[Owasp-board] [Governance] Bylaw Update Discussion - Board Member Confidence
Jim Manico
jim.manico at owasp.org
Wed Aug 26 12:53:25 UTC 2015
Josh,
+1 on both accounts. I am personally very grateful for your many and
regular contributions on the board, even when we disagree on occasion. I
think you handle conflict extremely well and I appreciate your strong
sense of ethics.
Keep on rockin' in the free world.
Aloha,
Jim
On 8/26/15 7:13 AM, Josh Sokol wrote:
> Fabio,
>
> I did not express any concern about the 75% requirement. I think it
> is a very reasonable expectation to have a Board member not miss more
> than 3 meetings a year. Even that number seems high to me. I don't
> see any issue if Michael or Andrew were to trigger a vote of
> confidence if they were to miss another meeting. In all likelihood,
> if that were to happen, we would just handle it exactly as we handled
> your situation. We recognize contributions outside of the meetings
> and move on. That said, if a Board member got elected, and simply
> wasn't attending meetings, or wasn't putting in any effort, would you
> really want to wait longer than 3 months to have the OPTION to remove
> them? This process is working exactly as it was designed to. Why
> would we want to change it all of a sudden now that someone was
> falling below the bar?
>
> With respect to changing the in-person Board meeting requirements, I
> strongly object. I was the one who petitioned the Board to have this
> requirement changed from MUST to SHOULD in the first place. While my
> family and work obligations make travel quite difficult for me, I
> don't think it has sacrificed my participation in the Board at all.
> And in terms of interaction with the community, I was out at both
> BSides Las Vegas and BlackHat where OWASP had a presence at both.
> Were you? I participate in the MONTHLY OWASP Austin chapter meetings,
> MONTHLY happy hours, and LASCON. I attend many other local and
> regional security events such as BSides Austin and HouSecCon. So,
> there are MANY other ways for a Board member to meet with the
> community, talk about their needs, and help them progress their
> projects without an in-person Board meeting. With OWASP having a
> highly-distributed global Board, and in this age of technology, the
> idea that we all have to be in the same place to get something done is
> ludicrous. Is it more ideal? Absolutely. Should it be a
> requirement? Absolutely not.
>
> ~josh
>
> On Tue, Aug 25, 2015 at 5:08 AM, Fabio Cerullo <fcerullo at owasp.org
> <mailto:fcerullo at owasp.org>> wrote:
>
> Bill,
>
> Thanks for updating the wording in the clause below. I have some
> comments regarding the 75% attendance requirement.
>
> Besides Josh, several board members already expressed a concern
> about this requirement and are willing to lower/eliminate it.
>
> Just to give you an example: Michael and Andrew will trigger a
> vote of CONFIDENCE if they miss another meeting during the
> calendar year.
>
> https://docs.google.com/spreadsheets/d/1wpaOCBP-qrnde0sLiglDMJOUCtse6oB-zf3ONCkWgZk/edit?pli=1#gid=6
>
> I think that is counterproductive and will send us in a spiral of
> votes of CONFIDENCE at every Board meeting. I would suggest to
> lower that requirement or NOT making the vote of CONFIDENCE a
> requirement for meetings attendance. The vote of CONFIDENCE should
> be a mechanism to expel a Board member if they don’t fulfil their
> duties, misbehave with other members/staff of the community, or
> they significantly do not show up at the Board meetings (e.g.
> attendance less than 50%).
>
> Also, I believe the requirement to meet in person is quite vague
> as per current statement below. I attended all in person meetings
> at AppSec USA & AppSec EU and think they are very valuable. You
> have a chance to meet with the community, talk about their needs,
> help them progress their projects, and meet face-to-face with your
> fellow Board members. So if we are going to change the Bylaws, I
> think we need to put a requirement for Board members to meet in
> person at least ONCE a year. I will appreciate your feedback and
> from the rest of the Governance list regarding this matter.
>>
>> Attendance in person or virtually by board members is required at
>> no less than 75% of the total meetings each year and *shall be
>> highly encouraged to meet in person at least once annually* at a
>> date to be announced and agreed upon.
>>
> Thanks,
>
> Fabio Cerullo
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015 <https://2015.appsecusa.org> in
> San Francisco!
>
>> On 25 Aug 2015, at 10:22, Bil Corry <bil.corry at owasp.org
>> <mailto:bil.corry at owasp.org>> wrote:
>>
>> Hi Josh,
>>
>> Tabulation is described as thus (emphasis is mine):
>>
>> "Attendance is tabulated after every scheduled meeting for the
>> purpose of determining if the 75% attendance requirement has been
>> met, and the tabulation is *based upon the entire calendar year.*"
>>
>> That means if there are 12 meetings during the year and you miss
>> the first meeting, your attendance is 11/12 or 92%. No vote required.
>>
>> As far as your other concerns, I've updated the text below,
>> hopefully I've covered it all? I pulled deadlines out of thin
>> air, so feel free to tweak the numbers and method of voting.
>>
>>
>> *SECTION 3.03 Regular Meetings.* The Board of Directors shall
>> have regular meetings as needed. A link to the board meeting
>> agenda’s and the historical minutes is here:
>> https://www.owasp.org/index.php/OWASP_Board_Meetings. Meetings
>> shall be at such dates, times, and places as the Board shall
>> determine in December of the preceding year and as amended by the
>> Board. In no event will there be less than one meeting per
>> quarter. These meetings will be open to public attendance,
>> however, certain portions of the meeting may be closed to board
>> members and their delegates when required for legal reasons, or
>> to shield liability, or to handle personnel issues, or similar.
>> Attendance in person or virtually by board members is required at
>> no less than 75% of the total meetings each year and shall be
>> highly encouraged to meet in person at least once annually at a
>> date to be announced and agreed upon. Attendance is tabulated by
>> the Executive Director or delegate within seven days after every
>> scheduled meeting for the purpose of determining if the 75%
>> attendance requirement has been met, and the tabulation is based
>> upon the entire calendar year. Cancelled meetings are considered
>> attended for the purposes of the tabulation. Failure by a board
>> member to meet the 75% attendance requirement after any
>> tabulation will cause a mandatory vote of confidence by the
>> remaining board members, whose votes will be publicly recorded.
>> The vote of confidence is to take place within 21 days, but not
>> sooner than 7 days, of notification by the Executive Director or
>> delegate that a board member has not met the attendance
>> threshold. During the first seven days, the board member in
>> question will have an opportunity to make their case to their
>> fellow board members. The vote of confidence will take place on
>> the OWASP Board of Directors email list, unless the Board votes
>> to review the matter at their next meeting, so long as the next
>> meeting occurs within the 21-day window. An overall vote of
>> "confidence" is recorded if half or more of the board members vote
>> for it and it will prevent further votes of confidence for the
>> remainder of the year so long as the board member in question
>> does not miss any further meetings. An overall vote of "no
>> confidence" is recorded if more than half of the board members
>> vote for it, which causes the board member in question to be
>> instantly removed from their seat on the board. Vacancies on the
>> board are handled as per Section 3.10.
>>
>>
>> 2 OWASP Board of Directors will hold quarterly board meetings
>> lasting 46 hours each. The schedule of meetings will be set by
>> the board in December before the year. It is likely the board
>> meetings will take place on Saturdays or on a dedicated day
>> before a large OWASP conference. This change is a result of the
>> success of the longer format board meeting and also a result of
>> the Executive Director role that has enabled full time
>> involvement and focus on OWASP operations. Board members must
>> attend (in person or virtually) 3 of the 4 meetings to fulfill
>> the attendance requirements. This will take effect in January,
>> 2014. Changes passed August 19, 2013.
>>
>> 3 “and shall be highly encouraged to meet in person at least once
>> annually at a date to be announced and agreed upon” amendment to
>> document passed June 10, 2013.
>>
>>
>>
>>
>> - Bil
>>
>>
>> On Mon, Aug 24, 2015 at 2:31 PM, Josh Sokol <josh.sokol at owasp.org
>> <mailto:josh.sokol at owasp.org>> wrote:
>>
>> Bil,
>>
>> I initiated a Board vote on the new text that you had
>> proposed back in April or May this year and the Board
>> unanimously voted to approve. Paul has been working to try
>> to identify all of the changes that have been made (there's
>> only been one or two this year) in order to get a new version
>> of the Bylaws on the website. Regardless, the one that is
>> there is definitely out-of-date.
>>
>> With respect to your update, thank you, I was thinking
>> something similar as well, but this doesn't address a few of
>> my bullet points:
>>
>> * The method of tabulation is unspecified. If we are
>> tabulating sequentially, then we have a situation where
>> if a Board member missed their first meeting, a vote is
>> required to be held for three tabulations (0%, 50%, and
>> 66%) until they make it up over 75%. I am guessing that
>> the intent is for this to be tabulated assuming
>> attendance for all future meetings and action would be
>> taken if the person would be unable to maintain 75%
>> attendance, but if anyone disagrees and has a different
>> interpretation, please let me know.
>> * The timeframe for the vote is unspecified. It just says
>> that it will cause a mandatory vote of confidence, but
>> never says when that vote is supposed to take place or
>> who is supposed to initiate it. Is it to be handled
>> immediately at the time of tabulation? Is it handled
>> offline over e-mail as we recently did? Is it handled at
>> the next Board meeting? Based on the current verbiage,
>> technically the Board could drag its heels on it
>> indefinitely. I would think that something reasonable
>> would be having the vote initiated by our Executive
>> Director within two weeks of the tabulation that found
>> them to be not meeting their attendance requirements. If
>> there is a Board meeting during that window, then it
>> could be handled then, or handled via the mailing list
>> otherwise. That provides time to handle the situation
>> and removes any Board member bias from the initiation of
>> the vote.
>> * This does not offer the offender an opportunity to
>> explain why they failed to meet their attendance
>> requirement. I think that a reasonable process would
>> assume that there is a rational explanation for why they
>> did not attend. Maybe it's because all of the meetings
>> were being held at 2 AM in their timezone. Maybe it's
>> because of a death in the family. I think this process
>> should take the personal factor into consideration.
>>
>> Would you care to take a stab at addressing these? If not, I
>> can certainly take a shot at it as well.
>>
>> ~josh
>>
>>
>> On Mon, Aug 24, 2015 at 2:07 AM, Bil Corry
>> <bil.corry at owasp.org <mailto:bil.corry at owasp.org>> wrote:
>>
>> Hi Josh,
>>
>> The current bylaw I see is from last year, which doesn't
>> have the text you quoted. It's here:
>>
>> https://www.owasp.org/index.php/OWASP_Foundation_ByLaws
>>
>> I know we discussed changing the bylaws, but I don't know
>> what was ultimately adopted. FWIW, this is the wording
>> from last proposed text, which is very clear on how
>> tabulation is calculated, although it doesn't give
>> strict time limits for tabulation and confidence voting.
>> The thought was to allow the Board some flexibility in
>> how they want to execute it. But if you'd like it to be
>> formally incorporated into the bylaws, then please
>> propose some text.
>>
>>
>> *SECTION 3.03 Regular Meetings.* The Board of Directors
>> shall have regular meetings as needed. A link to the
>> board meeting agenda’s and the historical minutes is
>> here:
>> https://www.owasp.org/index.php/OWASP_Board_Meetings.
>> Meetings shall be at such dates, times, and places as
>> the Board shall determine in December of the preceding
>> year and as amended by the Board. In no event will there
>> be less than one meeting per quarter. These meetings
>> will be open to public attendance, however, certain
>> portions of the meeting may be closed to board members
>> and their delegates when required for legal reasons, or
>> to shield liability, or to handle personnel issues, or
>> similar. Attendance in person or virtually by board
>> members is required at no less than 75% of the total
>> meetings each year and shall be highly encouraged to meet
>> in person at least once annually at a date to be
>> announced and agreed upon. Attendance is tabulated after
>> every scheduled meeting for the purpose of determining if
>> the 75% attendance requirement has been met, and the
>> tabulation is based upon the entire calendar year.
>> Cancelled meetings are considered attended for the
>> purposes of the tabulation. Failure by a board member to
>> meet the 75% attendance requirement after any tabulation
>> will cause a mandatory vote of confidence by the
>> remaining board members, whose votes will be publicly
>> recorded. An overall vote of "no confidence" is recorded
>> if half or more of the board members vote for it, which
>> causes the board member in question to be instantly
>> removed from their seat on the board. Vacancies on the
>> board are handled as per Section 3.10.
>>
>> 2 OWASP Board of Directors will hold quarterly board
>> meetings lasting 46 hours each. The schedule of meetings
>> will be set by the board in December before the year. It
>> is likely the board meetings will take place on
>> Saturdays or on a dedicated day before a large OWASP
>> conference. This change is a result of the success of the
>> longer format board meeting and also a result of the
>> Executive Director role that has enabled full time
>> involvement and focus on OWASP operations. Board members
>> must attend (in person or virtually) 3 of the 4 meetings
>> to fulfill the attendance requirements. This will take
>> effect in January, 2014. Changes passed August 19, 2013.
>>
>> 3 “and shall be highly encouraged to meet in person at
>> least once annually at a date to be announced and agreed
>> upon” amendment to document passed June 10, 2013.
>>
>>
>>
>>
>> - Bil
>>
>>
>> On Sat, Aug 22, 2015 at 6:01 PM, Josh Sokol
>> <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>
>> Board,
>>
>> As recently discussed and voted on in a separate
>> thread, our current Bylaws state as follows:
>>
>> /Failure by a board member to meet the 75% attendance
>> requirement after any tabulation will cause a
>> mandatory vote of confidence by the remaining board
>> members, whose votes will be publicly recorded. An
>> overall vote of "no confidence" is recorded if half
>> or more of the board members vote for it, which
>> causes the board member in question to be instantly
>> removed from their seat on the board./
>>
>> I see a few issues with this:
>>
>> * The timeframe that this applies to is
>> unspecified. Is it per quarter? Per calendar
>> year? Over the two year duration of a Board
>> member term? Over the cumulative time that a
>> Board member is in office? I'm guessing that the
>> intent is for this to be over the calendar year,
>> but if anyone disagrees and has a different
>> interpretation, please let me know.
>> * The definition of "tabulation" is unspecified.
>> Who is doing the tabulation? Is there a certain
>> time that this tabulation is conducted? I'm
>> guessing that the intent is for this to be based
>> on the attendance roll that is captured during
>> the Board meeting, but if anyone disagrees and
>> has a different interpretation, please let me know.
>> * The method of tabulation is unspecified. If we
>> are tabulating sequentially, then we have a
>> situation where if a Board member missed their
>> first meeting, a vote is required to be held for
>> three tabulations (0%, 50%, and 66%) until they
>> make it up over 75%. I am guessing that the
>> intent is for this to be tabulated assuming
>> attendance for all future meetings and action
>> would be taken if the person would be unable to
>> maintain 75% attendance, but if anyone disagrees
>> and has a different interpretation, please let me
>> know.
>> * The timeframe for the vote is unspecified. It
>> just says that it will cause a mandatory vote of
>> confidence, but never says when that vote is
>> supposed to take place or who is supposed to
>> initiate it. Is it to be handled immediately at
>> the time of tabulation? Is it handled offline
>> over e-mail as we recently did? Is it handled at
>> the next Board meeting? Based on the current
>> verbiage, technically the Board could drag its
>> heels on it indefinitely. I would think that
>> something reasonable would be having the vote
>> initiated by our Executive Director within two
>> weeks of the tabulation that found them to be not
>> meeting their attendance requirements. If there
>> is a Board meeting during that window, then it
>> could be handled then, or handled via the mailing
>> list otherwise. That provides time to handle the
>> situation and removes any Board member bias from
>> the initiation of the vote.
>> * This does not offer the offender an opportunity
>> to explain why they failed to meet their
>> attendance requirement. I think that a reasonable
>> process would assume that there is a rational
>> explanation for why they did not attend. Maybe
>> it's because all of the meetings were being held
>> at 2 AM in their timezone. Maybe it's because of
>> a death in the family. I think this process
>> should take the personal factor into consideration.
>>
>> With the above in mind, I don't see a reason to lower
>> the bar from 75%. My thinking is that this is a
>> reasonable expectation to have of a Board member with
>> all things being equal. It may not be the best
>> measure of engagement, but it is still a
>> responsibility that all Board members are aware of
>> going into it, and I am not aware of it having been
>> an issue in the past (until now), so I'm not sure why
>> we would change it now that one Board member had a
>> vote initiated for it. I would propose that we
>> update the language in order to better clarify my
>> bullet points above, but leave the requirement itself
>> in place. Please provide your thoughts regarding
>> each of these bullet points (or any other issues that
>> you think need to be addressed here). Once we have
>> some level of agreement with these, I can take the
>> action item of re-writing this section of the Bylaws
>> in order to incorporate these changes. Thanks.
>>
>> ~josh
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> <mailto:Owasp-board at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>> _______________________________________________
>> Governance mailing list
>> Governance at lists.owasp.org <mailto:Governance at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/governance
>
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!