[Owasp-board] [Owasp-leaders] Vendor Neutrality

Jim Manico jim.manico at owasp.org
Sat Feb 23 04:53:57 UTC 2013

Thank you for speaking out, Josh.

Switching to the board list. Here is a great ethics resource to consider as board members. To your point, Tom, the takeaway on vendor neutrality here is: "Institute a system of checks and balances to circumvent actual or potential conflict of interest, beginning with well defined operating policies on all matters that might lead to conflict."


How does a nonprofit safeguard against organizational conflict of interest?
When the personal or professional concerns of a board member or a staff member affect his or her ability to put the welfare of the organization before personal benefit, conflict of interest exists. Nonprofit board members are likely to be affiliated with many organizations in their communities, both on a professional and a personal basis, so it is not unusual for actual or potential conflict of interest to arise.

Why must we be concerned about conflict of interest?
Board service in the nonprofit sector carries with it important ethical obligations. Nonprofits serve the broad public good, and when board members fail to exercise reasonable care in their oversight of the organization they are not living up to their public trust. In addition, board members have a legal responsibility to assure the prudent management of an organization's resources. In fact, they may be held liable for the organization's actions. A 1974 court decision known as the "Sibley Hospital case" set a precedent by confirming that board members can be held legally liable for conflict of interest because it constitutes a breach of their fiduciary responsibility.

Does conflict of interest involve only financial accountability?
No. Conflict of interest relates broadly to ethical behavior, which includes not just legal issues but considerations in every aspect of governance. A statement by Independent Sector describes three levels of ethical behavior: obeying the law; decisions where the right action is clear, but one is tempted to take a different course; and decisions that require a choice among competing options.

The third level of behavior can pose especially difficult ethical dilemmas for nonprofit board members.

What can we do to prevent conflict-of-interest situations?
Self monitoring is the best preventative measure. Institute a system of checks and balances to circumvent actual or potential conflict of interest, beginning with well defined operating policies on all matters that might lead to conflict. Most important, create a carefully written conflict-of-interest policy based on the needs and circumstances of the organization. Ask each board and staff member to agree in writing to uphold the policy. A conflict of interest policy should be reviewed regularly as part of board self assessment.

What should be included in a conflict-of-interest policy?
A policy on conflict of interest has three essential elements:

Board members and staff members in decision-making roles should make known their connections with groups doing business with the organization. This information should be provided annually.
Board members who have an actual or potential conflict of interest should not participate in discussions or vote on matters affecting transactions between the organization and the other group.
Staff members who have an actual or potential conflict should not be substantively involved in decision-making affecting such transactions.
For a sample conflict of interest policy and disclosure form, see the BoardSource book, Managing Conflicts of Interest

What are some examples of actual and potential conflict of interest?
Organization policy requires competitive bidding on purchases of more than $1,000, but a printing firm owned by a board member's spouse receives the $25,000 contract for the annual report and no other bids are solicited.
A board member serves on two boards in the community and finds himself in the position of approaching the same donors on behalf of both organizations.
A staff member receives an honorarium for conducting a workshop for another group in the organization's field of interest.
Should an organization contract with a board member for professional services, such as legal counsel or accounting?
Attorneys, accountants, and other professionals can contribute valuable expertise to a board. Due to the potential for conflict of interest, their contributions should be voluntary. At the very least, a board member who is associated with a firm competing for a contract should abstain from discussion and voting in the selection process. If a competitive bidding process results in the selection of that board member's firm, he or she should disclose the affiliation and abstain from voting on future board actions connected with that firm's contract with the organization.

Daniel L. Kurtz and Sarah E. Paul, Managing Conflicts of Interest: A Primer for Nonprofit Boards (BoardSource 2006).

> I guess I'm late to the party, but figured I'd chime in here as well.
> While it can sometimes be uncomfortable when naming specific names in group
> settings, it's these specific topics that enable us to define, as an
> organization, what is and is not appropriate.  I, personally, applaud Jim
> for bringing this issue to the attention of the leaders.  If we truly are
> an "Open" organization as we say we are, then we should have no problems
> with our activities being under the microscope.  Frankly, we should always
> be acting as though our actions are under the scrutiny of others.  In this
> case, I think we can all agree that this communication probably could have
> been worded differently to show an OWASP event from the mouth of an OWASP
> leader, but I see no intentional abuse in this.  It was a mistake.  One
> which, now that it has been brought to light, we can all learn from and aim
> to do better next time.
> I've witnessed far more flagrant abuses since my involvement with OWASP.
> For example, we made the mistake for LASCON 2011 to have an open speaker
> selection process.  It was supposed to allow members to have a voice in the
> topics selected.  It turns out that one company sent four people to that
> meeting in an attempt to sway the results in their favor.  This was a
> blatant abuse by a vendor and was disheartening to say the least.  We
> learned our lesson and created an impartial selection committee separate
> from our planning team for AppSec USA 2012.
> Speaking of AppSec USA 2012, after making our CFT selections by committee
> and being very confident in our selections, our team was approached by a
> well-known member and participant in our community upset that his company's
> training was not selected.  He stated that his company had a long-running
> trend of trainings at AppSec and he thought they should have been
> selected.  They had submitted what was effectively the same training as
> another company and our committee decided on the other.  The fact that
> there was some expectation that he would be selected because of his high
> level involvement with OWASP or his company's sponsorship of OWASP
> activities really rubbed me wrong because of this topic of vendor
> neutrality.
> I think that we can all agree that vendor neutrality is one of the key
> things that makes OWASP what it is.  It's even highlighted in bold text on
> the front page of owasp.org:
> OWASP *does not endorse or recommend commercial products or services*,
>> allowing our community to remain vendor neutral with the collective wisdom
>> of the best minds in software security worldwide.
> I don't think any of us can be so naive as to think that some people and/or
> companies won't or don't use OWASP for personal gain.  For many, OWASP is a
> means to some end and I'm generally OK with that if the relationship is
> still mutually beneficial.  I think that Eric Sheridan said it well.
> "People need the ability to promote themselves or their company to some
> extent, as long as it is not "blatant abuse" of the brand which needs to be
> defined if not done so already."  To me, this says that the Leaders and the
> Board need to keep a watchful eye on what we all say and do to represent
> the organization.  We should never be afraid to call someone (or a company)
> out for their actions just as we should always give them the opportunity to
> justify them.  With a community as small as ours, it's sometimes difficult
> to do this knowing that its often a friend or respected peer that you're
> calling out, but if we remain silent, then the abuses will continue.  Thank
> you Jim for breaking the silence and bringing this to our attention.  Thank
> you Tom for being thick-skinned enough to stand the scrutiny and explaining
> the situation in a rational fashion.  And especially thank you leaders for
> chiming in and voicing your opinions on this matter.  I'd encourage more
> discussions like these as they eventually lead us toward positive change.
> I just wish they could happen on a better suited forum like
> http://my.owasp.org.  Just sayin'.  ;-)
> ~josh
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the Owasp-board mailing list