[Owasp-board] [Governance] On ring-fencing finances, communicating with OWASP and more
Jim Manico
jim.manico at owasp.org
Fri Aug 21 03:14:14 UTC 2015
This is a little tangential, but....
"Maintaining an operating reserve -- a cash fund the organization can
tap in emergencies -- is part of running a good nonprofit. *Putting
money in the bank instead of spending it on the mission may seem
counterproductive, but the National Council of Nonprofits says having
reserves is essential.*"
-
http://smallbusiness.chron.com/can-nonprofit-organization-savings-account-61626.html
So basically, chapters choosing to save money and build a reserve is
seen as essential by some.
- Jim
On 8/20/15 5:05 PM, tomb at owasp.org wrote:
> Andrew,
>
> The reports from the last board meeting are very useful (see reports)
>
> https://www.owasp.org/index.php/August_12,_2015#Reports_2 (see July
> numbers)
>
> And tax filings including;
>
> 997k to 1.6M is big growth (2014 is missing from the website)
> https://www.owasp.org/images/a/a8/Federal_Tax_Return_990_public_inspection_cop_144599420.pdf
>
> https://www.owasp.org/index.php/About_OWASP#Form_990_Documents
>
> And the budgets
> https://www.owasp.org/images/a/ac/2014_Budget_FINAL.pdf
>
> The spend is light from "HQ" on programs to market, promote, provide
> resources to the community.
>
> https://www.owasp.org/index.php/Community_Engagement_-_Payments
>
> The 499k (earmarked to active chapters
> https://www.owasp.org/index.php/Donation_Scoreboard) is a small amount
> in the big picture
>
> Sent from my iPhone
>
> On Aug 20, 2015, at 8:17 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>> Remember, Dinis, Josh and I had a podcast on this a little while ago,
>> and Dinis noted that it was an experiment to try and get chapters to
>> be more involved and spend more of their money.
>>
>> As chapters are collecting more and more money which is not being
>> spent, we as a board need to work out the best way forward. I agree
>> with Josh that we need to get chapters to spend their money, but I
>> also feel that as there's no hard and fast bylaw on splits, we need
>> to work out a new model that is based upon desired outcomes. Money
>> sitting in the bank doing nothing in a non-profit is not meeting our
>> mission. We are not a banker to chapters.
>>
>> This time, we really need to do proper modelling to understand the
>> effect of various splits before we commit to them. Otherwise, we'll
>> be back here in less than 2 years with chapters with a million in the
>> bank, and the Foundation and projects still scrapping for tidbits. We
>> need to have balance. I'm happy to discuss that balance.
>>
>> thanks
>> Andrew
>>
>>
>> On Tue, Aug 18, 2015 at 8:52 AM, <tomb at proactiverisk.com> wrote:
>>
>> FYI there is some detail recorded in a few places for clarity.
>>
>> Archive 2013 60/40 split
>> https://lists.owasp.org/pipermail/owasp-board/2013-February/011674.html
>>
>> And here
>>
>> 90/10 Split 2014
>> https://www.owasp.org/index.php/OWASP_Board_Votes
>>
>> The first effort was a (1) year experiment to provide a split to
>> chapters to get them energized. It was voted on year two and
>> passed as well. (2009 time frame) might've in Kate's notes or
>> wiki mins she was the scribe and took them back in those days
>> they do exist.
>>
>> Moving to a global model and empowering a local model will solve
>> this rich/poor chapters debate. Investment in projects will also
>> solve the current issue. For every $1.00 the foundation brings in
>> $.50 should support projects, .25 outreach marketing and .25
>> administrative staff. Will discuss my thoughts on it during my
>> upcoming board interview in more detail. Take a look at the
>> annual report this will help put things in context.
>>
>> Sent from my iPhone
>>
>> On Aug 17, 2015, at 6:12 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> The OWASP foundation made a promise to chapters - years ago -
>>> that we would isolate earned funds from each chapter for that
>>> chapter only. We then set up a regional conference profit
>>> sharing program for chapters and gave chapters a percentage of
>>> membership funds for members that flagged their chapter. This
>>> was all set up years ago before the election of any current
>>> board member.
>>>
>>> I do not think the foundation should break that promise (if not
>>> verbal contract) to chapters around the world and reverse
>>> current chapter ringfencing.
>>>
>>> But we can certainly change that policy moving forward if
>>> needed, which is actively being discussed by the board, staff
>>> and others.
>>>
>>> I look at this as many things in computer science - as a
>>> tradeoff, not a battle between good and evil.
>>>
>>> Again, my hope is that we work together as adults to collaborate
>>> on a better policy if one is needed. *There is no way we are
>>> going to make everyone happy*. If you mess with chapter
>>> ringfencing, you are going to upset a lot of very hard working
>>> and active chapters. If we leave the ringfencing, it's going to
>>> limit major investment capability of the foundation.
>>>
>>> This is not a cut and dry issue in my opinion. I can see the
>>> benefits either way. I am most concerned about what the
>>> community thinks is best and what is best for the foundation and
>>> serving our mission.
>>>
>>> Also, the whole board voting process slows things down. That
>>> "slowing" factor, like adaptive key generation algorithms, is by
>>> design. It takes a voting quorum of board members to
>>> significantly change policy or embark on major investments. So
>>> for those of you who are frustrated by what you perceive as
>>> "bureaucracy" then what is the alternative? Do you want one
>>> "king" to just make all decisions? Do you want any member to
>>> just dictate new policy? I think for sure governance can be very
>>> inefficient - but no governance is even more inefficient.
>>>
>>> So please, if you want to see something changed - there are
>>> positive avenues to do so. *Propose a bylaw change to the board
>>> or just ask questions on the board list,* *talk with members of
>>> staff,* *participate on the governance email list and trigger
>>> good debate* - while emailing the leaders list is a good way to
>>> get community involvement in your cause - please consider
>>> following through with action that works with the foundation to
>>> actually make change beyond leaders list email.
>>>
>>> *Communication Resources:*
>>>
>>> 1. Contact the Staff w/ Tracking: https://www.tfaforms.com/308703
>>> 2. OWASP Board List: https://lists.owasp.org/listinfo/owasp-board
>>> 3. OWASP Governance List:
>>> https://lists.owasp.org/mailman/listinfo/governance
>>>
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me at AppSecUSA 2015!
>>>
>>> PS: When the OWASP foundation did not use tracking forms, we
>>> received a large number of complaints that support issues fell
>>> through the cracks. Now that we have a contact form with a
>>> tracking ID, we get complaints of bureaucracy. I think it's more
>>> important to NOT let issues fall through the cracks...
>>>
>>>
>>>
>>>
>>> On 8/17/15 11:31 AM, Eoin Keary wrote:
>>>> Johanna,
>>>> The funds distribution in OWASP is broken. Has been broken for
>>>> years. Some funds are legally allocated to chapters and
>>>> projects and can not be moved. Other funds can be moved but the
>>>> mix is unclear.
>>>> The Owasp foundation should have reserved the right to allocate
>>>> funds where required. I believe this has been done but unsure.
>>>>
>>>> I believe some of the funds in OWASP would be best used as
>>>> banking test data as it will persist in banking systems forever :)
>>>>
>>>> This is my humble understanding of the issue.
>>>>
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>>
>>>> On 17 Aug 2015, at 18:04, johanna curiel curiel
>>>> <johanna.curiel at owasp.org> wrote:
>>>>
>>>>> >I don't think there is anything preventing a project from
>>>>> doing the same, but I haven't seen it done at this point.
>>>>>
>>>>> I think we need to create Project Summits in the form of
>>>>> events with the whole purpose to gather funds for projects.
>>>>> Open SAMM has done this and I think we can try that. For that
>>>>> we need the support of the staff Business liaison, Event
>>>>> manager, just as they put their work and efforts in Events and
>>>>> appsecs. Here cut share between OWASP staff time and projects
>>>>> can also be done.
>>>>>
>>>>> >OWASP has a project funding bucket.
>>>>> Look, Denver chapter has around 50K in their bucket. The
>>>>> richest Project is ZAP with 10k... but that is the exception.
>>>>> Even worse when you look at chapters outside US or EU, mine
>>>>> has only USD40 dollars. Most projects have Zero Dollars.
>>>>> And the limits right now are a support but do not help to get
>>>>> important things moving like OWASP Academy portal, Leaders
>>>>> like Azzedine assist and show case his chapter or project or
>>>>> other more complex initiatives. Or major improvements or
>>>>> promotions to their projects.
>>>>>
>>>>> >Remember that the Board is just a handful of leaders who
>>>>> were elected to set the compass.
>>>>> Yes but how do they know where to go, that's why the survey.
>>>>> The survey is the compass. And the leaders are elected to
>>>>> listen to the community.
>>>>>
>>>>> And About committees...
>>>>> The only existing active committee right now is the Project
>>>>> Review (which I still call myself a taskforce). I haven't seen
>>>>> much initiative or participation from other committees. So
>>>>> the committee concept in theory seemed like a great idea but
>>>>> in practice is not working because in my eyes, creating a
>>>>> committee is creating a mini board inside OWASP. We do not
>>>>> want to create oligarchies in the end.
>>>>>
>>>>> I think we should cut off that committee idea and be more
>>>>> practical. More like this
>>>>>
>>>>> Example:
>>>>>
>>>>> * John Lita wants to create an academy portal but developing
>>>>> it costs money and resources that volunteers alone cannot
>>>>> easily pull off (owaspa project was the same and died,
>>>>> just like many educational initiatives)
>>>>> * John must create a proposal with defined goals and how to
>>>>> reach them. He joins other volunteers in this effort. No
>>>>> need to be a committee.
>>>>> * John & Claudia create a survey and seek support of the
>>>>> community
>>>>> * If the idea has major feedback and volunteers, then John
>>>>> has the support from the staff to execute including
>>>>> looking for sponsors using crowdsource funding portals
>>>>> * Staff monitors development and results of the actions taken
>>>>> * Staff reports results to the community back
>>>>>
>>>>> This is in my eyes how I have been working in the end, because
>>>>> , as volunteers, available time mostly depends on one or 2
>>>>> passionate individuals like John-Lita, which are more
>>>>> dedicated and the rest follows...
>>>>>
>>>>> Now if we want to change things, don't tell me to set a
>>>>> committee, because Josh, this has not worked so far.
>>>>>
>>>>> Allow me and let the staff know that they should support me
>>>>> and any other volunteers seeking for implementing their ideas
>>>>> ;-).
>>>>> Lets cut the red tape with committees and let people know that
>>>>> if they want to do something,
>>>>>
>>>>> * Contact the staff.
>>>>> * Set a survey and gather support
>>>>> * Need more money? Set a crowd funding project @
>>>>> https://www.kickstarter.com under OWASP
>>>>> * Volunteers implement idea or project with the support of
>>>>> owasp staff and other volunteers
>>>>>
>>>>> How do we get this idea to action?
>>>>> Shall we create a survey?
>>>>> Do you need to discuss this on a board meeting?
>>>>> How do I get empowered and let the staff know that as a
>>>>> volunteer I have your support for this? (if I do?)
>>>>>
>>>>> You see...how dependent I am on the board to be able to execute?
>>>>>
>>>>> Of course I can always do this on my own but then I better do
>>>>> it without OWASP...
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>>> <josh.sokol at owasp.org> wrote:
>>>>>
>>>>> Johanna,
>>>>>
>>>>> Thank you for putting your thoughts out there for
>>>>> everyone. Silence is not good for anyone and OWASP will be
>>>>> far more successful if we know what our leaders are
>>>>> struggling with and make a conscious effort to improve
>>>>> it. I think that many of your points are very valid and
>>>>> strongly support the idea of polls to gauge community
>>>>> support for actions being taken. I also support the idea
>>>>> that the Board should be making as few of these decisions
>>>>> as possible and putting the power back in the hands of the
>>>>> community with support from the staff. The Board should
>>>>> be the "compass" making sure that we are moving in the
>>>>> right direction with the community and staff being the
>>>>> ones actually pushing us forward. That's not to say that
>>>>> members of the Board won't have their own projects or
>>>>> initiatives, but they do so as part of the community, not
>>>>> because of their roles on the Board. The Committees 2.0
>>>>> framework was a first step in driving this level of
>>>>> empowerment back to the community while maintaining
>>>>> accountability and providing appropriately scoped
>>>>> actions. My impression was that the Projects Committee
>>>>> was rolling forward quite well under this guidance, but it
>>>>> sounds like maybe I was wrong. Are there specific actions
>>>>> that you have tried to take on the committee that got
>>>>> blocked by the Board or hung up in "red tape"? Are there
>>>>> needs for funding that haven't been met?
>>>>>
>>>>> Regarding the project vs chapter funding schemas, I'm not
>>>>> sure that there is a good answer. Projects are typically
>>>>> made up of a pocket of individuals. Typically one leader
>>>>> with sometimes one or two others assisting. Chapters are
>>>>> typically anywhere from 20 people to hundreds. We provide
>>>>> members with the ability to allocate their funds to
>>>>> either, but most associate themselves with a chapter
>>>>> rather than a project because that's where they
>>>>> participate. We also have chapters putting on conferences
>>>>> with the goal of raising funds. I don't think there is
>>>>> anything preventing a project from doing the same, but I
>>>>> haven't seen it done at this point. Those are the two main
>>>>> ways that I see chapters raising money. Yes, there is
>>>>> certainly a difference in schemas and projects will have a
>>>>> more difficult time, but that's also why OWASP has a
>>>>> project funding bucket. Money from these local events as
>>>>> well as funds raised by our AppSec conferences gets
>>>>> budgeted specifically for this purpose. To my knowledge,
>>>>> no reasonable request for funds by projects has been
>>>>> denied. Just because there isn't money sitting "ring
>>>>> fenced" in an account for the projects, doesn't mean that
>>>>> there isn't money that can be spent. It just means that
>>>>> it needs to be requested from the pool. Yes, it's a
>>>>> different model of funding, but the end result is the
>>>>> same. There are funds available at OWASP for everyone who
>>>>> needs them.
>>>>>
>>>>> There are obviously many things that need to be improved
>>>>> at OWASP and, unfortunately, the Board has been tied up in
>>>>> rules, events, bylaws, etc for a while now. It's
>>>>> definitely not the "fun" part of the job and it is very
>>>>> time consuming. That said, I would argue that these are
>>>>> the things that need to be changed in order for everyone
>>>>> else (staff, community, etc) to be able to be better
>>>>> served. We've made several changes to the Bylaws and are
>>>>> working on more. We've hired an Executive Director
>>>>> (Paul), an Event Manager (Laura), a Community Manager
>>>>> (Noreen), and a Project Coordinator (Claudia) just in the
>>>>> almost two years that I've been on the Board. The needle
>>>>> on the compass is set and, while it takes some time to
>>>>> right the ship, we are getting there by giving our
>>>>> community the support it requires to be successful. So,
>>>>> here's my general thought:
>>>>>
>>>>> 1) If it's within the scope of a defined Committee, JUST
>>>>> DO IT!
>>>>>
>>>>> 2) If there's no Committee defined for it, CREATE ONE,
>>>>> then JUST DO IT!
>>>>>
>>>>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>>>>
>>>>> 4) If asking the staff isn't working or we need to change
>>>>> a policy to make it happen, LET THE BOARD KNOW!
>>>>>
>>>>> The Board should be the last resort, in my opinion, not
>>>>> the first. We should be the enabler, not the bottleneck.
>>>>> I think that our leaders make too many assumptions
>>>>> (probably based on past Board actions) about what needs to
>>>>> go to the Board and we need to get away from that.
>>>>> Remember that the Board is just a handful of leaders who
>>>>> were elected to set the compass. We have a finite number
>>>>> of things that we can handle and our Board meetings are
>>>>> typically overflowing with topics. So, if something is
>>>>> bothering you, I would encourage you to change it. That's
>>>>> why, with the David Rook situation, I encouraged creation
>>>>> of a new Committee to determine a reasonable solution. If
>>>>> it requires a policy change by the Board, then we can vote
>>>>> on that, but asking the Board to take action just
>>>>> perpetuates the oligarchy that you mention in your e-mail.
>>>>> Instead of pushing these issues up to the Board for
>>>>> action, let's have the community DECIDE what they want and
>>>>> have the Board change the compass needle via bylaws,
>>>>> policies, and staff discussions, accordingly. At least,
>>>>> that's my vision for OWASP. Is that something that you
>>>>> can get on board with?
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel
>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Members of the board,
>>>>>
>>>>> With the recent issue regarding David Rook, and my
>>>>> latest experience with red-tape, I'm proposing the
>>>>> following.
>>>>>
>>>>> My goal is to call your attention to these issues
>>>>> which I have been observing for years and not as a
>>>>> critique to your work, but I think if you do not pay
>>>>> attention to these issues and DO something about them,
>>>>> OWASP will lose valuable community participation.
>>>>>
>>>>> * When an initiative is proposed or launched by a
>>>>> member of the board, this should be followed up by
>>>>> a survey where the community can vote. Whether it is a
>>>>> rule or money, these decisions should be taken
>>>>> based on collected data and proper substantiation
>>>>> to avoid oligarchy
>>>>> * When an initiative is launched by a member of the
>>>>> community, especially when this initiative cost
>>>>> more than 10k, it should be substantiated with
>>>>> data how this initiative will benefit the
>>>>> community. Also should be followed by a survey
>>>>> * Staff should help creating the survey and analyse
>>>>> the votes
>>>>> * *In other words: do more survey to find out what
>>>>> the community needs and wants.*
>>>>>
>>>>> My observations and where I think you need to give
>>>>> more attention:
>>>>>
>>>>> * Board/Executive director should work closer with
>>>>> the staff for guidance and empowering their role.
>>>>> I have the feeling that the staff is paralysed
>>>>> waiting for instructions or following strict
>>>>> rules. The staff should be motivated to take
>>>>> initiative and implement projects on their own
>>>>> that can help the community. They should not be
>>>>> too dependent on an Executive director or member
>>>>> of the board for this part
>>>>>
>>>>> As I see it, OWASP is known for its Projects & Chapter
>>>>> leaders which as volunteers have contributed the most
>>>>> to set OWASP on the spotlight. Therefore:
>>>>>
>>>>> * You should determine and implement better ways to
>>>>> provide better funding schemas for projects . This
>>>>> is something a volunteer cannot do. And /nothing/
>>>>> has been done to help solve this issue
>>>>> * There is an unfair inequality in the way chapters
>>>>> can generate funds vs Projects.
>>>>> * Money is locked down in the chapters budget
>>>>> * Chapters outside US & EU have more struggles to
>>>>> find support. You should consider a way to support
>>>>> better these ones since their countries are not
>>>>> developed in the area of security as countries in
>>>>> EU and US.
>>>>> * Follow up: when issues like David Rook or a
>>>>> volunteer rants(like me or others ) out of
>>>>> frustration, take action. Put it in the agenda and
>>>>> try to solve and discuss the issues to improve the
>>>>> actual problems. So far I have seen very little
>>>>> follow up on major issues and discussions raised
>>>>> in the mailing lists
>>>>> * Way too much attention to rules, /events/ and
>>>>> bylaws etc. Time to take action and take decisions
>>>>> and propose plans for improvements of the actual
>>>>> situation above mentioned
>>>>>
>>>>> Being that said, and with all due respect to you, I
>>>>> hope that you can take actions and /execute/
>>>>> improvements that have been an issue since I joined
>>>>> OWASP 3 years ago.
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Governance mailing list
>>>>> Governance at lists.owasp.org
>>>>> <mailto:Governance at lists.owasp.org>
>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the
>>>>> Google Groups "OWASP Projects Task Force" group.
>>>>> To unsubscribe from this group and stop receiving emails from
>>>>> it, send an email to projects-task-force+unsubscribe at owasp.org
>>>>> <mailto:projects-task-force+unsubscribe at owasp.org>.
>>>>> To post to this group, send email to
>>>>> projects-task-force at owasp.org
>>>>> <mailto:projects-task-force at owasp.org>.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/CACxry_0p_kEGLn%3DCK38cQf%3Dv0gKoVB0R82Y10U1VmKvu_vm32Q%40mail.gmail.com.
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>> WARNING: E-mail transmission cannot be guaranteed to be secure or
>> error-free as information could be intercepted, corrupted, lost,
>> destroyed, arrive late or incomplete, or contain viruses. The
>> sender therefore does not accept liability for any errors or
>> omissions in the contents of this message, which arise as a
>> result of e-mail transmission. No employee or agent is authorized
>> to conclude any binding agreement on behalf of ProactiveRISK with
>> another party by email.
>>
>>
>
>
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!