[Owasp-leaders] My views on Sarah's appointment

Jon Molesa rjmolesa at owasp.org
Thu May 30 16:01:26 UTC 2013

I feel the need to weigh in here. I can see both sides of the issue having
been involved at the executive level of other organizations in the past.

First, the board is democratically elected and as such are supposed to
represent the views, opinions, and visions of the members who nominated and
elected them to power. Executive boards generally have been given the power
to make decisions that they believe are the best for the organization
without having to run every decision by the entire body. Trusting in our
elected leaders to fulfill their promises and exercise good judgment is why
we as a body have the board in place. Having to run every decision past the
general population defeats much of the purpose of having a board in place.

However, there are times when decisions they make can be seen in a way not
as intended. This usually occurs, in my experience and opinion, where money
is involved. Because the resources belong to the entire membership, who in
many cases helped raise the funds, it can be viewed as the board acting on
self-serving interests. It also commonly happens around appointments of

An example from my past is when a board met at a Wendy's and approved the
allocation of a large sum of money without the knowledge or consent from
the organization's members. It was viewed as a reckless and careless act by
the members. The ironic thing is that the board's approval did go to vote by
the membership and it was passed. Later, however, it was discovered that
many folks didn't understand what they were voting on and became very upset
that it wasn't discussed. Following that event there was a lot of
discussion and proposed amendments to the Constitution and By-laws to limit
what the board could do. I found the whole thing somewhat amusing because
generally the members didn't pay attention, follow along, or even discuss
issues. Most people try to avoid conflict. And it did in fact somewhat
negate even having a board. Ultimately I left that organization due to the
politics becoming too much to effectively navigate. Most of the meetings
revolved around appropriate use of power and money rather than the stated
mission of the organization.

In this case, at OWASP, I believe the board acted within the confines of
their delegated power and authority. The decision for the position of
Executive Director was discussed for some time on this list as I recall. I
don't recall any serious objections to the idea. However, that doesn't seem
to be the issue. The issue seems to be around the selection of the person
to fill that role. Again, I don't believe the board acted outside of their
delegated authority. Though there is a perception that the selection was
not fair and democratic. I do not know what if any written rules or
guidelines are in place as to how the position is to be filled, but at this
time it's almost a moot point.

My suggestion going forward is that if a majority of the population
feels the board acted inappropriately in this matter and there aren't any
clearly written rules that dictate how the role is filled, selection
criteria, hiring and firing is to be handled, then some should be drafted.
If they do exist then review the actions of the board against the
documentation. If they acted inappropriately, nominate and elect candidates
that better represent the vision of the population.

I do want to warn though that it would be very unproductive for the person
in any staff position to be replaced any time there is a new board. It
would be difficult for anyone to complete a task or goal. They would also
have little motivation to act on OWASP's behalf if they believed their
efforts were not valued and were going to be replaced with the next board.

I don't know if I'm making sense or not or if anyone really cares. It just
reminds me of something that occurred in the past that
had devastating effects on the organization. A friend of mine says that
perception is reality. I don't always agree with that sentiment, but in
many cases it happens to be true. We always view reality through our own
filters. If people believe that the board acted inappropriately on any
matter, whether they did or not, there's a perception management issue that
needs to be addressed.

My .02.

On Fri, May 24, 2013 at 12:05 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Well I have written a model I like on An Idea of a new model for OWASP <http://blog.diniscruz.com/2012/10/an-idea-of-new-model-for-owasp.html>,
> which if you look at it is based on an OWASP structure:
> a) driven by the OWASP leaders energy, activities and actions
> b) supported by a strong, cohesive, motivated and empowered OpsTeams (i.e
> OWASP employees)
> c) kept in check by a group (which you can call a 'Board' if you want)
> that mainly deals with community/cultural issues
> And I quite like your reference of Ricardo Semmlers <http://en.wikipedia.org/wiki/Ricardo_Semler> and its Industrial
> democracy <http://en.wikipedia.org/wiki/Industrial_democracy> , and if
> more organizations (like OWASP implement similar models, then it will
> stop becoming an outlier model :)  )
> I also agree that what is done is done and nothing can be done about it,
> which is why I proposed a number of solutions in my blog post <http://blog.diniscruz.com/2013/05/sarah-baso-as-owasp-executive-director.html> specially
> the first two, which are aimed at fixing the new OpsTeam model that break
> the b) point made above
> My key problem with the current OWASP structure is that we evolved into a
> model where there is a huge amount of really talented OWASP leaders spent
> on 'organisational and political' stuff, which frankly should be handled
> and delegated to the OPsTeam. We need energy spent on getting stuff done and
> fixing application security challenges, not be involved in political fights.
> Dinis Cruz
> On 24 May 2013 16:17, David (dmalloc) <dmalloc at users.sourceforge.net> wrote:
>> mparsons at parsonsisconsulting.com wrote:
>> > +1 Dinis
>> I do not get the point of this thread nor the blog entry. If I was to
>> break out my Lean hat, I would consider this a waste.
>> We can argue the moral implications of the selection process for the
>> next few years and we would not find a consensus. As much as I think
>> Dinis wants to create an organization in Ricardo Semmlers image, I also
>> know that his success was probably a statistical outlier. Otherwise
>> there would be thousands of organizations right now where everyone is
>> equal and all is done by consent.
>> I wish you luck in that endeavour, Dinis I applaud your passion and vigour.
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Jon Molesa
rjmolesa at owasp.org

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
and lsat ltteer are in the rghit pclae. The rset can be a toatl mses  and
you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
out aynawy.

... so please excuse me for every typo in the email above.

Reference: https://github.com/Ettercap/ettercap/blob/master/README