[Owasp-leaders] Why OWASP can't pay OWASP Leaders

Antonio Fontes antonio.fontes at owasp.org
Wed Apr 11 13:49:18 UTC 2012

Hi Eoin,

Sorry for the misunderstanding, I mean that leaders' duties don't include
contributing to projects. Not that they should not contribute to them if
they want to.

Now, if we look at the example of stale OWASP projects that were started
by their leaders, they also stopped evolving because their leader
stopped contributing to it.

The explanation is simple: these leaders enhanced their role to
contributors (even from the beginning) instead of looking for
contributors. Suddenly, for availability or motivation reasons, they
could not continue investing time in their project and didn't even
realize they were also giving up their leadership responsibilities.

This results in a quite perverse situation because it may actually
refrain motivated contributors from working on a project because there
is no leadership in it.

A leader should be a leader first. If he/she suddenly wants to
contribute to the project AND if she/he can afford it without
sacrificing the leadership responsibility, only on these conditions
should he/she contribute.

That's what I meant :)

Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
  skype: antonio.fontes

On 11.04.2012 15:34, Eoin wrote:
> Hey Antonio,
> Leaders should not contribute to projects?
> Most projects exist because of the leaders' contributions.
> Sorry if I am not understanding you correctly? :)
> On 11 April 2012 14:27, Antonio Fontes <antonio.fontes at owasp.org> wrote:
>     I agree with Dinis, leaders should not be paid.
>     Basically, the inner concept of a leader doing the actual work is
>     basically wrong. If leaders want to work on guides or tools or
>     whatsoever OWASP project (or chapter), then they should consider
>     resigning from their position as leaders and instead become
>     contributors, or reviewers, or developers, or whatsoever title they may
>     find attractive. As leaders, I personally believe that these actually do
>     more harm to OWASP projects than they help.
>     This applies to chapter leaders also. At both summits I attended, I
>     heard several chapter leaders reporting that organizing local meetings
>     takes too much of their time. While investing lots of their personal
>     time in literally doing all the work may sound honorable, it's not the
>     reason why they are (or should be) elected as leaders.
>     To the contrary, a leader must emphasize on:
>     - insufflating the inspiration and motivation in the contributors of a
>     project
>     - identifying, locating, contacting, planning, organising, inspiring,
>     motivating and managing (or surrounding him-herself with) the most
>     appropriate resources who can help him/her achieve the mission.
>     In a project leadership position, this practically translates into:
>     - Defining the project mission statement with clear and easy words,
>     understanding and expressing the need that is being answered and the
>     response to this need, defining the deliverables that would satisfy this
>     need and how the leader sees a path towards the construction and the
>     delivery of these deliverables.
>     - Looking for end-users (sometimes, it would be the project leader
>     itself) and contributors (designers, coders, reviewers/testers,
>     documenters, etc.) that may benefit from participating in such a project
>     (also known as looking for win-win situations) in other ways than just
>     earning some cash.
>     - Driving these end-users and contributors in such a way that it meets
>     the project mission and deliverables.
>     Most projects that stale right now are either led by people:
>     - who don't use the tool anymore and who were its original user
>     - who created an ecosystem in which their actual work is necessary to
>     keep the project alive, hence its death when the leader suddenly starts
>     working at a real job
>     - who dreamed of receiving the glorious title of "OWASP Project Leader"
>     (and all its benefits) and who actually have no clue on where to go next
>     - who have a vision but don't know how to turn it into real stuff <---
>     these guys DEFINITELY NEED HELP/SUPPORT from a project manager (which
>     rebounds to another discussion on the need for dedicated professional
>     support inside OWASP).
>     This also applies to chapter meetings. Being a chapter leader mostly
>     requires organizing meetings. This translates to:
>     - Envisioning the meeting itself: its size, its venue, its agenda, its
>     date, etc.
>     - Looking for people who want to help. Believe me: a lot of people
>     actually want to help you FOR FREE. There are people who want to help
>     you find a venue, others who want to help you find speakers, others who
>     want to help you manage the registrations, etc. Even some others who
>     want to financially support your meeting just to allow them to appear
>     anywhere in it.
>     As a leader, whether on a project or chapter, two major skills are
>     required and they have nothing to do with application security:
>     - the ability to connect people from different backgrounds and make them
>     work together to turn a vision into real stuff.
>     - the ability to recognize that they no longer do their job and should
>     reconsider transferring their responsibility to someone else.
>     More practically, being a leader MOSTLY results in:
>     - sending emails to the right people
>     - answering emails from these people
>     - attending a few conference calls through skype
>     If your vision of a leader's duties includes much more work than that,
>     then there is a high probability that you are doing the work that
>     someone else wants to do, for free, just because he/she wants to help
>     you or benefits from helping you.
>     A little thought to those who still don't believe we need to hire people
>     at OWASP: a not-for-profit organization means a not-for-profit
>     organization. In no way does it mean "unrewarded workers", it just
>     means that whatever the revenue, it remains strictly invested in
>     achieving the mission and nothing else, whether that revenue be 10$ or
>     10m$. OWASP needs some core resources to be hired as professionals to
>     make sure that the entire ecosystem of volunteers can actually do their
>     work in the best conditions. These professionals do not need to
>     understand anything about application security: if you work for a
>     security company which employs an accountant, just ask her/him to list
>     you at least one item from the OWASP Top 10. I am sure you would not
>     fire her/him for being such an ignorant, would you? These people should
>     earn a normal salary, neither lower nor higher than elsewhere, that is
>     entirely and strictly disconnected from any incentive to increase yearly
>     revenue but rather making sure it is allocated the smartest way.
>     Considering that I am not a project leader myself, I understand I may be
>     completely out of bounds in some parts of my reply. I sincerely apologize
>     if I hurt someone with this, please consider it just as a proposition
>     resulting from a "personal view on things".
>     Finally, I am also in the SHAMEFUL situation of a Chapter Leader who
>     hasn't been doing his job for the last months and I sincerely hope that
>     writing this email will have the retro-consequence of kicking up my
>     own a.s!
>     Antonio
>     --
>     Antonio Fontes
>     OWASP Switzerland, board member
>     OWASP Geneva, chapter leader
>      skype: antonio.fontes
>     On 11.04.2012 03:41, vanderaj vanderaj wrote:
>     > Dinis,
>     >
>     > So essentially, the only folks who can't get paid are those who do. the.
>     > work.
>     >
>     > No worries. Loud and clear.
>     >
>     > I must remember that the next time I think I want to sign up to sit in
>     > my office for months on end away from my family and friends.
>     >
>     > thanks,
>     > Andrew
>     >
>     >
>     > _______________________________________________
>     > OWASP-Leaders mailing list
>     > OWASP-Leaders at lists.owasp.org
>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> Eoin Keary
> OWASP Global Board Member (Vice Chair)
> https://twitter.com/EoinKeary
