to raise the operational
>>> funds it needs via whichever method it desires.  Membership revenue is
>>> limited and will in all likelihood not make up that gap.  And not every
>>> chapter is fortunate to be able to land a big company to sponsor them.
>>> Also, chapters having a little bit more money than they need is not
>>> necessarily a bad thing and is a reward for running a successful event.
>>> Having some extra funds available also breeds innovation.  As an example,
>>> it's having extra funds that got the Austin Chapter to start doing these
>>> monthly webinars as part of our meetings and that translates directly to a
>>> wider reach for the OWASP organization.  Perhaps the compromise here is to
>>> take the chapters annual budget minus the money currently in the chapters
>>> account?
>>> From Tin Zaw
>>> First of all, thank you for all who worked on this draft proposal. I
>>> think we are getting somewhere with this.
>>> 
>>> Secondly, thank you Sarah for kindly attaching the document for those
>>> of us who cannot access Google Docs (at work).
>>> 
>>> 1. I understand Dave's explanation. I would suggest we make it clear
>>> that such number is communicated well in above so that event planners
>>> (the host chapter) know what they need to deliver, preferably before
>>> submitting a proposal.
>>> 
>>> 2. I am OK with $5000 limit before 60/40 split kicks in, assuming that
>>> $5000 is the profit that goes to the chapter under 10/90. I would like
>>> to see it states explicitly that $5000 is the profit portion for the
>>> chapter, not overall profit or income.
>>> 
>>> The rest, I agree.
>>> 
>>> Great job guys!
>>> 
>>> My comments/input... coming up next in a separate email.
>>> 
>>> 
>>> 
>>> 
>>> Regards,
>>> Sarah Baso
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Mon, Nov 12, 2012 at 1:19 PM, Michael Coates <michael.coates at owasp.org> wrote:
>>>> Board,
>>>> 
>>>> As a reminder from our public board meeting today (https://www.owasp.org/index.php/Nov_12,_2012), we're going to continue discussing the profit sharing proposal in this thread.  
>>>> 
>>>> I want to be sure we thoroughly consider edge cases (what about training?), overall messaging, the impacts of this policy (e.g. what kind of organization is this encouraging?) and simplicity (straightforward is better).
>>>> 
>>>> In addition we need to ensure we've properly considered the following:
>>>> 
>>>> 2013 Budgeting Impacts
>>>> Sarah's Anaylsis (being closely integrated with conferences)
>>>> Other Feedback from conference & chapters committees - I believe this was already solicited, just need to copy in the feedback.
>>>> 
>>>> Link to proposal:
>>>> https://docs.google.com/a/owasp.org/document/d/159bD2oeAmM2yfPNeq5wHvIvHcl10Hl-c3Um2GXAW81Y/edit
>>>> 
>>>>  
>>>> 
>>>> --
>>>> Michael Coates | OWASP | @_mwc
>>>> michael-coates.blogspot.com
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> 
>>> 
>>> 
>>> -- 
>>> Director
>>> OWASP Foundation
>>> 
>>> sarah.baso at owasp.org
>>> +1.312.869.2779
>> 
>> 
>> 
>> -- 
>> Director
>> OWASP Foundation
>> 
>> sarah.baso at owasp.org
>> +1.312.869.2779
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20121119/35bcb211/attachment-0001.html>


More information about the Owasp-board mailing list