[Owasp-leaders] Why OWASP can't pay OWASP Leaders

Antonio Fontes antonio.fontes at owasp.org
Wed Apr 11 13:27:12 UTC 2012

I agree with Dinis, leaders should not be paid.

Basically, the inner concept of a leader doing the actual work is
basically wrong. If leaders want to work on guides or tools or
whatsoever OWASP project (or chapter), then they should consider
resigning from their position as leaders and instead become
contributors, or reviewers, or developers, or whatsoever title they may
find attractive. As leaders, I personaly believe that these actually do
more harm to OWASP projects than they help.

This applies to chapter leaders also. At both summits I attended, I
heard several chapters leaders reporting that organizing local meetings
takes too much of their time. While investing lots of their personal
time in literaly doing all the work may sound honorable, it's not the
reason why they are (or should be) elected as leaders.

To the contrary, a leader must emphasize on:
- ensuflating the inspiration and motivation in the contributors of a
- identifying, locating, contacting, planing, organising, inspiring,
motivating and managing (or surrounding him-herself with) the most
appropriate resources who can help him/her achieve the mission.

In a project leadership position, this practically translates into:
- Defining the project mission statement with clear and easy words,
understanding and expressing the need that is being answered and the
response to this need, defining the deliverables that would satisfy this
need and how the leader sees a path towards the construction and the
delivery of these deliverables.
- Looking for end-users (sometimes, it would be the project leader
itself) and contributors (designers, coders, reviewers/testers,
documenters, etc.) that may benefit from participating in such a project
(also known as looking for win-win situations) in other ways than just
earning some cash.
- Driving these end-users and contributors in such a way that it meets
the project mission and deliverables.

Most projects that stale right now are either led by people:
- who don't use the tool anymore and who were its original user
- who created an ecosystem in which their actual work is necessary to
keep the project alive, hence its death when the leader suddenly starts
working at a real job
- who dreamed of receiving the glorious title of "OWASP Project Leader"
(and all its benefits) and who actually have no clue on where to go next
- who have a vision but don't know how to turn it into real stuff <---
these guys DEFINITELY NEED HELP/SUPPORT from a project manager (which
rebounds to another discussion on the need for dedicated professional
support inside OWASP).

This also applies to chapter meetings. Being a chapter leader mostly
requires organizing meetings. This translates to:
- Envisioning the meeting itself: its size, its venue, its agenda, its
date, etc.
- Looking for people who want to help. Believe me: a lot of people
actually want to help you FOR FREE. There are people who want to help
you find a venue, others who want to help you find speakers, other who
want to help you manage the registrations, etc. Even some others who
want to financialy support your meeting just to allow them to appear
anywhere in it.

As a leader, whether on a project or chapter, two major skills are
required and they have nothing to do with application security:
- the ability to connect people from different backgrounds and make them
work together to turn a vision into real stuff.
- the ability to recognize that they no longer do they job and should
reconsider transfering their responsibility to someone else.

More practically, being a leader MOSTLY results in:
- sending emails to the right people
- answering emails from these people
- attending a few conference calls through skype

If your vision of a leader's duties include much more work than that,
then there is a high probability that you are doing the work that
someone else wants to do, for free, just because he/she wants to help
you or benefits from helping you.

A little thought to those who still don't believe we need to hire people
at OWASP: a not-for-profit organization means a not-for-profit
organization. In now way does it mean "unrewarded workers", it just
means that whatever the revenue, it remains strictly invested in
achieving the mission and nothing else, whether that revenue be 10$ or
10m$. OWASP needs some core resources to be hired as professionals to
make sure that the entire ecosystem of volounteers can actually do their
work in the best conditions. These professionals do not need to
understand anything about application security: if you work for a
security company which employs an accountant, just ask her/him to list
you at least one item from the OWASP Top 10. I am sure you would not
fire her/him for being such an ignorant, would you? These people should
earn a normal salary, neither lower nor higher than elsewhere, that is
entirely and stricly disconnected from any incentive to increase yearly
revenue but rather making sure it is allocated the smartest way.

Considering that I am not a project leader myself, I understand I may be
completly out of bounds in some parts of my reply. I sincerely apologize
if I hurt someone with this, please consider it just as a proposition
resulting from a "personal view on things".

Finally, I am also in the SHAMEFUL situation of a Chapter Leader who
hasn't been doing his job for the last months and I sincerely hope that
writing this email will have the retro-consequence of kicking up my own a.s!


Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
  skype: antonio.fontes

On 11.04.2012 03:41, vanderaj vanderaj wrote:
> Dinis,
> So essentially, the only folks who can't get paid are those who do. the.
> work. 
> No worries. Loud and clear.
> I must remember that the next time I think I want to sign up to sit in
> my office for months on end away from my family and friends. 
> thanks,
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list