<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">To strengthen the role and numbers of
      women in AppSec, should we revive/continue and improve the
      marketing for our Women in AppSec program? <br>
      <br>
      In the past we had this program and I believe it was a great idea.
      Unfortunately our promotion of the program did not reach so many
      people IMHO....<br>
      <br>
      Would there be any volunteers to lead this effort? <br>
      <br>
      Best regards, Tobias<br>
      <br>
      <br>
      <br>
      <br>
      On 28/02/15 05:16, Noreen Whysel wrote:<br>
    </div>
    <blockquote
      cite="mid:547D87E1-0779-43BE-94D1-125A3DB67AA7@owasp.org"
      type="cite">
      <div>I was at that panel at the joint cybersecurity conference in
        Brooklyn. In theory, it was a good idea. Highlight five women
        who were Chief Security Officers at their respective firms. In
        practice, it was not so great. It was held during lunch in a
        noisy gymnasium. The previous sessions had gone over time and
        food had not been set up so the panel had to start during a lot
        of clanging and ongoing conversation while people were on line.
        To top it off the person who introduced them said something to
        the effect of "We are going to see why women would want to go
        into cybersecurity... it isn't a very glamorous career."</div>
      <div><br>
      </div>
      <div>The panel itself was very good. Quite impressive women with
        stellar backgrounds and a lot to say about strides they have
        made and the development of the industry itself. One of the
        women addressed the "glamour" question by stating that she felt
        it was indeed a glamorous field to be in, but I really took it
        as a calling out of the poor setup. By the end I feel that it
        had quieted enough to get something meaningful out of it, at
        least for me, but there were still many people who chatted with
        their lunch mates throughout the presentation. I blame the
        setting more than the introducer, btw.</div>
      <div><br>
      </div>
      <div>That said, quotas are really hard. I<span
          style="background-color: rgba(255, 255, 255, 0);">n the end it
          all comes down to who submits. </span>Best to strive toward
        encouraging as many talented women (and people of color) as
        possible to present. Speaker mentoring can be extremely helpful
        also. A lot of us, male and female, struggle with Imposter
        Syndrome so any support is always appreciated. </div>
      <div><br>
        <span style="background-color: rgba(255, 255, 255, 0);">Noreen
          Whysel<br>
        </span><span style="background-color: rgba(255, 255, 255, 0);
          font-size: 13pt;">Community Manager</span>
        <div><span style="background-color: rgba(255, 255, 255, 0);">OWASP

            Foundation</span></div>
      </div>
      <div><br>
        On Feb 27, 2015, at 10:16 AM, Helen Gao <<a
          moz-do-not-send="true" href="mailto:helen.gao@owasp.org">helen.gao@owasp.org</a>>

        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <div dir="ltr">
            <div>
              <div>Hi Andrew, Michael and the board.<br>
                <br>
                I don't know what made me speak out twice in one day
                even though I am not a board member. But I admire
                Andrew's effort of bringing this matter to the boardroom.
                The question of the desired percentage reminds me of the
                <a moz-do-not-send="true"
                  href="http://30percentclub.org/">30% Club</a>. It was
                launched in the UK in 2010 with a goal of 30% women on
                corporate boards by end 2015. We shouldn't set a hard
                percentage risking the quality of speakers, but the
                success of 30% Club did show the effectiveness of goal
                setting.<br>
                <br>
              </div>
              <div>BTW, 3 OWASP chapters in the New York metropolitan
                area are co-organizers of New York Metro Joint Cyber
                Security Conference 2015. There was a well received
                panel discussion of female CISOs in last year's
                conference. I expect to see more female participation
                this year.<br>
              </div>
              <div><br>
              </div>
              Regards,<br>
              <br>
            </div>
            Helen<br>
          </div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Fri, Feb 27, 2015 at 1:12 AM,
              Michael Coates <span dir="ltr"><<a
                  moz-do-not-send="true"
                  href="mailto:michael.coates@owasp.org" target="_blank">michael.coates@owasp.org</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div dir="ltr">Andrew,
                  <div><br>
                  </div>
                  <div>(To address the policies comments)</div>
                  <div>Here are the conference speaker policies. These
                    policies address most of your comments already. We
                    just need to make sure the policies are visible on
                    the conference website and not just on the owasp
                    wiki and also in our terms and contracts.</div>
                  <div><br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="https://www.owasp.org/index.php/Governance/Conference_Policies"
                      target="_blank">https://www.owasp.org/index.php/Governance/Conference_Policies</a><br>
                  </div>
                  <div><br>
                  </div>
                  <div> I'll fix AppSecUSA in just a moment.</div>
                  <div><br>
                  </div>
                  <div>(Regarding diversity of speakers)</div>
                  <div>Agree that more diversity in submission is better
                    than less.</div>
                  <span class="">
                    <div><br>
                    </div>
                    <div><span style="font-size:12.8000001907349px">*
                        Require conference committees to send out
                        invitations to as many women speakers as
                        possible there is diversity in submissions.</span><br
                        style="font-size:12.8000001907349px">
                    </div>
                    <div><br>
                    </div>
                  </span>
                  <div><span style="font-size:12.8000001907349px">>
                      I'm not sure what this means in practice. We're
                      broadcasting out CFP far and wide. Perhaps the
                      community can create a google spreadsheet with
                      lists of ideas to advertise AppSec conferences. We
                      can then make it standard practice for conferences
                      to advertise CFP to everything on the list.</span></div>
                  <span class="">
                    <div><span style="font-size:12.8000001907349px"><br>
                      </span></div>
                    <div><span style="font-size:12.8000001907349px">* We
                        should also help with helping folks create solid
                        CFPs that are more likely to succeed if
                        submissions are to be chosen solely by merit. </span><span
                        style="font-size:12.8000001907349px"><br>
                      </span></div>
                    <div><span style="font-size:12.8000001907349px"><br>
                      </span></div>
                  </span>
                  <div><span style="font-size:12.8000001907349px">>
                      Certainly not against it. If a group wants to
                      provide tips and techniques to make better CFPs
                      then that's great. I don't think this should be a
                      requirement or expectation of the conference
                      organizers. They already have plenty of items on
                      their plate.</span></div>
                  <div><span style="font-size:12.8000001907349px"><br>
                    </span></div>
                  <div><span style="font-size:12.8000001907349px">* </span><span
                      style="font-size:12.8000001907349px">what is the
                      desired percentage of talks that should be given
                      by women, how we will achieve that goal, and when
                      shall we achieve that goal?</span></div>
                  <div><span style="font-size:12.8000001907349px"><br>
                    </span></div>
                  <div><span style="font-size:12.8000001907349px">>
                      Discussion is good. We should always select the
                      best talks for a conference. We should also always
                      encourage a wide range of people to submit talks
                      and help them submit good talks. In addition OWASP
                      has such a range of speaking opportunities from
                      global conferences to regional and local events
                      there are numerous ways for people to build their
                      speaking skills. </span><span
                      style="font-size:12.8000001907349px">This however
                      is separate from target percentages which I don't
                      believe would have the net effect you're hoping
                      for.</span></div>
                  <div><br>
                  </div>
                </div>
                <div class="gmail_extra"><br clear="all">
                  <div>
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr"><br>
                                    --<br>
                                    Michael Coates | <a
                                      moz-do-not-send="true"
                                      href="https://twitter.com/intent/user?screen_name=_mwc"
                                      target="_blank">@_mwc</a><br>
                                  </div>
                                  <div>OWASP Global Board<br>
                                  </div>
                                  <div dir="ltr">
                                    <div>Join me at <a
                                        moz-do-not-send="true"
                                        href="http://AppSecUSA.org"
                                        target="_blank">AppSecUSA</a>
                                      2015 in San Francisco!</div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                  <br>
                  <div class="gmail_quote">
                    <div>
                      <div class="h5">On Thu, Feb 26, 2015 at 7:13 PM,
                        Andrew van der Stock <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:vanderaj@owasp.org"
                            target="_blank">vanderaj@owasp.org</a>></span>
                        wrote:<br>
                      </div>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div>
                        <div class="h5">
                          <div dir="ltr">
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>
                                      <div>Hi folks,<br>
                                        <br>
                                      </div>
                                      It's way, way, way past time for
                                      discussions to start as we are
                                      running several global branded
                                      events in 2015 and NONE of them
                                      have a code of conduct or
                                      anti-harassment policy and
                                      already two of our three or four
                                      events have either zero or only
                                      one woman speakers, despite AppSec
                                      EU having over 120 CFP
                                      submissions. <br>
                                      <br>
                                      If you believe things are fine or
                                      that is just how our industry is,
                                      that ship sailed back in 1950.
                                      Let's get to a consensus and work
                                      towards fixing this problem. <br>
                                      <br>
                                      We have almost certainly started
                                      to sign up sponsors, vendors, and
                                      CFPs are open, so we have to do
                                      something now before we can't
                                      until 2016. Inaction allows the
                                      status quo to thrive, and it's
                                      really unacceptable. <br>
                                      <br>
                                    </div>
                                    LatAm Tour 2015: Speaker agreement:
                                    Nothing. No women speakers.<br>
                                    <div><a moz-do-not-send="true"
href="https://www.owasp.org/images/4/4f/AppSec_Latam_2015_Speaker_Agreement.pdf"
                                        target="_blank">https://www.owasp.org/images/4/4f/AppSec_Latam_2015_Speaker_Agreement.pdf</a><br>
                                      <br>
                                      LatAm Tour 2015: Instructor
                                      agreement: Nothing. No women
                                      instructors as far as I can tell<br>
                                      <a moz-do-not-send="true"
href="https://www.owasp.org/images/f/fa/LatamTour_2015_Training_Instructor_Agreement.pdf"
                                        target="_blank">https://www.owasp.org/images/f/fa/LatamTour_2015_Training_Instructor_Agreement.pdf</a><br>
                                      <br>
                                    </div>
                                    LatAm Tour 2015: Sponsor
                                    opportunities. Nothing<br>
                                    <a moz-do-not-send="true"
href="https://www.owasp.org/images/5/5f/Latam_Tour_2015_Sponsorship_Opportunities.pdf"
                                      target="_blank">https://www.owasp.org/images/5/5f/Latam_Tour_2015_Sponsorship_Opportunities.pdf</a><br>
                                    <br>
                                    <div>AppSec EU 2015: Nothing in our
                                      speaker, sponsor, or vendor
                                      information. Just one woman
                                      co-speaker selected from 120
                                      submissions. Really? In 2015?<br>
                                      <a moz-do-not-send="true"
href="http://2015.appsec.eu/wp-content/uploads/2014/12/AppSec-Eu_Research-2015_Amsterdam_Sponsor-document.pdf"
                                        target="_blank">http://2015.appsec.eu/wp-content/uploads/2014/12/AppSec-Eu_Research-2015_Amsterdam_Sponsor-document.pdf</a><br>
                                      <br>
                                    </div>
                                  </div>
                                  <div>AppSecUSA 2015 code of conduct:
                                    Nothing. <br>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>AppSecUSA 2015 vendor form:
                                    Nothing.<br>
                                    <a moz-do-not-send="true"
href="https://docs.google.com/forms/d/1Mh7PoELRg1fyc9NHQVrzHrmEh3yEh3qPljKa93oISjc/viewform"
                                      target="_blank">https://docs.google.com/forms/d/1Mh7PoELRg1fyc9NHQVrzHrmEh3yEh3qPljKa93oISjc/viewform</a><br>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>AppSecUSA 2015 speaker agreement
                                    form: Nothing<br>
                                    <a moz-do-not-send="true"
href="https://2015.appsecusa.org/c/wp-content/uploads/2015/02/AppSec-USA-2015_Speaker-Agreement.pdf"
                                      target="_blank">https://2015.appsecusa.org/c/wp-content/uploads/2015/02/AppSec-USA-2015_Speaker-Agreement.pdf</a><br>
                                  </div>
                                  <br>
                                  Maybe now you can see the problem. It
                                  shouldn't be up to the organizers of
                                  each year to determine and include
                                  these policies, they should be
                                  overlays for all our events, like our
                                  Code of Ethics is. <br>
                                  <br>
                                </div>
                                <div>Despite all this doom and gloom,
                                  our anti-harassment policy for OWASP
                                  AppSec USA 2014 is okay. It's not
                                  surprising that there were women
                                  speakers at this event, but only just
                                  barely: five women speakers out of 78
                                  (6%), including Kate who talked about
                                  starting a chapter. This is actually
                                  our best representation for all the
                                  events I looked at. <br>
                                  <br>
                                  AppSecUSA 2014 Code of conduct:<br>
                                  <a moz-do-not-send="true"
href="https://www.owasp.org/index.php/AppSec_USA_2014/Conference_Policies#Anti_Harassment_Policy"
                                    target="_blank">https://www.owasp.org/index.php/AppSec_USA_2014/Conference_Policies#Anti_Harassment_Policy</a><b>
                                  </b><br>
                                  <br>
                                  It should be linked to in all speaker
                                  agreements, the vendor and sponsorship
                                  agreements. I am very disappointed
                                  that none of the events in 2015 seem
                                  to be using it. <br>
                                </div>
                                <div><br>
                                </div>
                                <div>Other codes of conduct you may be
                                  interested in:<br>
                                </div>
                                <div><br>
                                </div>
                                <div><a moz-do-not-send="true"
                                    href="http://Linux.conf.au"
                                    target="_blank">Linux.conf.au</a> is
                                  the only global Linux conference Linus
                                  attends every year. <br>
                                  <a moz-do-not-send="true"
                                    href="http://linux.conf.au/cor/code_of_conduct"
                                    target="_blank">http://linux.conf.au/cor/code_of_conduct</a><br>
                                  <br>
                                </div>
                                Black Hat did not implode with this code
                                of conduct:<br>
                                <div><a moz-do-not-send="true"
                                    href="https://www.blackhat.com/code-of-conduct.html"
                                    target="_blank">https://www.blackhat.com/code-of-conduct.html</a><br>
                                  <br>
                                </div>
                                <div>KiwiCon's Code of Conduct is
                                  antipodean direct: <br>
                                  <a moz-do-not-send="true"
                                    href="https://www.kiwicon.org/faq/code-of-conduct/"
                                    target="_blank">https://www.kiwicon.org/faq/code-of-conduct/</a>
                                  <br>
                                  <br>
                                </div>
                                <div>They kicked out speakers Ben Nagy
                                  and the Grugq last year, so it's not
                                  just ASCII art. <br>
                                  <br>
                                </div>
                                <div>I wanted to share with you BruCon's
                                  Code of Conduct as they started with
                                  the Ada Initiative in 2013, and then
                                  modified it after it was used against
                                  them. <br>
                                  <br>
                                </div>
                                <div>At the very least, I'm looking for
                                  the Board to discuss this issue at our
                                  next Board meeting, and I'd like for
                                  us to vote on the following as a
                                  package:<br>
                                  <br>
                                </div>
                                <div>* We make AppSec USA's 2014 Code of
                                  Conduct / Anti-harassment policy the
                                  de facto starting point for all our
                                  conferences, globally.  <br>
                                  <br>
                                </div>
                                <div>* Adopt a reference in the standard
                                  OWASP Speaker's agreement form that
                                  points to this policy<br>
                                  <br>
                                </div>
                                <div>* Add in a reference to the
                                  standard OWASP vendor / sponsor
                                  agreement form that points to this
                                  policy, as well as prohibiting
                                  sexualized staff members (booth babes
                                  and the fictitious booth dudes). <br>
                                </div>
                                <div><br>
                                </div>
                                <div>* Require the LatAm Tour, AppSec EU
                                  and AppSec US 2015 organisers to use
                                  these updated policies, which will
                                  almost certainly entail getting back
                                  to the already chosen speakers,
                                  sponsors and vendors and getting them
                                  to re-agree to it. As it was already
                                  policy in 2014, this shouldn't be too
                                  much of a stretch as it was most
                                  likely overlooked or forgotten. <br>
                                </div>
                                <div><br>
                                </div>
                                <div>For AppSec USA 2015 and beyond, we
                                  really need to get them to encourage
                                  submissions from women. If a
                                  conference gets zero CFP submissions
                                  by women, you will have zero talks by
                                  women. I do not believe for a second
                                  there are zero women in our industry.
                                  We need to stop being passive about
                                  this, and start recruiting women to
                                  submit talks. <br>
                                </div>
                                <div><br>
                                </div>
                                <div>* Require conference committees to
                                  send out invitations to as many women
                                  speakers as possible there is
                                  diversity in submissions.<br>
                                  <br>
                                  * We should also help with helping
                                  folks create solid CFPs that are more
                                  likely to succeed if submissions are
                                  to be chosen solely by merit. I don't
                                  think this should be restricted to
                                  just women, but should also include
                                  first time speakers, who often
                                  struggle to get their first speaking
                                  gig at a large conference.<br>
                                  <br>
                                </div>
                                <div>I would like to get us to talk
                                  about the best way to achieve a
                                  desired outcome - what is the desired
                                  percentage of talks that should be
                                  given by women, how we will achieve
                                  that goal, and when shall we achieve
                                  that goal?<br>
                                  <br>
                                  thanks,<br>
                                </div>
                                <div>Andrew<br>
                                </div>
                              </div>
                            </div>
                          </div>
                          <br>
                        </div>
                      </div>
                      _______________________________________________<br>
                      Owasp-board mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:Owasp-board@lists.owasp.org"
                        target="_blank">Owasp-board@lists.owasp.org</a><br>
                      <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
                <br>
              </blockquote>
            </div>
            <br>
            <br clear="all">
            <br>
            -- <br>
            <div class="gmail_signature">
              <div dir="ltr">Helen Gao, CISSP</div>
            </div>
          </div>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>