[Owasp-board] [Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions
Jim Manico
jim.manico at owasp.org
Tue Aug 18 18:42:05 UTC 2015
This is a very good summary of the issues, Josh. I'm with you.
Shall we initiate a vote and make this happen or is more discussion needed?
- Jim
On 8/18/15 8:37 AM, Josh Sokol wrote:
> One additional thought here as I was about to write something more
> formal up. Officially, the Bylaws state:
>
> /Failure by a board member to meet the 75% attendance requirement
> after any tabulation will cause a mandatory vote of confidence by the
> remaining board members, whose votes will be publicly recorded. An
> overall vote of "no confidence" is recorded if half or more of the
> board members vote for it, which causes the board member in question
> to be instantly removed from their seat on the board./
>
> I think that the key here is failure after _*ANY TABULATION*_.
> Personally, I think this is a flaw in the Bylaws. For one, we do not
> ever specify what the timeframe for tabulation is. Is it over the two
> years that you are elected as a Board member? Is it per year? That
> really needs to be clarified. Secondly, let's say the timeframe is a
> calendar year for the sake of argument and we are doing monthly
> meetings, do we really want a situation where if someone misses any
> one of the first, second, or third Board meetings of the year a vote
> of no confidence is automatically triggered because they are at 0%,
> 50%, or 66%? That seems unreasonable to me and is an unintended
> side-effect of how this is worded. In light of that, I don't think
> there is any way that I could, in good conscience, actually vote to
> remove Fabio, but I still think that we need to adhere to the Bylaws
> as written and have a formal vote. Once we do that, we should
> probably consider changing the verbiage to reflect what I think we
> actually want here which is that if someone is on the Board, but not
> doing their job, they are removed. My $0.02.
>
> ~josh
>
> On Tue, Aug 18, 2015 at 1:24 PM, Eoin Keary <eoin.keary at owasp.org
> <mailto:eoin.keary at owasp.org>> wrote:
>
> Wise words Josh. That's why you're a great board member and OWASP
> leader!!
> Thanks for understanding.
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 18 Aug 2015, at 19:22, Josh Sokol <josh.sokol at owasp.org
> <mailto:josh.sokol at owasp.org>> wrote:
>
>> I agree 100% Eoin. The rule is there for a reason. Voting to
>> change it is one thing, but that change cannot be applied
>> retroactively to the present situation. The Bylaws are very
>> clear in that this should trigger a Board vote to determine
>> whether they should be removed. I am absolutely pushing for that
>> vote to happen, regardless of whether it actually results in a
>> removal. If the Board wants to evaluate a change to the Bylaws
>> at a later date, then so be it, but I will not support it. The
>> Board is a commitment. When you run, you are doing so knowing
>> that meetings will not always happen when convenient and that you
>> are expected to attend 75% of them. There are certainly
>> extenuating circumstances where a case could be made here, but I
>> don't think I've heard any thus far.
>>
>> ~josh
>>
>> On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org
>> <mailto:eoin.keary at owasp.org>> wrote:
>>
>> Sorry I have to write this email....but...
>>
>> I hope you don't change the rules just because certain
>> members have not complied with them....
>>
>> I was forwarded some emails regarding board attendance today
>> which suggest that the 75% rule of board meeting attendance is
>> now going to be changed because some folks on the board have
>> an issue with it.
>>
>> This is like turkeys voting for Christmas.
>>
>> I respectfully hope the board abides by its own guidelines;
>> if not, I have great issue with the Foundation's governance.
>>
>> Respect, for the good guys in OWASP.
>>
>>
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>>
>>
>>
>> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org
>> <mailto:josh.sokol at owasp.org>> wrote:
>>
>>> Johanna,
>>>
>>> As far as I remember, the idea was proposed to the board
>>> by you and the board took the decision to implement
>>> Committees 2.0. I believe this was done with all good
>>> intentions but is not working.
>>>
>>>
>>> Actually, I would argue that even though there's only a
>>> single committee right now, it is working exactly as
>>> intended. The truth is that OWASP's leadership sits
>>> somewhere in-between an Oligarchy (as you describe it) and
>>> an Anarchy. We're currently somewhere between Democracy and
>>> Ochlocracy depending on the topic if you really want to get
>>> technical. In any case, what you need to realize is that
>>> somebody needs to have the power to make decisions or
>>> decisions will never get made and we veer into Anarchy. What
>>> Committees 2.0 did is specify that decision making power
>>> starts with the Board as they have the fiduciary
>>> responsibility for the OWASP Foundation in all legal sense.
>>> What it also did is allow any of our leaders to carve out a
>>> piece of that power that they are passionate about and run
>>> with it, just as you did with projects. I really thought
>>> that we would see some other committees pop up similar to
>>> what we had before in other core areas of OWASP like
>>> Governance or Chapters, but the fact that there isn't just
>>> tells me that as of yet, no leader is passionate enough
>>> about it to carve out that power. Maybe it's because of
>>> time commitments or because of some perceived "red tape" or
>>> even (I hope) because most people think the Board is doing
>>> an OK job making decisions, but the fact is that the ability
>>> is there and you are an example of it being used. So, as I
>>> said, the system is working. Where there is a void in the
>>> community wanting to take the power to make decisions, the
>>> Board fills that void. In other words, if the community
>>> really thinks that they can do something better than the
>>> Board, they can form a Committee (or "Action Team" or
>>> "Initiative" or whatever they want to call it), and do it.
>>>
>>> Projects are global. They promote OWASP at a global
>>> level. What is OWASP known for? For its chapters? Its
>>> conferences? I strongly believe OWASP is known for its
>>> projects: Code Review, Testing Guide, the Cheat Sheets,
>>> ASVS, ZAP... Many references in major publications refer
>>> to the OWASP Top Ten and respect them because of its
>>> projects. PCI and major vendors use them as reference
>>> and guidelines.
>>>
>>>
>>> There is no doubt in my mind that Projects are important for
>>> OWASP. They spread our mission in places where even our
>>> Chapters cannot go. But, if you want to talk about where
>>> most people interface with OWASP, it's not projects, it's
>>> Chapters. You won't find a reference in a major publication
>>> to the OWASP Austin Chapter, for example, but we held a
>>> CryptoParty in January and invited members of our community,
>>> the media, etc to participate because we wanted to educate
>>> others on the importance of privacy. You're passionate
>>> about OWASP Projects, I get that, and I love it. I'm
>>> passionate about OWASP Chapters. Neither should be
>>> trivialized as they both play a very important role within
>>> OWASP.
>>>
>>> What I would like to see is a better schema for them to get
>>> more awareness, especially for people doing great things who,
>>> for lack of funds, cannot promote their projects.
>>> Chapters are rich, projects are poor. That is in my
>>> opinion a huge imbalance.
>>>
>>>
>>> We have many chapters with small bank accounts, some even
>>> negative, and a few with quite large accounts. Total it all
>>> up and it's a pretty decent sum of money. But, what you're
>>> arguing for here is effectively Socialism. You're saying
>>> that it doesn't matter that the OWASP chapter in Denver
>>> busted their ass (it is over a year's worth of effort by a
>>> team of people) to put on last year's AppSecUSA Conference.
>>> It doesn't matter that it can cost a chapter hundreds if not
>>> thousands of dollars to rent meeting space, bring in food,
>>> fly in speakers, etc. You only see that they have money, you
>>> do not, and you want it. Not because you have a plan to
>>> spend it either, because if you did you could simply ask the
>>> Foundation for it, but because it is perceived as being
>>> disproportionate. There is no payoff for OWASP's mission if
>>> we rob from the rich, give to the poor, and at the end of
>>> the day still just have money sitting in a savings account.
>>> This highlights the underlying issue here. The issue is not
>>> that Chapters or Projects HAVE money. The issue is that
>>> they have money and are NOT SPENDING IT to further the OWASP
>>> Mission. Thus, the approach to fix this issue (and I agree
>>> that it's an issue) shouldn't be to take away their money,
>>> it should be to get them to spend it.
>>>
>>> The limit of USD 2,000 for supporting a project leader a
>>> year is not enough for most leaders. If a leader outside the
>>> US or EU is invited to Black Hat, that amount is not
>>> enough to cover his travelling expenses. And that's the
>>> maximum he can have in a year after filling in forms and
>>> going through some back-and-forth emails with the staff...
>>>
>>>
>>> Ahhhhh, finally we get to the root of the issue. The issue
>>> isn't that money isn't available, because, frankly, we had a
>>> significant amount of money budgeted last year that wasn't
>>> used. The issue is that there is a cap on what any one
>>> project leader can request/spend. My personal opinion here
>>> is that this $2k cap should be treated as a guideline, not a
>>> rule. It is likely in place to prevent abuse by having a
>>> significant amount of money from the pool go to any one
>>> individual. But, that cap certainly should not prevent the
>>> OWASP Foundation from investing in the projects, and people
>>> behind the projects, to make them better. The Board
>>> entrusts Paul, as Executive Director, and the OWASP staff to
>>> handle the day-to-day operations of the OWASP Foundation.
>>> Part of their job is to review these types of requests in
>>> order to determine whether they make sense and there are
>>> funds available. That said, if you get to a point where you
>>> feel that they are being unreasonable, the Board can
>>> certainly step in and try to determine if an exception
>>> should be made. So, net-net, maybe that $2k cap is too
>>> low. Should we raise it? If so, what should it be? What
>>> amount would be reasonable for any one individual to consume
>>> from that shared pool of funds? Guidelines can be changed.
>>> Guidelines can even be overruled for the right reasons.
>>> This is a relatively minor issue that it sounds like should
>>> be re-evaluated given rising costs, bigger budget pools,
>>> unused funds, etc. Can you please come up with a reasonable
>>> proposal here and I will take that to the Board for approval
>>> to change this guideline?
>>>
>>> Should we scrap projects and focus on being a dedicated
>>> conference organisation? That's what I see
>>> happening, whether consciously or not.
>>>
>>>
>>> Your perception is VERY far from the truth. I've spent the
>>> past 8.5 years working with the OWASP Austin chapter and
>>> I've seen it grow from literally 3 people in a monthly
>>> meeting to around 70. You, yourself, even said that OWASP is
>>> being referenced in major publications and our tools are
>>> being used around the globe. That said, keep in mind that
>>> the OWASP mission is one of education, and conferences
>>> address that mission directly. They are also the main
>>> fundraiser that helps to make sure that our chapters and
>>> projects have the money that they need in order to be
>>> successful.
>>>
>>> Should we scrap conferences and focus on gathering those
>>> funds to create better platforms for projects and
>>> become the next Apache Foundation?
>>>
>>>
>>> Where do you think those funds would come from? By far, the
>>> majority of OWASP's annual revenue comes from AppSecUSA and
>>> AppSecEU. To be frank, OWASP would be VERY different if it
>>> weren't for our conferences.
>>>
>>> Should we use crowdsourcing for gathering funds for
>>> projects through the OWASP Foundation?
>>>
>>>
>>> This is not a mutually exclusive solution. Yes, absolutely,
>>> use crowdfunding to gather funds for projects. Please prove
>>> out this model of bringing another revenue source to OWASP.
>>> I would imagine that this is a way that projects would be
>>> able to get funds that a chapter never could.
>>>
>>> Project summits = events. That's what I'm proposing:
>>> that summits are treated like events to generate money
>>> for projects, so they also have a fair way to generate
>>> money as chapters do. They will depend less on
>>> sponsors with commercial intentions.
>>>
>>>
>>> OK, but every project summit that we have had thus far has
>>> cost OWASP money, not made it. Speaking as the former
>>> Co-Chair of LASCON and AppSecUSA, I can tell you that these
>>> types of events are a lot of work and that it is difficult
>>> to attract attendees. Attendees actually barely end up
>>> covering their own costs (food, schwag, etc). Sponsors and
>>> trainings are usually the ones who generate the profit for
>>> these events. So, let's say you do a project summit. How
>>> would you intend to attract attendees who are willing to pay
>>> for the content? If not, how would you intend to attract
>>> sponsors whose sole purpose in being there is to sell
>>> product to the attendees? Especially if you don't want
>>> sponsors with commercial intentions. You would be lucky if
>>> you get enough sponsors to cover costs. Or, in the
>>> situation of every past project summit that we've had, the
>>> Foundation ends up covering the difference. I'm not saying
>>> that you shouldn't try to prove out this model. I'm saying
>>> that it hasn't been proven to date. Also, it's a bit naive
>>> to say that chapters leveraging their members and holding a
>>> conference isn't "fair". We should be encouraging as many
>>> endeavors as we can at OWASP that spread our mission. Even
>>> more so if they generate additional revenue because that
>>> helps to further our mission even more after the conference
>>> is over. Nothing is stopping a project from having a
>>> conference. This isn't a matter of "fair" or "unfair". It's
>>> a matter of a team of people putting in the effort and
>>> making it happen. Please don't trivialize those efforts.
>>>
>>> Also more focus on crowdsourcing projects. If people
>>> find it a great idea they will sponsor it.
>>>
>>>
>>> As I said above, I think this is a great idea. Let's do it!
>>>
>>> I will ask the staff to create a survey and ask the
>>> community about it. This is my proposal and based on
>>> those results I hope and expect the board to take actions.
>>>
>>>
>>> Ask the staff to create a survey? Why not make the survey
>>> yourself? What exactly are we surveying and why? The only
>>> thing that I think you've identified as an actual issue
>>> preventing projects from operating efficiently is a cap on
>>> the amount of funding available. That doesn't require a
>>> survey to get changed, just a plan and an approval. I can't
>>> guarantee support or action as it depends on the varying
>>> opinions of 7 unique individuals, but the Board would
>>> certainly evaluate any proposal that is put on the table.
>>>
>>> ~josh
>>>
>>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel
>>> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>>> wrote:
>>>
>>> Josh,
>>>
>>> As far as I remember, the idea was proposed to the board
>>> by you and the board took the decision to implement
>>> Committees 2.0. I believe this was done with all good
>>> intentions but is not working.
>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>
>>> In this same email Sarah mentions:
>>>
>>> The 2008 committees worked, for the most part, independently of each other.
>>> This often created duplicate or even conflicting efforts leading to frustration.
>>>
>>> Results now: I'm the only committee, called the Project
>>> Task Force. Maybe that's why no one wants to create any more
>>> committees.
>>>
>>> Projects are global. They promote OWASP at a global
>>> level. What is OWASP known for? For its chapters? Its
>>> conferences? I strongly believe OWASP is known for its
>>> projects: Code Review, Testing Guide, the Cheat Sheets,
>>> ASVS, ZAP... Many references in major publications refer
>>> to the OWASP Top Ten and respect them because of its
>>> projects. PCI and major vendors use them as reference
>>> and guidelines.
>>>
>>> What I would like to see is a better schema for them to get
>>> more awareness, especially for people doing great things who,
>>> for lack of funds, cannot promote their projects.
>>> Chapters are rich, projects are poor. That is in my
>>> opinion a huge imbalance.
>>>
>>> The limit of USD 2,000 for supporting a project leader a
>>> year is not enough for most leaders. If a leader outside the
>>> US or EU is invited to Black Hat, that amount is not
>>> enough to cover his travelling expenses. And that's the
>>> maximum he can have in a year after filling in forms and
>>> going through some back-and-forth emails with the staff...
>>>
>>> * Should we scrap projects and focus on being a dedicated
>>> conference organisation? That's what I see
>>> happening, whether consciously or not.
>>> * Should we scrap conferences and focus on gathering
>>> those funds to create better platforms for
>>> projects and become the next Apache Foundation?
>>> * Should we use crowdsourcing for gathering funds for
>>> projects through the OWASP Foundation?
>>>
>>>
>>> I would like to see a solution to this or an action.
>>>
>>> Project summits = events. That's what I'm proposing:
>>> that summits are treated like events to generate money
>>> for projects, so they also have a fair way to generate
>>> money as chapters do. They will depend less on
>>> sponsors with commercial intentions (easier to avoid
>>> Logogate issues and projects with the intention to
>>> promote appsec companies). Also more focus on
>>> crowdsourcing projects. If people find it a great idea
>>> they will sponsor it.
>>>
>>> I will ask the staff to create a survey and ask the
>>> community about it. This is my proposal and based on
>>> those results I hope and expect the board to take actions.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>>
>>>
>>> On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>> <mario.robles at owasp.org <mailto:mario.robles at owasp.org>>
>>> wrote:
>>>
>>> Hey Josh,
>>>
>>> I could be wrong, but the term Committee is commonly
>>> associated with "bureaucracy", even if that's not what
>>> you meant; at least it was the first thing on top of
>>> my head. I'm sure if you change the word Committee
>>> to something like "Action Team" it would be better
>>> accepted.
>>>
>>> Just my point of view,
>>>
>>> Mario
>>>
>>>
>>>
>>>
>>> On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>
>>>> I think we need to create Project Summits in
>>>> the form of events with the whole purpose of
>>>> gathering funds for projects.
>>>>
>>>>
>>>> Please forgive my ignorance. How does a Project
>>>> Summit generate funds for project? Every Project
>>>> Summit that we have had to date has cost the
>>>> Foundation money, hasn't it? Can you please elaborate?
>>>>
>>>> Look, the Denver chapter has around 50K in their
>>>> bucket. The richest project is ZAP with 10k...
>>>> but that is the exception. Even worse when you
>>>> look at chapters outside the US or EU: mine has
>>>> only USD 40. Most projects have zero
>>>> dollars.
>>>>
>>>>
>>>> I'm not sure I understand the fixation on what
>>>> other chapters have in their bucket. They have
>>>> these funds because they worked hard to obtain
>>>> them. In the case of Denver, they ran last year's
>>>> AppSecUSA Conference. Just because they have money
>>>> in their account, it doesn't mean that you aren't
>>>> able to do things with the $40 you have in your
>>>> account. It just means that they have to use their
>>>> account funds first before being able to use money
>>>> from the Foundation pool while you would need to
>>>> request funds from that pool for anything over
>>>> $40. Any sort of reallocation just moves the "ring
>>>> fenced funds" issue to another account. The model
>>>> of chapters and projects having accounts is not
>>>> what's broken here. It's the model of chapters and
>>>> projects saving their funds instead of spending
>>>> them. This is why I voted "no" on the Summer of
>>>> Code initiative. It was giving money to those who
>>>> already had it and not forcing them to spend their
>>>> funds first. In any case, I'm not sure I understand
>>>> why the amount of money Denver has in their account
>>>> has any impact on any other chapter or project
>>>> other than themselves. We have tens of thousands of
>>>> dollars allocated by the Foundation to project and
>>>> chapters on an annual basis, much of which goes
>>>> completely unused. There is money available at
>>>> OWASP for those who need it and I have yet to hear
>>>> of a situation where someone was told otherwise.
>>>>
>>>> Yes, but how do they know where to go? That's
>>>> why the survey. The survey is the compass. And
>>>> the leaders are elected to listen to the community.
>>>>
>>>>
>>>> I agree with this notion. The OWASP Board should
>>>> act in accordance with the desires of the community
>>>> and should be doing frequent checks to confirm that
>>>> initiatives are aligned.
>>>>
>>>> So the committee concept in theory seemed like
>>>> a great idea but in practice is not working
>>>> because in my eyes, creating a committee is
>>>> creating a mini board inside OWASP.
>>>>
>>>>
>>>> To be honest, I have been surprised by the lack of
>>>> desire to participate in OWASP Committees. The
>>>> community has said that they want empowerment and
>>>> the goal of the committees was to do that. But, now
>>>> that it's there, nobody wants it? Your example
>>>> with John Lita follows the Committees 2.0 process
>>>> almost verbatim. The only difference is that it
>>>> provides scoping to ensure that we don't have
>>>> competing, or even worse, conflicting initiatives
>>>> and it specifies that the individuals involved need
>>>> to work within that scope. Without it, you have a
>>>> loosely knit group of people running around with
>>>> their own individual initiatives. At that level,
>>>> OWASP is just a funding source for experimentation,
>>>> not a Foundation. There is no accountability, but
>>>> the liability on the Foundation is still there.
>>>> Legally, we can't just have people running around
>>>> spending money without any form of guidance.
>>>>
>>>> Allow me, and let the staff know that they
>>>> should support me and any other volunteers
>>>> seeking to implement their ideas ;-).
>>>> Let's cut the red tape with committees and let
>>>> people know that if they want to do something,
>>>>
>>>> * Contact the staff.
>>>> * Set a survey and gather support
>>>> * Need more money? Set a crowd funding
>>>> project @ https://www.kickstarter.com under
>>>> OWASP
>>>> * Volunteers implement idea or project with
>>>> the support of owasp staff and other volunteers
>>>>
>>>> I'm not sure how this is that much different from a
>>>> Committee. Contact the community via the mailing
>>>> list and gather support, scope the activities (i.e.
>>>> define the project), Board ensures that there's no
>>>> conflict, do your thing. The "red tape" that you
>>>> keep referring to is just a process document that
>>>> walks you through how to set up a committee. After
>>>> that's done, the idea was to empower you to act
>>>> within the defined scope without going to the
>>>> Board. If we're talking specifically about
>>>> projects, which it sounds like this is geared
>>>> towards, then it's even easier. Register as a
>>>> project (so that staff knows you exist and can
>>>> support you) and do your thing. If you need money,
>>>> ask for it. I'm not sure I see the problem here.
>>>> I'm also not sure what you're asking for as it
>>>> doesn't seem that different to me than how the
>>>> status quo is supposed to operate. Is it operating
>>>> differently in practice than it should in theory?
>>>> I don't have an OWASP project and so perhaps I'm
>>>> blind to the realities. If so, then the specific
>>>> issues need to be addressed by bylaw change, policy
>>>> change, staff engagement, etc. So far, all you've
>>>> said is "projects need money", which you have
>>>> access to, and "cut the red tape", of which I don't
>>>> see anything more than a step to say "Hey, I want
>>>> to be a project". Please help me to understand.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel
>>>> curiel <johanna.curiel at owasp.org
>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> >I don't think there is anything preventing a
>>>> project from doing the same, but I haven't seen
>>>> it done at this point.
>>>>
>>>> I think we need to create Project Summits in
>>>> the form of events with the whole purpose of
>>>> gathering funds for projects. OpenSAMM has done
>>>> this and I think we can try that. For that we
>>>> need the support of the staff Business Liaison and
>>>> Event Manager, just as they put their work and
>>>> efforts into Events and AppSecs. Here a cut share
>>>> between OWASP staff time and projects can also
>>>> be done.
>>>>
>>>> >OWASP has a project funding bucket.
>>>> Look, the Denver chapter has around 50K in their
>>>> bucket. The richest project is ZAP with 10k...
>>>> but that is the exception. Even worse when you
>>>> look at chapters outside the US or EU: mine has
>>>> only USD 40. Most projects have zero
>>>> dollars.
>>>> And the limits right now are a support but do
>>>> not help to get important things moving, like the
>>>> OWASP Academy portal, leaders like Azzedine
>>>> attending and showcasing their chapter or project, or
>>>> other more complex initiatives, or major
>>>> improvements or promotions to their projects.
>>>>
>>>> >Remember that the Board is just a handful of
>>>> leaders who were elected to set the compass.
>>>> Yes, but how do they know where to go? That's
>>>> why the survey. The survey is the compass. And
>>>> the leaders are elected to listen to the community.
>>>>
>>>> And About committees...
>>>> The only existing active committee right now is
>>>> the Project Review (which I myself still call a
>>>> taskforce). I haven't seen many initiatives or
>>>> participation from other committees. So the
>>>> committee concept in theory seemed like a great
>>>> idea but in practice is not working because, in
>>>> my eyes, creating a committee is creating a
>>>> mini board inside OWASP. We do not want to
>>>> create oligarchies in the end.
>>>>
>>>> I think we should cut off that committee idea
>>>> and be more practical. More like this:
>>>>
>>>> Example:
>>>>
>>>> * John Lita wants to create an academy portal,
>>>> but developing it costs money and resources
>>>> that volunteers alone cannot easily pull
>>>> off (the owaspa project was the same and died,
>>>> just like many educational initiatives)
>>>> * John must create a proposal with defined
>>>> goals and how to reach them. He joins other
>>>> volunteers in this effort. No need to be a
>>>> committee.
>>>> * John & Claudia create a survey and seek
>>>> support from the community
>>>> * If the idea has major feedback and
>>>> volunteers, then John has the support from
>>>> the staff to execute, including looking for
>>>> sponsors using crowdfunding portals
>>>> * Staff monitors development and results of
>>>> the actions taken
>>>> * Staff reports results back to the community
>>>>
>>>> This is in my eyes how I have been working in
>>>> the end, because, as volunteers, available
>>>> time mostly depends on one or two passionate
>>>> individuals like John-Lita, who are more
>>>> dedicated, and the rest follow...
>>>>
>>>> Now if we want to change things, don't tell me
>>>> to set up a committee, because, Josh, this has not
>>>> worked so far.
>>>>
>>>> Allow me, and let the staff know that they
>>>> should support me and any other volunteers
>>>> seeking to implement their ideas ;-).
>>>> Let's cut the red tape with committees and let
>>>> people know that if they want to do something,
>>>>
>>>> * Contact the staff.
>>>> * Set a survey and gather support
>>>> * Need more money? Set a crowd funding
>>>> project @ https://www.kickstarter.com under
>>>> OWASP
>>>> * Volunteers implement idea or project with
>>>> the support of owasp staff and other volunteers
>>>>
>>>> How do we get this idea to action?
>>>> Shall we create a survey?
>>>> Do you need to discuss this on a board meeting?
>>>> How do I get empowered and let the staff know
>>>> that as a volunteer I have your support for
>>>> this (if I do)?
>>>>
>>>> You see how dependent I am on the board to
>>>> be able to execute?
>>>>
>>>> Of course I can always do this on my own, but
>>>> then I'd better do it without OWASP...
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>> <josh.sokol at owasp.org
>>>> <mailto:josh.sokol at owasp.org>> wrote:
>>>>
>>>> Johanna,
>>>>
>>>> Thank you for putting your thoughts out
>>>> there for everyone. Silence is not good for
>>>> anyone and OWASP will be far more
>>>> successful if we know what our leaders are
>>>> struggling with and make a conscious effort
>>>> to improve it. I think that many of your
>>>> points are very valid and strongly support
>>>> the idea of polls to gauge community
>>>> support for actions being taken. I also
>>>> support the idea that the Board should be
>>>> making as few of these decisions as
>>>> possible and putting the power back in the
>>>> hands of the community with support from
>>>> the staff. The Board should be the
>>>> "compass" making sure that we are moving in
>>>> the right direction with the community and
>>>> staff being the ones actually pushing us
>>>> forward. That's not to say that members of
>>>> the Board won't have their own projects or
>>>> initiatives, but they do so as part of the
>>>> community, not because of their roles on
>>>> the Board. The Committees 2.0 framework was
>>>> a first step in driving this level of
>>>> empowerment back to the community while
>>>> maintaining accountability and providing
>>>> appropriately scoped actions. My
>>>> impression was that the Projects Committee
>>>> was rolling forward quite well under this
>>>> guidance, but it sounds like maybe I was
>>>> wrong. Are there specific actions that you
>>>> have tried to take on the committee that
>>>> got blocked by the Board or hung up in "red
>>>> tape"? Are there needs for funding that
>>>> haven't been met?
>>>>
>>>> Regarding the project vs chapter funding
>>>> schemas, I'm not sure that there is a good
>>>> answer. Projects are typically made up of a
>>>> pocket of individuals. Typically one leader
>>>> with sometimes one or two others assisting.
>>>> Chapters are typically anywhere from 20
>>>> people to hundreds. We provide members
>>>> with the ability to allocate their funds to
>>>> either, but most associate themselves with
>>>> a chapter rather than a project because
>>>> that's where they participate. We also have
>>>> chapters putting on conferences with the
>>>> goal of raising funds. I don't think there
>>>> is anything preventing a project from doing
>>>> the same, but I haven't seen it done at
>>>> this point. Those are the two main ways
>>>> that I see chapters raising money. Yes,
>>>> there is certainly a difference in schemas
>>>> and projects will have a more difficult
>>>> time, but that's also why OWASP has a
>>>> project funding bucket. Money from these
>>>> local events as well as funds raised by our
>>>> AppSec conferences gets budgeted
>>>> specifically for this purpose. To my
>>>> knowledge, no reasonable request for funds
>>>> by projects has been denied. Just because
>>>> there isn't money sitting "ring fenced" in
>>>> an account for the projects, doesn't mean
>>>> that there isn't money that can be spent.
>>>> It just means that it needs to be requested
>>>> from the pool. Yes, it's a different model
>>>> of funding, but the end result is the same.
>>>> There are funds available at OWASP for
>>>> everyone who needs them.
>>>>
>>>> There are obviously many things that need
>>>> to be improved at OWASP and, unfortunately,
>>>> the Board has been tied up in rules,
>>>> events, bylaws, etc. for a while now. It's
>>>> definitely not the "fun" part of the job
>>>> and it is very time consuming. That said, I
>>>> would argue that these are the things that
>>>> need to be changed in order for everyone
>>>> else (staff, community, etc.) to be able to
>>>> be better served. We've made several
>>>> changes to the Bylaws and are working on
>>>> more. We've hired an Executive Director
>>>> (Paul), an Event Manager (Laura), a
>>>> Community Manager (Noreen), and a Project
>>>> Coordinator (Claudia) just in the almost
>>>> two years that I've been on the Board. The
>>>> needle on the compass is set and, while it
>>>> takes some time to right the ship, we are
>>>> getting there by giving our community the
>>>> support it requires to be successful. So,
>>>> here's my general thought:
>>>>
>>>> 1) If it's within the scope of a defined
>>>> Committee, JUST DO IT!
>>>>
>>>> 2) If there's no Committee defined for it,
>>>> CREATE ONE, then JUST DO IT!
>>>>
>>>> 3) If a Committee doesn't make sense, ASK
>>>> THE STAFF FOR IT!
>>>>
>>>> 4) If asking the staff isn't working or we
>>>> need to change a policy to make it happen,
>>>> LET THE BOARD KNOW!
>>>>
>>>> The Board should be the last resort, in my
>>>> opinion, not the first. We should be the
>>>> enabler, not the bottleneck. I think that
>>>> our leaders make too many assumptions
>>>> (probably based on past Board actions)
>>>> about what needs to go to the Board and we
>>>> need to get away from that. Remember that
>>>> the Board is just a handful of leaders who
>>>> were elected to set the compass. We have a
>>>> finite number of things that we can handle
>>>> and our Board meetings are typically
>>>> overflowing with topics. So, if something
>>>> is bothering you, I would encourage you to
>>>> change it. That's why, with the David Rook
>>>> situation, I encouraged creation of a new
>>>> Committee to determine a reasonable
>>>> solution. If it requires a policy change
>>>> by the Board, then we can vote on that, but
>>>> asking the Board to take action just
>>>> perpetuates the oligarchy that you mention
>>>> in your e-mail. Instead of pushing these
>>>> issues up to the Board for action, let's
>>>> have the community DECIDE what they want
>>>> and have the Board change the compass
>>>> needle via bylaws, policies, and staff
>>>> discussions, accordingly. At least, that's
>>>> my vision for OWASP. Is that something
>>>> that you can get on board with?
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna
>>>> curiel curiel <johanna.curiel at owasp.org
>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> Members of the board,
>>>>
>>>> With the recent issue regarding David
>>>> Rook, and my latest experience with
>>>> red-tape, I'm proposing the following.
>>>>
>>>> My goal is to call your attention to
>>>> these issues which I have been
>>>> observing for years, and not as a
>>>> critique of your work, but I think if
>>>> you do not pay attention to these
>>>> issues and DO something about them,
>>>> OWASP will lose valuable community
>>>> participation.
>>>>
>>>> * When an initiative is proposed or
>>>> launched by a member of the board,
>>>> this should be followed up by a
>>>> survey where the community can
>>>> vote. Whether it is a rule or money,
>>>> these decisions should be taken
>>>> based on collected data and proper
>>>> substantiation to avoid oligarchy.
>>>> * When an initiative is launched by a
>>>> member of the community, especially
>>>> when this initiative costs more than
>>>> 10k, it should be substantiated
>>>> with data on how this initiative will
>>>> benefit the community. It should also
>>>> be followed by a survey.
>>>> * Staff should help create the
>>>> survey and analyse the votes.
>>>> * *In other words: do more surveys to
>>>> find out what the community needs
>>>> and wants.*
>>>>
>>>> My observations and where I think you
>>>> need to give more attention:
>>>>
>>>> * The Board/Executive Director should
>>>> work closer with the staff for
>>>> guidance and empowering their role.
>>>> I have the feeling that the staff
>>>> is paralysed waiting for
>>>> instructions or following strict
>>>> rules. The staff should be
>>>> motivated to take initiative and
>>>> implement projects on their own
>>>> that can help the community. They
>>>> should not be too dependent on an
>>>> Executive Director or member of the
>>>> board for this part.
>>>>
>>>> As I see it, OWASP is known for its
>>>> Project & Chapter leaders who, as
>>>> volunteers, have contributed the most to
>>>> put OWASP in the spotlight. Therefore:
>>>>
>>>> * You should determine and implement
>>>> better ways to provide better
>>>> funding schemas for projects. This
>>>> is something a volunteer cannot do.
>>>> And /nothing/ has been done to help
>>>> solve this issue.
>>>> * There is an unfair inequality in
>>>> the way chapters can generate funds
>>>> vs projects.
>>>> * Money is locked down in the
>>>> chapters' budget.
>>>> * Chapters outside the US & EU have more
>>>> struggles to find support. You
>>>> should consider a way to support
>>>> these better, since their
>>>> countries are not as developed in the
>>>> area of security as countries in the EU
>>>> and US.
>>>> * Follow up: when issues like David
>>>> Rook arise or a volunteer rants (like me
>>>> or others) out of frustration, take
>>>> action. Put it on the agenda and
>>>> try to discuss and solve the issues
>>>> to improve the actual problems. So
>>>> far I have seen very little follow
>>>> up on major issues and discussions
>>>> raised in the mailing lists.
>>>> * Way too much attention to rules,
>>>> /events/ and bylaws, etc. Time to
>>>> take action, make decisions and
>>>> propose plans for improvements of
>>>> the actual situation mentioned above.
>>>>
>>>> That being said, and with all due
>>>> respect to you, I hope that you can
>>>> take action and /execute/ improvements
>>>> on issues that have existed since I joined
>>>> OWASP 3 years ago.
>>>>
>>>>
>>>> Regards
>>>>
>>>>
>>>> Johanna
>>>>
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> <mailto:Governance at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> <mailto:OWASP-Leaders at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!