[Owasp-board] [Governance] [Owasp-leaders] Request - Survey - Implementation process on higher decisions
Jim Manico
jim.manico at owasp.org
Tue Aug 18 18:55:29 UTC 2015
Sorry all, I changed my mind mid-email and meant to delete this.
I support following the bylaws and triggered a vote. I personally am
voting "no" to remove Fabio.
Aloha,
Jim
On 8/18/15 8:35 AM, Jim Manico wrote:
> Josh,
>
> First of all I have good attendance and my comments are not for
> personal benefit.
>
> Since the board is globally distributed, I think we should be more
> forgiving. To penalize a board member because they missed two meetings
> that were held at Midnight is not at all reasonable to me. I'm all
> about fiduciary duty and commitment and all that - but I'm also about
> sleep and Maslow's hierarchy of needs. I consider sleeping to be a
> physiological need, the more core need from Maslow. I place attending
> OWASP Board meetings at the "Self actualization" portions of Maslow's
> hierarchy. So while
>
> - Jim
>
> On 8/18/15 8:22 AM, Josh Sokol wrote:
>> I agree 100% Eoin. The rule is there for a reason. Voting to change
>> it is one thing, but that change cannot be applied retroactively to
>> the present situation. The Bylaws are very clear in that this should
>> trigger a Board vote to determine whether they should be removed. I
>> am absolutely pushing for that vote to happen, regardless of whether
>> it actually results in a removal. If the Board wants to evaluate a
>> change to the Bylaws at a later date, then so be it, but I will not
>> support it. The Board is a commitment. When you run, you are doing
>> so knowing that meetings will not always happen when convenient and
>> that you are expected to attend 75% of them. There are certainly
>> extenuating circumstances where a case could be made here, but I
>> don't think I've heard any thus far.
>>
>> ~josh
>>
>> On Tue, Aug 18, 2015 at 1:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> Sorry I have to write this email....but...
>>
>> I hope you don't change the rules just because certain members
>> have not complied with them....
>>
>> I was forwarded some emails regarding board attendance today
>> which suggest that the 75% rule of board meeting attendance is now
>> going to be changed because some folks on the board have an issue
>> with it.
>>
>> This is like turkeys voting for Christmas.
>>
>> I respectfully hope the board abides by its own guidelines; if
>> not, I have great issue with the foundation's governance.
>>
>> Respect, for the good guys in OWASP.
>>
>>
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>>
>>
>>
>> On 18 Aug 2015, at 17:08, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> As far as I remember, the idea was proposed to the board by
>>> you and the board took the decision to implement Committee
>>> 2.0. I believe this was done with all good intentions but it is
>>> not working.
>>>
>>>
>>> Actually, I would argue that even though there's only a single
>>> committee right now, it is working exactly as intended. The
>>> truth is that OWASP's leadership sits somewhere in-between an
>>> Oligarchy (as you describe it) and an Anarchy. We're currently
>>> somewhere between Democracy and Ochlocracy depending on the
>>> topic if you really want to get technical. In any case, what
>>> you need to realize is that somebody needs to have the power to
>>> make decisions or decisions will never get made and we veer into
>>> Anarchy. What Committees 2.0 did is specify that decision making
>>> power starts with the Board as they have the fiduciary
>>> responsibility for the OWASP Foundation in all legal sense.
>>> What it also did is allow any of our leaders to carve out a
>>> piece of that power that they are passionate about and run with
>>> it, just as you did with projects. I really thought that we
>>> would see some other committees pop up similar to what we had
>>> before in other core areas of OWASP like Governance or Chapters,
>>> but the fact that there isn't just tells me that as of yet, no
>>> leader is passionate enough about it to carve out that power.
>>> Maybe it's because of time commitments or because of some
>>> perceived "red tape" or even (I hope) because most people think
>>> the Board is doing an OK job making decisions, but the fact is
>>> that the ability is there and you are an example of it being
>>> used. So, as I said, the system is working. Where this is a
>>> void in the community wanting to take the power to make
>>> decisions, the Board fills that void. In other words, if the
>>> community really thinks that they can do something better than
>>> the Board, they can form a Committee (or "Action Team" or
>>> "Initiative" or whatever they want to call it), and do it.
>>>
>>> Projects are global. They promote OWASP at a global level.
>>> What is OWASP known for? For its chapters? Its conferences?
>>> I strongly believe OWASP is known for its projects: Code
>>> Review, Testing Guide, the Cheat Sheets, ASVS, ZAP... Many
>>> references in major publications refer to OWASP Top Ten and
>>> respect them because of its projects. PCI and major vendors
>>> use them as reference and guidelines.
>>>
>>>
>>> There is no doubt in my mind that Projects are important for
>>> OWASP. They spread our mission in places where even our
>>> Chapters cannot go. But, if you want to talk about where most
>>> people interface with OWASP, it's not projects, it's Chapters.
>>> You won't find a reference in a major publication to the OWASP
>>> Austin Chapter, for example, but we held a CryptoParty in
>>> January and invited members of our community, the media, etc to
>>> participate because we wanted to educate others on the
>>> importance of privacy. You're passionate about OWASP Projects,
>>> I get that, and I love it. I'm passionate about OWASP
>>> Chapters. Neither should be trivialized as they both play a
>>> very important role within OWASP.
>>>
>>> What I would like to see is a better schema for them to get more
>>> awareness, especially people doing great things who because
>>> of lack of funds cannot promote their projects. Chapters are
>>> rich, projects are poor. That is in my opinion a huge
>>> imbalance.
>>>
>>>
>>> We have many chapters with small bank accounts, some even
>>> negative, and a few with quite large accounts. Total it all up
>>> and it's a pretty decent sum of money. But, what you're arguing
>>> for here is effectively Socialism. You're saying that it
>>> doesn't matter that the OWASP chapter in Denver busted their ass
>>> (it is over a year's worth of effort by a team of people) to put
>>> on last year's AppSecUSA Conference. It doesn't matter that it
>>> can cost a chapter hundreds if not thousands of dollars to rent
>>> meeting space, bring in food, fly in speakers, etc. You only
>>> see that they have money, you do not, and you want it. Not
>>> because you have a plan to spend it either, because if you did
>>> you could simply ask the Foundation for it, but because it is
>>> perceived as being disproportionate. There is no payoff for
>>> OWASP's mission if we rob from the rich, give to the poor, and
>>> at the end of the day still just have money sitting in a savings
>>> account. This highlights the underlying issue here. The issue
>>> is not that Chapters or Projects HAVE money. The issue is that
>>> they have money and are NOT SPENDING IT to further the OWASP
>>> Mission. Thus, the approach to fix this issue (and I agree that
>>> it's an issue) shouldn't be to take away their money, it should
>>> be to get them to spend it.
>>>
>>> The limit of USD2,000- for supporting a project leader a
>>> year is for most leaders not enough. If a leader outside the US
>>> or EU is invited to Black Hat, that amount is not enough to
>>> cover his traveling expenses. And that's the maximum he can
>>> have in a year after filling in forms and going through some
>>> back-and-forth emails with the staff...
>>>
>>>
>>> Ahhhhh, finally we get to the root of the issue. The issue
>>> isn't that money isn't available, because, frankly, we had a
>>> significant amount of money budgeted last year that wasn't
>>> used. The issue is that there is a cap on what any one project
>>> leader can request/spend. My personal opinion here is that this
>>> $2k cap should be treated as a guideline, not a rule. It is
>>> likely in place to prevent abuse by having a significant amount
>>> of money from the pool go to any one individual. But, that cap
>>> certainly should not prevent the OWASP Foundation from investing
>>> in the projects, and people behind the projects, to make them
>>> better. The Board entrusts Paul, as Executive Director, and the
>>> OWASP staff to handle the day-to-day operations of the OWASP
>>> Foundation. Part of their job is to review these types of
>>> requests in order to determine whether they make sense and there
>>> are funds available. That said, if you get to a point where you
>>> feel that they are being unreasonable, the Board can certainly
>>> step in and try to determine if an exception should be made.
>>> So, net-net, maybe that $2k cap is too low. Should we raise
>>> it? If so, what should it be? What amount would be reasonable
>>> for any one individual to consume from that shared pool of
>>> funds? Guidelines can be changed. Guidelines can even be
>>> overruled for the right reasons. This is a relatively minor
>>> issue that it sounds like should be re-evaluated given rising
>>> costs, bigger budget pools, unused funds, etc. Can you please
>>> come up with a reasonable proposal here and I will take that to
>>> the Board for approval to change this guideline?
>>>
>>> Should we scrap projects and focus on being a dedicated
>>> conference organisation?... That's what I see happening,
>>> whether consciously or not.
>>>
>>>
>>> Your perception is VERY far from the truth. I've spent the past
>>> 8.5 years working with the OWASP Austin chapter and I've seen it
>>> grow from literally 3 people in a monthly meeting to around 70.
>>> You, yourself, even said that OWASP is being referenced in major
>>> publications and our tools are being used around the globe.
>>> That said, keep in mind that the OWASP mission is one of
>>> education, and conferences address that mission directly. They
>>> are also the main fundraiser that helps to make sure that our
>>> chapters and projects have the money that they need in order to
>>> be successful.
>>>
>>> Should we scrap conferences and focus on gathering those funds
>>> to create better platforms for projects and become the
>>> next Apache Foundation?
>>>
>>>
>>> Where do you think those funds would come from? By far, the
>>> majority of OWASP's annual revenue comes from AppSecUSA and
>>> AppSecEU. To be frank, OWASP would be VERY different if it
>>> weren't for our conferences.
>>>
>>> Should we use crowdsourcing for gathering funds for projects
>>> through the OWASP Foundation?
>>>
>>>
>>> This is not a mutually exclusive solution. Yes, absolutely, use
>>> crowdfunding to gather funds for projects. Please prove out
>>> this model of bringing another revenue source to OWASP. I would
>>> imagine that this is a way that projects would be able to get
>>> funds that a chapter never could.
>>>
>>> Project summits = events. That's what I'm proposing. That
>>> summits are treated like events to generate money for
>>> projects so they also have a fair way to generate money as
>>> chapters do. They will depend less on sponsors with
>>> commercial intentions.
>>>
>>>
>>> OK, but every project summit that we have had thus far has cost
>>> OWASP money, not made it. Speaking as the former Co-Chair of
>>> LASCON and AppSecUSA, I can tell you that these types of events
>>> are a lot of work and that it is difficult to attract attendees.
>>> Attendees actually barely end up covering their own costs (food,
>>> schwag, etc). Sponsors and trainings are usually the ones who
>>> generate the profit for these events. So, let's say you do a
>>> project summit. How would you intend to attract attendees who
>>> are willing to pay for the content? If not, how would you
>>> intend to attract sponsors whose sole purpose in being there is
>>> to sell product to the attendees? Especially if you don't want
>>> sponsors with commercial intentions. You would be lucky if you
>>> get enough sponsors to cover costs. Or, in the situation of
>>> every past project summit that we've had, the Foundation ends up
>>> covering the difference. I'm not saying that you shouldn't try
>>> to prove out this model. I'm saying that it hasn't been proven
>>> to date. Also, it's a bit naive to say that chapters leveraging
>>> their members and holding a conference isn't "fair". We should
>>> be encouraging as many endeavors as we can at OWASP that spread
>>> our mission. Even more so if they generate additional revenue
>>> because that helps to further our mission even more after the
>>> conference is over. Nothing is stopping a project from having a
>>> conference. This isn't a matter of "fair" or "unfair". It's a
>>> matter of a team of people putting in the effort and making it
>>> happen. Please don't trivialize those efforts.
>>>
>>> Also more focus on crowdsourcing projects. If people find
>>> it a great idea they will sponsor it.
>>>
>>>
>>> As I said above, I think this is a great idea. Let's do it!
>>>
>>> I will ask the staff to create a survey and ask the
>>> community about it. This is my proposal and based on those
>>> results I hope and expect the board to take actions.
>>>
>>>
>>> Ask the staff to create a survey? Why not make the survey
>>> yourself? What exactly are we surveying and why? The only
>>> thing that I think you've identified as an actual issue
>>> preventing projects from operating efficiently is a cap on the
>>> amount of funding available. That doesn't require a survey to
>>> get changed, just a plan and an approval. I can't guarantee
>>> support or action as it depends on the varying opinions of 7
>>> unique individuals, but the Board would certainly evaluate any
>>> proposal that is put on the table.
>>>
>>> ~josh
>>>
>>> On Mon, Aug 17, 2015 at 8:31 PM, johanna curiel curiel
>>> <johanna.curiel at owasp.org> wrote:
>>>
>>> Josh,
>>>
>>> As far as I remember, the idea was proposed to the board by
>>> you and the board took the decision to implement Committee
>>> 2.0. I believe this was done with all good intentions but it is
>>> not working.
>>> http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html
>>>
>>> In this same email Sarah mentions:
>>>
>>> The 2008 committees worked, for the most part, independently of each other.
>>> This often created duplicate or even conflicting efforts leading to frustration.
>>>
>>> Results now: I'm the only committee, called the Project Task
>>> Force. Maybe that's why no one wants to create any more committees.
>>>
>>> Projects are global. They promote OWASP at a global level.
>>> What is OWASP known for? For its chapters? Its conferences?
>>> I strongly believe OWASP is known for its projects: Code
>>> Review, Testing Guide, the Cheat Sheets, ASVS, ZAP... Many
>>> references in major publications refer to OWASP Top Ten and
>>> respect them because of its projects. PCI and major vendors
>>> use them as reference and guidelines.
>>>
>>> What I would like to see is a better schema for them to get more
>>> awareness, especially people doing great things who because
>>> of lack of funds cannot promote their projects. Chapters are
>>> rich, projects are poor. That is in my opinion a huge
>>> imbalance.
>>>
>>> The limit of USD2,000- for supporting a project leader a
>>> year is for most leaders not enough. If a leader outside the US
>>> or EU is invited to Black Hat, that amount is not enough to
>>> cover his traveling expenses. And that's the maximum he can
>>> have in a year after filling in forms and going through some
>>> back-and-forth emails with the staff...
>>>
>>> * Should we scrap projects and focus on being a dedicated
>>> conference organisation?... That's what I see
>>> happening, whether consciously or not.
>>> * Should we scrap conferences and focus on gathering those
>>> funds to create better platforms for projects and
>>> become the next Apache Foundation?
>>> * Should we use crowdsourcing for gathering funds for
>>> projects through the OWASP Foundation?
>>>
>>>
>>> I would like to see a solution to this or an action.
>>>
>>> Project summits = events. That's what I'm proposing. That
>>> summits are treated like events to generate money for
>>> projects so they also have a fair way to generate money as
>>> chapters do. They will depend less on sponsors with
>>> commercial intentions (easier to avoid Logogate issues and
>>> projects with the intention to promote appsec companies).
>>> Also more focus on crowdsourcing projects. If people find
>>> it a great idea they will sponsor it.
>>>
>>> I will ask the staff to create a survey and ask the
>>> community about it. This is my proposal and based on those
>>> results I hope and expect the board to take actions.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>>
>>>
>>> On Mon, Aug 17, 2015 at 7:41 PM, Mario Robles
>>> <mario.robles at owasp.org> wrote:
>>>
>>> Hey Josh,
>>>
>>> I could be wrong, but the term Committee is commonly
>>> associated with "bureaucracy" even if that's not what you
>>> meant; at least it was the first thing on top of my
>>> head. I'm sure if you change the word Committee to
>>> something like "Action Team" it would be better accepted.
>>>
>>> Just my point of view,
>>>
>>> Mario
>>>
>>>
>>>
>>>
>>> On 17/08/2015 04:21 p.m., Josh Sokol wrote:
>>>>
>>>> I think we need to create Project Summits in the
>>>> form of events with the whole purpose to gather
>>>> funds for projects
>>>>
>>>>
>>>> Please forgive my ignorance. How does a Project Summit
>>>> generate funds for project? Every Project Summit that
>>>> we have had to date has cost the Foundation money,
>>>> hasn't it? Can you please elaborate?
>>>>
>>>> Look, Denver chapter has around 50K in their
>>>> bucket. The richest Project is ZAP with 10k... but
>>>> that's the exception. Even worse when you look at
>>>> chapters outside the US or EU: mine has only USD40
>>>> dollars. Most projects have Zero Dollars.
>>>>
>>>>
>>>> I'm not sure I understand the fixation on what other
>>>> chapters have in their bucket. They have these funds
>>>> because they worked hard to obtain them. In the case
>>>> of Denver, they ran last year's AppSecUSA Conference.
>>>> Just because they have money in their account, it
>>>> doesn't mean that you aren't able to do things with the
>>>> $40 you have in your account. It just means that they
>>>> have to use their account funds first before being able
>>>> to use money from the Foundation pool while you would
>>>> need to request funds from that pool for anything over
>>>> $40. Any sort of reallocation just moves the "ring
>>>> fenced funds" issue to another account. The model of
>>>> chapters and projects having accounts is not what's
>>>> broken here. It's the model of chapters and projects
>>>> saving their funds instead of spending them. This is
>>>> why I voted "no" on the Summer of Code initiative. It
>>>> was giving money to those who already had it and not
>>>> forcing them to spend their funds first. In any case,
>>>> I'm not sure I understand why the amount of money
>>>> Denver has in their account has any impact on any other
>>>> chapter or project other than themselves. We have tens
>>>> of thousands of dollars allocated by the Foundation to
>>>> project and chapters on an annual basis, much of which
>>>> goes completely unused. There is money available at
>>>> OWASP for those who need it and I have yet to hear of a
>>>> situation where someone was told otherwise.
>>>>
>>>> Yes, but how do they know where to go? That's why
>>>> the survey. The survey is the compass. And the
>>>> leaders are elected to listen to the community.
>>>>
>>>>
>>>> I agree with this notion. The OWASP Board should act
>>>> in accordance with the desires of the community and
>>>> should be doing frequent checks to confirm that
>>>> initiatives are aligned.
>>>>
>>>> So the committee concept in theory seemed like a
>>>> great idea but in practice is not working because,
>>>> in my eyes, creating a committee is creating a mini
>>>> board inside OWASP.
>>>>
>>>>
>>>> To be honest, I have been surprised by the lack of
>>>> desire to participate in OWASP Committees. The
>>>> community has said that they want empowerment and the
>>>> goal of the committees was to do that. But, now that
>>>> it's there, nobody wants it? Your example with John
>>>> Lita follows the Committees 2.0 process almost
>>>> verbatim. The only difference is that it provides
>>>> scoping to ensure that we don't have competing, or even
>>>> worse, conflicting initiatives and it specifies that
>>>> the individuals involved need to work within that
>>>> scope. Without it, you have a loosely knit group of
>>>> people running around with their own individual
>>>> initiatives. At that level, OWASP is just a funding
>>>> source for experimentation, not a Foundation. There is
>>>> no accountability, but the liability on the Foundation
>>>> is still there. Legally, we can't just have people
>>>> running around spending money without any form of
>>>> guidance.
>>>>
>>>> Allow me, and let the staff know that they should
>>>> support me and any other volunteers seeking to
>>>> implement their ideas ;-).
>>>> Let's cut the red tape with committees and let
>>>> people know that if they want to do something,
>>>>
>>>> * Contact the staff.
>>>> * Set a survey and gather support
>>>> * Need more money? Set a crowd funding project @
>>>> https://www.kickstarter.com under OWASP
>>>> * Volunteers implement idea or project with the
>>>> support of owasp staff and other volunteers
>>>>
>>>> I'm not sure how this is that much different from a
>>>> Committee. Contact the community via the mailing list
>>>> and gather support, scope the activities (ie. define
>>>> the project), Board ensures that there's no conflict,
>>>> do your thing. The "red tape" that you keep referring
>>>> to is just a process document that walks you through
>>>> how to set up a committee. After that's done, the idea
>>>> was to empower you to act within the defined scope
>>>> without going to the Board. If we're talking
>>>> specifically about projects, which it sounds like this
>>>> is geared towards, then it's even easier. Register as a
>>>> project (so that staff knows you exist and can support
>>>> you) and do your thing. If you need money, ask for
>>>> it. I'm not sure I see the problem here. I'm also not
>>>> sure what you're asking for as it doesn't seem that
>>>> different to me than how the status quo is supposed to
>>>> operate. Is it operating differently in practice than
>>>> it should in theory? I don't have an OWASP project and
>>>> so perhaps I'm blind to the realities. If so, then the
>>>> specific issues need to be addressed by bylaw change,
>>>> policy change, staff engagement, etc. So far, all
>>>> you've said is "projects need money", which you have
>>>> access to, and "cut the red tape", of which I don't see
>>>> anything more than a step to say "Hey, I want to be a
>>>> project". Please help me to understand.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 12:04 PM, johanna curiel curiel
>>>> <johanna.curiel at owasp.org> wrote:
>>>>
>>>> >I don't think there is anything preventing a
>>>> project from doing the same, but I haven't seen it
>>>> done at this point.
>>>>
>>>> I think we need to create Project Summits in the
>>>> form of events with the whole purpose to gather
>>>> funds for projects. OpenSAMM has done this and I
>>>> think we can try that. For that we need the support
>>>> of the staff Business Liaison and Event Manager, just
>>>> as they put their work and efforts into Events and
>>>> AppSecs. Here a cut share between OWASP staff time
>>>> and projects can also be done.
>>>>
>>>> >OWASP has a project funding bucket.
>>>> Look, Denver chapter has around 50K in their
>>>> bucket. The richest Project is ZAP with 10k... but
>>>> that's the exception. Even worse when you look at
>>>> chapters outside the US or EU: mine has only USD40
>>>> dollars. Most projects have Zero Dollars.
>>>> And the limits right now are a support but do not
>>>> help to get important things moving like the OWASP
>>>> Academy portal, leaders like Azzedine assisting and
>>>> showcasing their chapter or project, or other more
>>>> complex initiatives. Or major improvements or
>>>> promotions of their projects.
>>>>
>>>> >Remember that the Board is just a handful of
>>>> leaders who were elected to set the compass.
>>>> Yes, but how do they know where to go? That's why
>>>> the survey. The survey is the compass. And the
>>>> leaders are elected to listen to the community.
>>>>
>>>> And about committees...
>>>> The only existing active committee right now is the
>>>> Project Review (which I still call a
>>>> taskforce). I haven't seen many initiatives or
>>>> participation from other committees. So the
>>>> committee concept in theory seemed like a great
>>>> idea but in practice is not working because, in my
>>>> eyes, creating a committee is creating a mini board
>>>> inside OWASP. We do not want to create oligarchies
>>>> in the end.
>>>>
>>>> I think we should cut off that committee idea and be
>>>> more practical. More like this
>>>>
>>>> Example:
>>>>
>>>> * John Lita wants to create an academy portal, but
>>>> developing it costs money and resources that
>>>> volunteers alone cannot easily pull off (the owaspa
>>>> project was the same and died, just like many
>>>> educational initiatives)
>>>> * John must create a proposal with defined goals
>>>> and how to reach them. He joins other
>>>> volunteers in this effort. No need to be a
>>>> committee.
>>>> * John & Claudia create a survey and seek
>>>> support of the community
>>>> * If the idea has major feedback and
>>>> volunteers, then John has the support from the
>>>> staff to execute including looking for sponsors
>>>> using crowdsource funding portals
>>>> * Staff monitors development and results of the
>>>> actions taken
>>>> * Staff reports results to the community back
>>>>
>>>> This is in my eyes how I have been working in the
>>>> end, because, as volunteers, available time mostly
>>>> depends on one or 2 passionate individuals like
>>>> John-Lita, who are more dedicated, and the rest
>>>> follows...
>>>>
>>>> Now if we want to change things, don't tell me to
>>>> set up a committee, because, Josh, this has not worked
>>>> so far.
>>>>
>>>> Allow me, and let the staff know that they should
>>>> support me and any other volunteers seeking to
>>>> implement their ideas ;-).
>>>> Let's cut the red tape with committees and let
>>>> people know that if they want to do something,
>>>>
>>>> * Contact the staff.
>>>> * Set a survey and gather support
>>>> * Need more money? Set a crowd funding project @
>>>> https://www.kickstarter.com under OWASP
>>>> * Volunteers implement idea or project with the
>>>> support of owasp staff and other volunteers
>>>>
>>>> How do we get this idea to action?
>>>> Shall we create a survey?
>>>> Do you need to discuss this on a board meeting?
>>>> How do I get empowered and let the staff know that
>>>> as a volunteer I have your support for this? (if I do?)
>>>>
>>>> You see... how dependent I am on the board to be
>>>> able to execute?
>>>>
>>>> Of course I can always do this on my own, but then
>>>> I'd better do it without OWASP...
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>> <josh.sokol at owasp.org> wrote:
>>>>
>>>> Johanna,
>>>>
>>>> Thank you for putting your thoughts out there
>>>> for everyone. Silence is not good for anyone
>>>> and OWASP will be far more successful if we
>>>> know what our leaders are struggling with and
>>>> make a conscious effort to improve it. I think
>>>> that many of your points are very valid and
>>>> strongly support the idea of polls to gauge
>>>> community support for actions being taken. I
>>>> also support the idea that the Board should be
>>>> making as few of these decisions as possible
>>>> and putting the power back in the hands of the
>>>> community with support from the staff. The
>>>> Board should be the "compass" making sure that
>>>> we are moving in the right direction with the
>>>> community and staff being the ones actually
>>>> pushing us forward. That's not to say that
>>>> members of the Board won't have their own
>>>> projects or initiatives, but they do so as part
>>>> of the community, not because of their roles on
>>>> the Board. The Committees 2.0 framework was a
>>>> first step in driving this level of empowerment
>>>> back to the community while maintaining
>>>> accountability and providing appropriately
>>>> scoped actions. My impression was that the
>>>> Projects Committee was rolling forward quite
>>>> well under this guidance, but it sounds like
>>>> maybe I was wrong. Are there specific actions
>>>> that you have tried to take on the committee
>>>> that got blocked by the Board or hung up in
>>>> "red tape"? Are there needs for funding that
>>>> haven't been met?
>>>>
>>>> Regarding the project vs chapter funding
>>>> schemas, I'm not sure that there is a good
>>>> answer. Projects are typically made up of a
>>>> pocket of individuals. Typically one leader
>>>> with sometimes one or two others assisting.
>>>> Chapters are typically anywhere from 20 people
>>>> to hundreds. We provide members with the
>>>> ability to allocate their funds to either, but
>>>> most associate themselves with a chapter rather
>>>> than a project because that's where they
>>>> participate. We also have chapters putting on
>>>> conferences with the goal of raising funds. I
>>>> don't think there is anything preventing a
>>>> project from doing the same, but I haven't seen
>>>> it done at this point. Those are the two main
>>>> ways that I see chapters raising money. Yes,
>>>> there is certainly a difference in schemas and
>>>> projects will have a more difficult time, but
>>>> that's also why OWASP has a project funding
>>>> bucket. Money from these local events as well
>>>> as funds raised by our AppSec conferences gets
>>>> budgeted specifically for this purpose. To my
>>>> knowledge, no reasonable request for funds by
>>>> projects has been denied. Just because there
>>>> isn't money sitting "ring fenced" in an account
>>>> for the projects, doesn't mean that there isn't
>>>> money that can be spent. It just means that it
>>>> needs to be requested from the pool. Yes, it's
>>>> a different model of funding, but the end
>>>> result is the same. There are funds available
>>>> at OWASP for everyone who needs them.
>>>>
>>>> There are obviously many things that need to be
>>>> improved at OWASP and, unfortunately, the Board
>>>> has been tied up in rules, events, bylaws, etc
>>>> for a while now. It's definitely not the "fun"
>>>> part of the job and it is very time consuming.
>>>> That said, I would argue that these are the
>>>> things that need to be changed in order for
>>>> everyone else (staff, community, etc) to be
>>>> able to be better served. We've made several
>>>> changes to the Bylaws and are working on more.
>>>> We've hired an Executive Director (Paul), an
>>>> Event Manager (Laura), a Community Manager
>>>> (Noreen), and a Project Coordinator (Claudia)
>>>> just in the almost two years that I've been on
>>>> the Board. The needle on the compass is set
>>>> and, while it takes some time to right the
>>>> ship, we are getting there by giving our
>>>> community the support it requires to be
>>>> successful. So, here's my general thought:
>>>>
>>>> 1) If it's within the scope of a defined
>>>> Committee, JUST DO IT!
>>>>
>>>> 2) If there's no Committee defined for it,
>>>> CREATE ONE, then JUST DO IT!
>>>>
>>>> 3) If a Committee doesn't make sense, ASK THE
>>>> STAFF FOR IT!
>>>>
>>>> 4) If asking the staff isn't working or we need
>>>> to change a policy to make it happen, LET THE
>>>> BOARD KNOW!
>>>>
>>>> The Board should be the last resort, in my
>>>> opinion, not the first. We should be the
>>>> enabler, not the bottleneck. I think that our
>>>> leaders make too many assumptions (probably
>>>> based on past Board actions) about what needs
>>>> to go to the Board and we need to get away from
>>>> that. Remember that the Board is just a handful
>>>> of leaders who were elected to set the
>>>> compass. We have a finite number of things
>>>> that we can handle and our Board meetings are
>>>> typically overflowing with topics. So, if
>>>> something is bothering you, I would encourage
>>>> you to change it. That's why, with the David
>>>> Rook situation, I encouraged creation of a new
>>>> Committee to determine a reasonable solution.
>>>> If it requires a policy change by the Board,
>>>> then we can vote on that, but asking the Board
>>>> to take action just perpetuates the oligarchy
>>>> that you mention in your e-mail. Instead of
>>>> pushing these issues up to the Board for
>>>> action, let's have the community DECIDE what
>>>> they want and have the Board change the compass
>>>> needle via bylaws, policies, and staff
>>>> discussions, accordingly. At least, that's my
>>>> vision for OWASP. Is that something that you
>>>> can get on board with?
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel
>>>> curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>> Members of the board,
>>>>
>>>> With the recent issue regarding David Rook,
>>>> and my latest experience with red-tape, I'm
>>>> proposing the following.
>>>>
>>>> My goal is to call your attention to these
>>>> issues which I have been observing for
>>>> years and not as a critique of your work,
>>>> but I think if you do not pay attention to
>>>> these issues and DO something about them,
>>>> OWASP will lose valuable community
>>>> participation.
>>>>
>>>> * When an initiative is proposed or
>>>> launched by a member of the board, this
>>>> should be followed up by a survey where
>>>> the community can vote. Whether it is a rule
>>>> or money, these decisions should be
>>>> taken based on collected data and
>>>> proper substantiation to avoid oligarchy
>>>> * When an initiative is launched by a
>>>> member of the community, especially
>>>> when this initiative costs more than
>>>> 10k, it should be substantiated with
>>>> data on how this initiative will benefit
>>>> the community. It should also be followed
>>>> by a survey
>>>> * Staff should help create the survey
>>>> and analyse the votes
>>>> * *In other words: do more surveys to find
>>>> out what the community needs and wants.*
>>>>
>>>> My observations and where I think you need
>>>> to give more attention:
>>>>
>>>> * Board/Executive director should work
>>>> closer with the staff for guidance and
>>>> empowering their role. I have the
>>>> feeling that the staff is paralysed
>>>> waiting for instructions or following
>>>> strict rules. The staff should be
>>>> motivated to take initiative and
>>>> implement projects on their own that
>>>> can help the community. They should not
>>>> be too dependent on an Executive
>>>> director or member of the board for
>>>> this part
>>>>
>>>> As I see it, OWASP is known for its
>>>> Projects & Chapter leaders which as
>>>> volunteers have contributed the most to set
>>>> OWASP on the spotlight. Therefore:
>>>>
>>>> * You should determine and implement
>>>> better ways to provide better funding
>>>> schemas for projects. This is
>>>> something a volunteer cannot do. And
>>>> /nothing/ has been done to help solve
>>>> this issue
>>>> * There is an unfair inequality in the
>>>> way chapters can generate funds vs
>>>> Projects.
>>>> * Money is locked down in the chapters budget
>>>> * Chapters outside US & EU have more
>>>> struggles to find support. You should
>>>> consider a way to support better these
>>>> ones since their countries are not
>>>> developed in the area of security as
>>>> countries in EU and US.
>>>> * Follow up: when issues like David Rook
>>>> or a volunteer rants (like me or others)
>>>> out of frustration, take action. Put
>>>> it in the agenda and try to solve and
>>>> discuss the issues to improve the
>>>> actual problems. So far I have seen
>>>> very little follow up on major issues
>>>> and discussions raised in the mailing lists
>>>> * Way too much attention to rules,
>>>> /events/ and bylaws etc. Time to take
>>>> action and take decisions and propose
>>>> plans for improvements of the actual
>>>> situation above mentioned
>>>>
>>>> That being said, and with all due respect
>>>> to you, I hope that you can take actions
>>>> and /execute/ improvements that have been
>>>> an issue since I joined OWASP 3 years ago.
>>>>
>>>>
>>>> Regards
>>>>
>>>>
>>>> Johanna
>>>>
>>>>
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> <mailto:OWASP-Leaders at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!