[Owasp-board] [Governance] On ring-fencing finances, communicating with OWASP and more

Jim Manico jim.manico at owasp.org
Fri Aug 21 03:14:14 UTC 2015

This is a little tangential, but....

"Maintaining an operating reserve -- a cash fund the organization can 
tap in emergencies -- is part of running a good nonprofit. *Putting 
money in the bank instead of spending it on the mission may seem 
counterproductive, but the National Council of Nonprofits says having 
reserves is essential.*"

So basically, chapters who choose to save money and build a reserve - 
that is seen as essential by some.

- Jim

On 8/20/15 5:05 PM, tomb at owasp.org wrote:
> Andrew,
> The reports from the last board meeting are very useful (see reports)
> https://www.owasp.org/index.php/August_12,_2015#Reports_2 (see July 
> numbers)
> And tax filings including:
> 997k to 1.6M is big growth (2014 is missing from the website)
> https://www.owasp.org/images/a/a8/Federal_Tax_Return_990_public_inspection_cop_144599420.pdf
> https://www.owasp.org/index.php/About_OWASP#Form_990_Documents
> And the budgets
> https://www.owasp.org/images/a/ac/2014_Budget_FINAL.pdf
> The spend is light from "HQ" on programs to market, promote, provide 
> resources to the community.
> https://www.owasp.org/index.php/Community_Engagement_-_Payments
> The 499k (earmarked to active chapters 
> https://www.owasp.org/index.php/Donation_Scoreboard) is a small amount 
> in the big picture
> Sent from my iPhone
> On Aug 20, 2015, at 8:17 PM, Andrew van der Stock <vanderaj at owasp.org 
> <mailto:vanderaj at owasp.org>> wrote:
>> Remember, Dinis, Josh and I had a podcast on this a little while ago, 
>> and Dinis noted that it was an experiment to try and get chapters to 
>> be more involved and spend more of their money.
>> As chapters are collecting more and more money which is not being 
>> spent, we as a board need to work out the best way forward. I agree 
>> with Josh that we need to get chapters to spend their money, but I 
>> also feel that as there's no hard and fast bylaw on splits, we need 
>> to work out a new model that is based upon desired outcomes. Money 
>> sitting in the bank doing nothing in a non-profit is not meeting our 
>> mission. We are not a banker to chapters.
>> This time, we really need to do proper modelling to understand the 
>> effect of various splits before we commit to them. Otherwise, we'll 
>> be back here in less than 2 years with chapters with a million in the 
>> bank, and the Foundation and projects still scrapping for tidbits. We 
>> need to have balance. I'm happy to discuss that balance.
>> thanks
>> Andrew
>> On Tue, Aug 18, 2015 at 8:52 AM, <tomb at proactiverisk.com 
>> <mailto:tomb at proactiverisk.com>> wrote:
>>     FYI there is some detail recorded in a few places for clarity.
>>     Archive 2013 60/40 split
>>     https://lists.owasp.org/pipermail/owasp-board/2013-February/011674.html
>>     And here
>>     90/10 Split 2014
>>     https://www.owasp.org/index.php/OWASP_Board_Votes
>>     The first effort was a one (1) year experiment to provide a split to
>>     chapters to get them energized.  It was voted on in year two and
>>     passed as well (2009 time frame). It might be in Kate's notes or
>>     wiki minutes; she was the scribe and took them back in those days, so
>>     they do exist.
>>     Moving to a global model and empowering a local model will solve
>>     this rich/poor chapters debate. Investment in projects will also
>>     solve the current issue. For every $1.00 the foundation brings in,
>>     $0.50 should support projects, $0.25 outreach marketing and $0.25
>>     administrative staff. Will discuss my thoughts on it during my
>>     upcoming board interview in more detail. Take a look at the
>>     annual report this will help put things in context.
>>     Sent from my iPhone
>>     On Aug 17, 2015, at 6:12 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>>     The OWASP foundation made a promise to chapters - years ago -
>>>     that we would isolate earned funds from each chapter for that
>>>     chapter only. We then set up a regional conference profit
>>>     sharing program for chapters and gave chapters a percentage of
>>>     membership funds for members that flagged their chapter. This
>>>     was all set up years ago before the election of any current
>>>     board member.
>>>     I do not think the foundation should break that promise (if not
>>>     verbal contract) to chapters around the world and reverse
>>>     current chapter ringfencing.
>>>     But we can certainly change that policy moving forward if
>>>     needed, which is actively being discussed by the board, staff
>>>     and others.
>>>     I look at this as many things in computer science - as a
>>>     tradeoff, not a battle between good and evil.
>>>     Again, my hope is that we work together as adults to collaborate
>>>     on a better policy if one is needed. *There is no way we are
>>>     going to make everyone happy*. If you mess with chapter
>>>     ringfencing, you are going to upset a lot of very hard working
>>>     and active chapters. If we leave the ringfencing, it's going to
>>>     limit major investment capability of the foundation.
>>>     This is not a cut-and-dried issue in my opinion. I can see the
>>>     benefits either way. I am most concerned about what the
>>>     community thinks is best and what is best for the foundation and
>>>     serving our mission.
>>>     Also, the whole board voting process slows things down. That
>>>     "slowing" factor, like adaptive key generation algorithms, is by
>>>     design. It takes a voting quorum of board members to
>>>     significantly change policy or embark on major investments. So
>>>     for those of you who are frustrated by what you perceive as
>>>     "bureaucracy", what is the alternative? Do you want one
>>>     "king" to just make all decisions? Do you want any member to
>>>     just dictate new policy? I think for sure governance can be very
>>>     inefficient - but no governance is even more inefficient.
>>>     So please, if you want to see something changed - there are
>>>     positive avenues to do so. *Propose a bylaw change to the board
>>>     or just ask questions on the board list,* *talk with members of
>>>     staff,* *participate on the governance email list and trigger
>>>     good debate* - while emailing the leaders list is a good way to
>>>     get community involvement in your cause - please consider
>>>     following through with action that works with the foundation to
>>>     actually make change beyond leaders list email.
>>>     *Communication Resources:*
>>>      1. Contact the Staff w/ Tracking: https://www.tfaforms.com/308703
>>>      2. OWASP Board List: https://lists.owasp.org/listinfo/owasp-board
>>>      3. OWASP Governance List:
>>>         https://lists.owasp.org/mailman/listinfo/governance
>>>     Aloha,
>>>     -- 
>>>     Jim Manico
>>>     Global Board Member
>>>     OWASP Foundation
>>>     https://www.owasp.org
>>>     Join me at AppSecUSA 2015!
>>>     PS: When the OWASP foundation did not use tracking forms, we
>>>     received a large number of complaints that support issues fell
>>>     through the cracks. Now that we have a contact form with a
>>>     tracking ID, we get complaints of bureaucracy. I think it's more
>>>     important to NOT let issues fall through the cracks...
>>>     On 8/17/15 11:31 AM, Eoin Keary wrote:
>>>>     Johanna,
>>>>     The funds distribution in OWASP is broken. Has been broken for
>>>>     years. Some funds are legally allocated to chapters and
>>>>     projects and cannot be moved. Other funds can be moved but the
>>>>     mix is unclear.
>>>>     The Owasp foundation should have reserved the right to allocate
>>>>     funds where required. I believe this has been done but am unsure.
>>>>     I believe some of the funds in OWASP would be best used as
>>>>     banking test data as it will persist in banking systems forever :)
>>>>     This is my humble understanding of the issue.
>>>>     Eoin Keary
>>>>     OWASP Volunteer
>>>>     @eoinkeary
>>>>     On 17 Aug 2015, at 18:04, johanna curiel curiel
>>>>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>      >I don't think there is anything preventing a project from
>>>>>     doing the same, but I haven't seen it done at this point.
>>>>>     I think we need to create Project Summits in the form of
>>>>>     events with the whole purpose to gather funds for projects.
>>>>>     OpenSAMM has done this and I think we can try that. For that
>>>>>     we need the support of the staff Business liaison, Event
>>>>>     manager, just as they put their work and efforts in Events and
>>>>>     AppSecs. Here a cut share between OWASP staff time and projects
>>>>>     can also be done.
>>>>>      >OWASP has a project funding bucket.
>>>>>     Look, the Denver chapter has around 50K in their bucket. The
>>>>>     richest Project is ZAP with 10k... but that is the exception.
>>>>>     Even worse when you look at chapters outside the US or EU: mine
>>>>>     has only USD 40. Most projects have zero dollars.
>>>>>     And the limits right now are a support but do not help to get
>>>>>     important things moving like the OWASP Academy portal, leaders
>>>>>     like Azzedine assisting and showcasing his chapter or project, or
>>>>>     other more complex initiatives. Or major improvements or
>>>>>     promotions to their projects.
>>>>>       >Remember that the Board is just a handful of leaders who
>>>>>     were elected to set the compass.
>>>>>       Yes, but how do they know where to go? That's why the survey.
>>>>>     The survey is the compass. And the leaders are elected to
>>>>>     listen to the community.
>>>>>     And About committees...
>>>>>     The only existing active committee right now is the Project
>>>>>     Review (which I still call a taskforce myself). I haven't seen
>>>>>     many initiatives or much participation from other committees. So
>>>>>     the committee concept in theory seemed like a great idea but
>>>>>     in practice it is not working because, in my eyes, creating a
>>>>>     committee is creating a mini board inside OWASP. We do not
>>>>>     want to create oligarchies in the end.
>>>>>       I think we should cut off that committee idea and be more
>>>>>     practical. More like this
>>>>>       Example:
>>>>>       * John Lita wants to create an academy portal but developing
>>>>>         it costs money and resources that volunteers alone cannot
>>>>>         easily pull off (owaspa project was the same and died,
>>>>>         just like many educational initiatives)
>>>>>       * John must create a proposal with defined goals and how to
>>>>>         reach them. He joins other volunteers in this effort. No
>>>>>         need to be a committee.
>>>>>       * John & Claudia create a survey and seek support of the
>>>>>         community
>>>>>       * If the idea has major feedback and volunteers, then John
>>>>>         has the support from the staff to execute, including
>>>>>         looking for sponsors using crowdsource funding portals
>>>>>       * Staff monitors development and results of the actions taken
>>>>>       * Staff reports results back to the community
>>>>>     This is in my eyes how I have been working in the end, because,
>>>>>     as volunteers, available time mostly depends on one or 2
>>>>>     passionate individuals like John-Lita, who are more
>>>>>     dedicated, and the rest follow...
>>>>>     Now if we want to change things, don't tell me to set up a
>>>>>     committee, because Josh, this has not worked so far.
>>>>>     Allow me and let the staff know that they should support me
>>>>>     and any other volunteers seeking to implement their ideas
>>>>>     ;-).
>>>>>     Lets cut the red tape with committees and let people know that
>>>>>     if they want to do something,
>>>>>       * Contact the staff.
>>>>>       * Set a survey and gather support
>>>>>       * Need more money? Set a crowd funding project @
>>>>>         https://www.kickstarter.com under OWASP
>>>>>       * Volunteers implement idea or project with the support of
>>>>>         owasp staff and other volunteers
>>>>>     How do we get this idea to action?
>>>>>     Shall we create a survey?
>>>>>     Do you need to discuss this on a board meeting?
>>>>>     How do I get empowered and let the staff know that as a
>>>>>     volunteer I have your support for this? (if I do?)
>>>>>     You see... how dependent I am on the board to be able to execute?
>>>>>     Of course I can always do this on my own but then I'd better do
>>>>>     it without OWASP...
>>>>>     Regards
>>>>>     Johanna
>>>>>     On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol
>>>>>     <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>>>>         Johanna,
>>>>>         Thank you for putting your thoughts out there for
>>>>>         everyone. Silence is not good for anyone and OWASP will be
>>>>>         far more successful if we know what our leaders are
>>>>>         struggling with and make a conscious effort to improve
>>>>>         it.  I think that many of your points are very valid and
>>>>>         strongly support the idea of polls to gauge community
>>>>>         support for actions being taken.  I also support the idea
>>>>>         that the Board should be making as few of these decisions
>>>>>         as possible and putting the power back in the hands of the
>>>>>         community with support from the staff.  The Board should
>>>>>         be the "compass" making sure that we are moving in the
>>>>>         right direction with the community and staff being the
>>>>>         ones actually pushing us forward. That's not to say that
>>>>>         members of the Board won't have their own projects or
>>>>>         initiatives, but they do so as part of the community, not
>>>>>         because of their roles on the Board. The Committees 2.0
>>>>>         framework was a first step in driving this level of
>>>>>         empowerment back to the community while maintaining
>>>>>         accountability and providing appropriately scoped
>>>>>         actions.  My impression was that the Projects Committee
>>>>>         was rolling forward quite well under this guidance, but it
>>>>>         sounds like maybe I was wrong. Are there specific actions
>>>>>         that you have tried to take on the committee that got
>>>>>         blocked by the Board or hung up in "red tape"? Are there
>>>>>         needs for funding that haven't been met?
>>>>>         Regarding the project vs chapter funding schemas, I'm not
>>>>>         sure that there is a good answer. Projects are typically
>>>>>         made up of a pocket of individuals. Typically one leader
>>>>>         with sometimes one or two others assisting. Chapters are
>>>>>         typically anywhere from 20 people to hundreds.  We provide
>>>>>         members with the ability to allocate their funds to
>>>>>         either, but most associate themselves with a chapter
>>>>>         rather than a project because that's where they
>>>>>         participate. We also have chapters putting on conferences
>>>>>         with the goal of raising funds.  I don't think there is
>>>>>         anything preventing a project from doing the same, but I
>>>>>         haven't seen it done at this point. Those are the two main
>>>>>         ways that I see chapters raising money.  Yes, there is
>>>>>         certainly a difference in schemas and projects will have a
>>>>>         more difficult time, but that's also why OWASP has a
>>>>>         project funding bucket.  Money from these local events as
>>>>>         well as funds raised by our AppSec conferences gets
>>>>>         budgeted specifically for this purpose.  To my knowledge,
>>>>>         no reasonable request for funds by projects has been
>>>>>         denied. Just because there isn't money sitting "ring
>>>>>         fenced" in an account for the projects, doesn't mean that
>>>>>         there isn't money that can be spent.  It just means that
>>>>>         it needs to be requested from the pool. Yes, it's a
>>>>>         different model of funding, but the end result is the
>>>>>         same. There are funds available at OWASP for everyone who
>>>>>         needs them.
>>>>>         There are obviously many things that need to be improved
>>>>>         at OWASP and, unfortunately, the Board has been tied up in
>>>>>         rules, events, bylaws, etc. for a while now. It's
>>>>>         definitely not the "fun" part of the job and it is very
>>>>>         time consuming. That said, I would argue that these are
>>>>>         the things that need to be changed in order for everyone
>>>>>         else (staff, community, etc) to be able to be better
>>>>>         served. We've made several changes to the Bylaws and are
>>>>>         working on more.  We've hired an Executive Director
>>>>>         (Paul), an Event Manager (Laura), a Community Manager
>>>>>         (Noreen), and a Project Coordinator (Claudia) just in the
>>>>>         almost two years that I've been on the Board.  The needle
>>>>>         on the compass is set and, while it takes some time to
>>>>>         right the ship, we are getting there by giving our
>>>>>         community the support it requires to be successful.  So,
>>>>>         here's my general thought:
>>>>>         1) If it's within the scope of a defined Committee, JUST
>>>>>         DO IT!
>>>>>         2) If there's no Committee defined for it, CREATE ONE,
>>>>>         then JUST DO IT!
>>>>>         3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>>>>         4) If asking the staff isn't working or we need to change
>>>>>         a policy to make it happen, LET THE BOARD KNOW!
>>>>>         The Board should be the last resort, in my opinion, not
>>>>>         the first. We should be the enabler, not the bottleneck. 
>>>>>         I think that our leaders make too many assumptions
>>>>>         (probably based on past Board actions) about what needs to
>>>>>         go to the Board and we need to get away from that. 
>>>>>         Remember that the Board is just a handful of leaders who
>>>>>         were elected to set the compass.  We have a finite number
>>>>>         of things that we can handle and our Board meetings are
>>>>>         typically overflowing with topics. So, if something is
>>>>>         bothering you, I would encourage you to change it.  That's
>>>>>         why, with the David Rook situation, I encouraged creation
>>>>>         of a new Committee to determine a reasonable solution.  If
>>>>>         it requires a policy change by the Board, then we can vote
>>>>>         on that, but asking the Board to take action just
>>>>>         perpetuates the oligarchy that you mention in your e-mail.
>>>>>         Instead of pushing these issues up to the Board for
>>>>>         action, let's have the community DECIDE what they want and
>>>>>         have the Board change the compass needle via bylaws,
>>>>>         policies, and staff discussions, accordingly.  At least,
>>>>>         that's my vision for OWASP.  Is that something that you
>>>>>         can get on board with?
>>>>>         ~josh
>>>>>         On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel
>>>>>         <johanna.curiel at owasp.org
>>>>>         <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>             Members of the board,
>>>>>             With the recent issue regarding David Rook, and my
>>>>>             latest experience with red-tape, I'm proposing the
>>>>>             following.
>>>>>             My goal is to call your attention to these issues,
>>>>>             which I have been observing for years, and not as a
>>>>>             critique of your work, but I think if you do not pay
>>>>>             attention to these issues and DO something about them,
>>>>>             OWASP will lose valuable community participation.
>>>>>               * When an initiative is proposed or launched by a
>>>>>                 member of the board, this should be followed up by
>>>>>                 a survey where the community can vote. Whether it is a
>>>>>                 rule or money, these decisions should be taken
>>>>>                 based on collected data and proper substantiation
>>>>>                 to avoid oligarchy
>>>>>               * When an initiative is launched by a member of the
>>>>>                 community, especially when this initiative costs
>>>>>                 more than 10k, it should be substantiated with
>>>>>                 data how this initiative will benefit the
>>>>>                 community. Also should be followed by a survey
>>>>>               * Staff should help creating the survey and analyse
>>>>>                 the votes
>>>>>               * *In other words: do more surveys to find out what
>>>>>                 the community needs and wants.*
>>>>>             My observations and where I think you need to give
>>>>>             more attention:
>>>>>               * Board/Executive director should work closer with
>>>>>                 the staff for guidance and empowering their role.
>>>>>                 I have the feeling that the staff is paralysed
>>>>>                 waiting for instructions or following strict
>>>>>                 rules. The staff should be motivated to take
>>>>>                 initiative and implement projects on their own
>>>>>                 that can help the community. They should not be
>>>>>                 too dependent on an Executive director or member
>>>>>                 of the board for this part
>>>>>             As I see it, OWASP is known for its Projects & Chapter
>>>>>             leaders who as volunteers have contributed the most
>>>>>             to set OWASP on the spotlight. Therefore:
>>>>>               * You should determine and implement better ways to
>>>>>                 provide better funding schemas for projects. This
>>>>>                 is something a volunteer cannot do. And /nothing/
>>>>>                 has been done to help solve this issue
>>>>>               * There is an unfair inequality in the way chapters
>>>>>                 can generate funds vs Projects.
>>>>>               * Money is locked down in the chapters budget
>>>>>               * Chapters outside US & EU have more struggles to
>>>>>                 find support. You should consider a way to support
>>>>>                 better these ones since their countries are not
>>>>>                 developed in the area of security as countries in
>>>>>                 EU and US.
>>>>>               * Follow up: when issues like David Rook or a
>>>>>                 volunteer rants (like me or others) out of
>>>>>                 frustration, take action. Put it in the agenda and
>>>>>                 try to solve and discuss the issues to improve the
>>>>>                 actual problems. So far I have seen very little
>>>>>                 follow up on major issues and discussions raised
>>>>>                 in the mailing lists
>>>>>               * Way too much attention to rules, /events/ and
>>>>>                 bylaws etc. Time to take action and take decisions
>>>>>                 and propose plans for improvements of the actual
>>>>>                 situation above mentioned
>>>>>             That being said, and with all due respect to you, I
>>>>>             hope that you can take actions and /execute/
>>>>>             improvements that have been an issue since I joined
>>>>>             OWASP 3 years ago.
>>>>>             Regards
>>>>>             Johanna
>>>>>             _______________________________________________
>>>>>             Governance mailing list
>>>>>             Governance at lists.owasp.org
>>>>>             <mailto:Governance at lists.owasp.org>
>>>>>             https://lists.owasp.org/mailman/listinfo/governance
>>>>>     -- 
>>>>>     You received this message because you are subscribed to the
>>>>>     Google Groups "OWASP Projects Task Force" group.
>>>>>     To unsubscribe from this group and stop receiving emails from
>>>>>     it, send an email to projects-task-force+unsubscribe at owasp.org
>>>>>     <mailto:projects-task-force+unsubscribe at owasp.org>.
>>>>>     To post to this group, send email to
>>>>>     projects-task-force at owasp.org
>>>>>     <mailto:projects-task-force at owasp.org>.
>>>>>     To view this discussion on the web visit
>>>>>     https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/CACxry_0p_kEGLn%3DCK38cQf%3Dv0gKoVB0R82Y10U1VmKvu_vm32Q%40mail.gmail.com.
>>>     _______________________________________________
>>>     Owasp-board mailing list
>>>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>>     https://lists.owasp.org/mailman/listinfo/owasp-board

Jim Manico
Global Board Member
OWASP Foundation
Join me at AppSecUSA 2015!
