[Owasp-board] [Governance] Request - Survey - Implementation process on higher decisions

Josh Sokol josh.sokol at owasp.org
Mon Aug 17 14:55:06 UTC 2015


Thank you for putting your thoughts out there for everyone.  Silence is not
good for anyone and OWASP will be far more successful if we know what our
leaders are struggling with and make a conscious effort to improve it.  I
think that many of your points are very valid and strongly support the idea
of polls to gauge community support for actions being taken.  I also
support the idea that the Board should be making as few of these decisions
as possible and putting the power back in the hands of the community with
support from the staff.  The Board should be the "compass" making sure that
we are moving in the right direction with the community and staff being the
ones actually pushing us forward.  That's not to say that members of the
Board won't have their own projects or initiatives, but they do so as part
of the community, not because of their roles on the Board.  The Committees
2.0 framework was a first step in driving this level of empowerment back to
the community while maintaining accountability and providing appropriately
scoped actions.  My impression was that the Projects Committee was rolling
forward quite well under this guidance, but it sounds like maybe I was
wrong.  Are there specific actions that you have tried to take on the
committee that got blocked by the Board or hung up in "red tape"?  Are
there needs for funding that haven't been met?

Regarding the project vs chapter funding schemas, I'm not sure that there
is a good answer.  Projects are typically made up of a pocket of
individuals.  Typically one leader with sometimes one or two others
assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
provide members with the ability to allocate their funds to either, but
most associate themselves with a chapter rather than a project because
that's where they participate.  We also have chapters putting on
conferences with the goal of raising funds.  I don't think there is
anything preventing a project from doing the same, but I haven't seen it
done at this point.  Those are the two main ways that I see chapters
raising money.  Yes, there is certainly a difference in schemas and
projects will have a more difficult time, but that's also why OWASP has a
project funding bucket.  Money from these local events as well as funds
raised by our AppSec conferences gets budgeted specifically for this
purpose.  To my knowledge, no reasonable request for funds by projects has
been denied.  Just because there isn't money sitting "ring fenced" in an
account for the projects, doesn't mean that there isn't money that can be
spent.  It just means that it needs to be requested from the pool.  Yes,
it's a different model of funding, but the end result is the same.  There
are funds available at OWASP for everyone who needs them.

There are obviously many things that need to be improved at OWASP and,
unfortunately, the Board has been tied up in rules, events, bylaws, etc. for
a while now.  It's definitely not the "fun" part of the job and it is very
time-consuming.  That said, I would argue that these are the things that
need to be changed in order for everyone else (staff, community, etc.) to be
able to be better served.  We've made several changes to the Bylaws and are
working on more.  We've hired an Executive Director (Paul), an Event
Manager (Laura), a Community Manager (Noreen), and a Project Coordinator
(Claudia) just in the almost two years that I've been on the Board.  The
needle on the compass is set and, while it takes some time to right the
ship, we are getting there by giving our community the support it requires
to be successful.  So, here's my general thought:

1) If it's within the scope of a defined Committee, JUST DO IT!

2) If there's no Committee defined for it, CREATE ONE, then JUST DO IT!

3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!

4) If asking the staff isn't working or we need to change a policy to make
it happen, LET THE BOARD KNOW!

The Board should be the last resort, in my opinion, not the first.  We
should be the enabler, not the bottleneck.  I think that our leaders make
too many assumptions (probably based on past Board actions) about what
needs to go to the Board and we need to get away from that.  Remember that
the Board is just a handful of leaders who were elected to set the
compass.  We have a finite number of things that we can handle and our
Board meetings are typically overflowing with topics.  So, if something is
bothering you, I would encourage you to change it.  That's why, with the
David Rook situation, I encouraged creation of a new Committee to determine
a reasonable solution.  If it requires a policy change by the Board, then
we can vote on that, but asking the Board to take action just perpetuates
the oligarchy that you mention in your e-mail.  Instead of pushing these
issues up to the Board for action, let's have the community DECIDE what
they want and have the Board change the compass needle via bylaws,
policies, and staff discussions, accordingly.  At least, that's my vision
for OWASP.  Is that something that you can get on board with?


On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Members of the board,
> With the recent issue regarding David Rook, and my latest experience with
> red-tape, I'm proposing the following.
> My goal is to call your attention to these issues which I have been
> observing for years and not as a critique to your work, but I think if
> you do not pay attention to these issues and DO something about them, OWASP
> will lose valuable community participation.
>    - When an initiative is proposed or launched by a member of the board,
>    this should be followed up by a survey where the community can vote. Whether
>    it is a rule or money, these decisions should be taken based on collected data
>    and proper substantiation to avoid oligarchy
>    - When an initiative is launched by a member of the community,
>    especially when this initiative costs more than 10k, it should be
>    substantiated with data how this initiative will benefit the community.
>    Also should be followed by a survey
>    - Staff should help create the survey and analyse the votes
>    - *In other words: do more surveys to find out what the community needs
>    and wants.*
> My observations and where I think you need to give more attention:
>    - Board/Executive director should work closer with the staff for
>    guidance and empowering their role. I have the feeling that the staff is
>    paralysed waiting for instructions or following strict rules. The staff
>    should be motivated to take initiative and implement projects on their own
>    that can help the community. They should not be too dependent on an
>    Executive director or member of the board for this part
> As I see it, OWASP is known for its Projects & Chapter leaders which as
> volunteers have contributed the most to set OWASP on the spotlight.
> Therefore:
>    - You should determine and implement better ways to provide better
>    funding schemas for projects. This is something a volunteer cannot do. And
>    *nothing* has been done to help solve this issue
>    - There is an unfair inequality in the way chapters can generate funds
>    vs Projects.
>    - Money is locked down in the chapters budget
>    - Chapters outside US & EU have more struggles to find support. You
>    should consider a way to support better these ones since their countries
>    are not developed in the area of security as countries in EU and US.
>    - Follow up: when issues like David Rook or a volunteer rants (like me
>    or others) out of frustration, take action. Put it in the agenda and try to
>    solve and discuss the issues to improve the actual problems. So far I have
>    seen very little follow up on major issues and discussions raised in the
>    mailing lists
>    - Way too much attention to rules, *events* and bylaws etc. Time to
>    take action and take decisions and propose plans for improvements of the
>    actual situation above mentioned
> That being said, and with all due respect to you, I hope that you can take
> actions and *execute* improvements that have been an issue since I joined
> OWASP 3 years ago.
> Regards
> Johanna