[Owasp-board] Final comments requested

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 14:47:56 UTC 2016

I tend to agree with Andrew about it not being votable as it is and I find
myself asking "Why" a lot with this.  We already have a process under
Committees 2.0 wherein these SACs could be created by regional groups, but
with a more well-defined scope and potentially budget.  This seems like
forcing a structure where it doesn't currently exist because it's not
needed or desired.  I would say that the single biggest reason to do this
is to grow OWASP leadership throughout the world for better diversity and
representation at the Board level.  Now, if that is the goal here, there
should be an open call following the Committees 2.0 model, rather than an
appointment to a post.  My suggestion, instead, is to put out a formal
recommendation that regions establish their own councils under the
Committees 2.0 framework.  Let them determine their boundaries based on
level of interest, geo-politics, etc.  Come up with a potential scope based
on this document, but allow them to modify or append to it as desired.
Tom, you're the one who always says that we should be managing to policy.
We have a policy around how these groups should be created.  Let's follow
that.  This is just a matter of encouraging people to utilize that policy
to accomplish a bigger-picture objective by the Board.


On Sat, Apr 16, 2016 at 3:12 AM, Andrew van der Stock <vanderaj at owasp.org>

> Tom
> It’s just not votable as is, and it’ll get stuck again unless it’s
> completely re-drafted for clarity.
> I'd like to see this completely re-drafted. A lot of this information
> exists in this document, but it disagrees with itself several times. Let's
> get a bit of focus:
> WHY are we setting them up, and what OWASP hopes to achieve from these SACs
> WHAT are their duties
> WHAT is their place in our organisation - an org chart would be awesome
> WHEN will they meet
> WHEN will they meet with the Board
> WHEN what is the length of appointment
> WHO makes up a regional security council
> HOW will they be elected or appointed
> WHERE shall they meet together
> WHERE will they meet with the Board
> Additionally, let's use the one word consistently throughout - they are
> either a group, or a council. If they are a council, let's stick to that
> terminology.
> I think when setting up regional advisory groups like this, we need to be
> cognizant of our values - transparency, openness and mission. Why are we
> setting these things up? Who do they report to? If they have no budget, it
> will still cost us. There are proposals that require them to meet 4 times a
> year, and if that’s F2F, plus they meet with us two or four times a year
> (which is confusing as we don’t meet 4 times a year F2F), then basically,
> we’re looking at around $50-80k per year in travel costs with 4 or 5 SACs.
> Going from Australia to China for a F2F is an expensive air fare. Plus,
> China does not see Australia as part of Asia. Some of these groupings only
> make sense to Westerners, not to folks in these regions. I’d expect some
> of these groupings to fall apart once they get going.
> I believe very strongly that we need these groups, but they need to have
> clear reporting lines - do they report to the Community manager or to us?
> If they report to us, that means the community manager has no sway over
> them, and they aren’t really then helping with community or outreach. We
> delegate for a reason. If they report to the Community manager, then I
> think a report tabled to the Community manager twice a year, who then
> reports to us at our Face to Face is sufficient.
> We need to have a mechanism to dissolve a SAC if it becomes dormant or
> dysfunctional. This is absolutely essential, again as OWASP India has shown
> us.
> I also think India is a big enough place that it needs its own council,
> especially as demonstrated recently. Almost all of the folks on the OWASP
> FB group come from India, and I’d conservatively put it at over 7000 based
> on name alone.
> I would like to see nominations put forward by us, the ops team, and the
> local folks, and direct elections held each year along with the Board’s
> elections, for five folks per SAC. 10-12 folks is far too many. It’s
> difficult to get reasonable consensus once you reach 4 folks, and
> practically impossible when 12 folks are involved. Try deciding on a bar
> let alone where a conference is held. I think whatever the number, it
> should always be an odd number of folks so that decisions can be reached.
> thanks
> Andrew
> On 16 Apr 2016, at 13:13, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> Board,
> Final comments on working doc requested Wednesday 4/20
> https://docs.google.com/a/proactiverisk.com/document/d/16y0acWfeZ_skcO27D-conivvlbSqPbAC1xTY5UfJi_4/edit?usp=docslist_api
> --
> Tom Brennan
> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F D9C6
> DC6A A
> OWASP Foundation | www.owasp.org
> Tel:  (m) 973-506-9304
> Need to book time with me to discuss an existing or a future project click
> on my virtual calendar http://www.proactiverisk.com/brennan
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board