[Owasp-leaders] Vote by email: Establishing OWASP Regional Security Councils

Andrew van der Stock vanderaj at owasp.org
Thu Jan 7 04:28:56 UTC 2016


As you can tell from my discussion, in its current form and without it
being seconded or discussed, it would be a no from me at this stage. This
is *not* my formal vote on this matter, as I believe it can be shaped into
a voting package with a bit of work to define what it really is.

Let's work on it a bit more as I'm roughly supportive of your initiative
and I think your heart is in the right place. Let's just make it better so
it can succeed before we plow on to a vote.

Anything like this that comes up for a Board vote should be sent to the
board list for openness and transparency reasons. We had so many
unnecessary OTR conversations last year, when only a tiny handful really
required us to be circumspect in our public handling of the discussion. Can
we as a Board please ensure that we use the Board list unless it's
absolutely necessary to go offline?

thanks,
Andrew

On Thu, Jan 7, 2016 at 2:07 PM, Tom Brennan <tomb at proactiverisk.com> wrote:

> Is your vote No or abstain?
>
>
> On Wednesday, January 6, 2016, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>
>> Tom,
>>
>> Beyond the strategic focus of projects, there's not a lot of governance
>> in this at all; we don't want to create mini-boards, nor more rudderless
>> committees that have failed in the past.
>>
>> I'd like to see:
>>
>> What they are responsible for, specifically? If they are just projects
>> and not community or outreach, let's make that clear. I think given that
>> many projects are worldwide, delegating down to regional levels is not
>> really going to work. ASVS has leadership in Australia (Asia Pac), UK
>> (Europe), and US (North America). Many projects would struggle with this
>> alignment.
>>
>> Secondly, you miss a critical regional OWASP super power - India. India
>> is almost always squished into EMEA or Asia Pac by western firms, but it's
>> not really a part of either grouping, and it's so big it pretty much
>> deserves to be on its own. I would like to hear from Indian chapter and
>> project leaders to see how we can make this work for them, if they would
>> prefer to be part of EMEA or AsiaPac, or their own thing.
>>
>> If we are delegating our responsibility over projects, who do they report
>> to? In my view, it must be Claudia, who reports to Paul who reports to us.
>> If they report to us, that bypasses the Foundation staff's role of doing
>> stuff and is a vote of no confidence in our staff. I would like it very
>> much if it was made clear as to how the lines of reporting work, and to make
>> sure Claudia can manage and delegate work off to the regional committees so
>> that they work on strategically aligned things rather than any old random
>> thing.
>>
>>
>>    - What they are doing is measurable? How do we measure success?
>>    - What they are doing is actionable? What specific steps are required
>>    for success?
>>    - What they are doing is realistic? Volunteer time is incredibly
>>    valuable, and they tend to work on things that appeal to them. Is it
>>    realistic to expect folks to work on things that they may not enjoy doing
>>    as a precursor to global board eligibility?
>>    - What they are doing is either time boxed or at least not open
>>    ended. This is the mistake we had last time, it was BAU make work that
>>    failed because no one wants to do BAU make work.
>>    - What sort of funding envelope will they have at their disposal? If
>>    it's the CEF and Projects budget, how does that impact project autonomy?
>>
>>
>> I'm keen to try out anything that really helps at a regional level, but
>> it can't just be the creation of more committees who don't know what they
>> are doing other than "do first, ask for forgiveness later". That's how all
>> of our previous committees failed. Let's not make the mistakes of the past.
>> Let's make it better with a bit more detail around the edges so they can
>> succeed.
>>
>> thanks,
>> Andrew
>>
>>
>>
>>
>> On Thu, Jan 7, 2016 at 10:38 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>>> Yes
>>>
>>> On Wed, Jan 6, 2016 at 1:58 PM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> *Board Members:*
>>>>
>>>> A vote by email has been requested per *section 3.09 *Foundation Bylaws
>>>>
>>>> https://www.owasp.org/images/e/e1/OWASPByLawsOfficial-25Sept2015CLEAN.pdf
>>>>
>>>> *Motion:*
>>>> Approve the establishment of Regional Representation of OWASP
>>>> Foundation to focus on the core projects and efforts of the foundation to
>>>> be known as:
>>>>
>>>> -- Asia-Pacific Security Council (APSC)
>>>> -- North America Security Council (NASC)
>>>> -- Europe Middle East and Africa Security Council (ESC)
>>>> -- Latin America Security Council (LASC)
>>>>
>>>> VOTES (please reply-all with your vote)
>>>> Tom - Motion / Yes
>>>> Jim -
>>>> Tobias -
>>>> Matt -
>>>> Anthony -
>>>> Michael -
>>>> Josh -
>>>>
>>>> *On Background:*
>>>>
>>>> *OWASP is built on self-organized efforts bottom up.*  Regional and
>>>> cultures are different around the world... never mind time zones.  OWASP
>>>> needs to reenergize regional coordination of projects activities, events,
>>>> summits, etc.  The motion is requesting a formal approval process to
>>>> establish regional advisory councils/committees as the first order of
>>>> business for our community volunteers in 2016. Each committee should be
>>>> 8-12 people.  Since we have "45,000" people in the community should not be
>>>> too hard to pick +/- 40 from the membership of 2508 as of today.
>>>> https://docs.google.com/spreadsheets/d/1-yoQ0XTBPfmZEvVSvXey0w3nGZXG2Ctbn3o_mXL7dAU/edit
>>>>
>>>> Once approved OWASP has highlighted and empowered more volunteers to
>>>> self-organize and participate on core aspects of OWASP Foundation and
>>>> recognition of their time investment, locally and raises visibility
>>>> globally in key regions.
>>>>
>>>> *FAQ1*
>>>> *How do we then fill the Councils with members?*
>>>>
>>>> *Step #2 is simple*, the board will ask for self nominations, solicit
>>>> and appoint interested parties vetted with assistance of community members
>>>> and staff associated with industry users and/or leaders of projects to be
>>>> appointed for a (1) year term to these advisory boards. *This creates
>>>> quick and swift action and energy around the world aligned to the mission
>>>> of the charity and the strategic goals of 2016.*
>>>>
>>>> *FAQ2*
>>>> *But isn't that why Committee 2.0 was created?*
>>>>
>>>> Yes, but it needs help to get off the ground and implementation. So to
>>>> jump start it, you must start off with one year appointment of task forces
>>>> then we can follow Committee 2.0
>>>> https://owasp.org/index.php/Governance/OWASP_Committees and adjust as
>>>> needed.  This fantastic guidance document has had unfortunately no action
>>>> taken by the community so we need to *JUMP START IT *and the community
>>>> will evolve bottom up.
>>>>
>>>> *FAQ3*
>>>> *How do we know what they are working on?*
>>>> Not a big fan of micro management.. but I agree that if it is worth
>>>> doing, funding then metrics should be measured. Requesting a summary
>>>> roll-up report from each committee chairman simply outlining PLANS for next
>>>> three months, PROGRESS from last three months and PROBLEMS that they may
>>>> need the board to noodle on and help with.  This should be supplied
>>>> starting with Q2 board meeting to update on any efforts that they have self
>>>> organized and to demonstrate the cascading communication (
>>>> https://www.owasp.org/index.php/OWASP_Strategic_Goals) of strategic
>>>> goals globally
>>>>
>>>> In addition to encouraging virtual meetings, the groups will self
>>>> regulate and will likely rally at min.,  2x per year. 1x locally at
>>>> regional project summary  and 1x at global project summit off-site.  This
>>>> will self level.
>>>>
>>>> *FAQ4*
>>>> *What are the roles of the OWASP staff in these groups?*
>>>> The councils are self-organized by the regional members. Employees aka:
>>>> OWASP Foundation Operations provide support to EVERYONE so if a council
>>>> needs something they can request it just like everyone does everyday
>>>> example: https://www.tfaforms.com/308703 and the requests will be
>>>> responded to or escalated as needed.  We are establishing working
>>>> committees and leaders in regional groups, this is going back to basics and
>>>> helping to drive regional coordination and advisory status.
>>>>
>>>> *FAQ5*
>>>> *Who do you think should be appointed Tom?*
>>>>
>>>> IMHO Tip of my tongue are the candidates from 2015/2014 elections in
>>>> their regions of the world have already stated the "why me" let's not lose
>>>> that energy rather encourage it!
>>>>
>>>> Abbas Naderi Afooshteh
>>>> Jonathan Carter
>>>> Bill Corry
>>>> Nigel Phair
>>>> Milton Smith
>>>> Timur Khrotko
>>>> Tahir Khan
>>>> <insert others that are regionally recognized by their peers have
>>>> expressed they want to help the OWASP Mission>
>>>>
>>>> *FAQ6*
>>>> *We need a taskforce or a committee for X this will mess that up...*
>>>> When a defined need is established for a short or long term taskforce,
>>>> project, committee etc...etc.. the first thing we do is ask each of these
>>>> councils to represent their region of the world and take an active part in
>>>> the discussion.  If that does not fit then it does not limit an additional *"get
>>>> things done committee"* to work on and as we know is true it will be a
>>>> collection of people that have time to volunteer and that is OPEN to
>>>> everyone.
>>>>
>>>> *FAQ7*
>>>> If we do this will it upset the annual election process?
>>>> *It will enhance it actually..... *This model provides a pool of 40+
>>>> vetted people in the community that if they want to serve on a regional
>>>> board and then run for a global board they have a proven track record of
>>>> getting things done.
>>>>
>>>> *FAQ8*
>>>> If more discussion is needed happy to discuss on the NEXT board meeting
>>>> OR if you prefer to discuss it more just call me to understand the spirit
>>>> of the end goal.
>>>>
>>>> Skype: proactiverisk
>>>> Phone: 973-506-9304
>>>>
>>>> Tom Brennan
>>>> Global Board Member
>>>> OWASP Foundation
>>>>
>>>>
>>>>
>>>>
>>>> The information contained in this message and any attachments may be
>>>> privileged, confidential, proprietary or otherwise protected from
>>>> disclosure. If you, the reader of this message, are not the intended
>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>> copying or use of this message and any attachment is strictly prohibited.
>>>> If you have received this message in error, please notify the sender
>>>> immediately by replying to the message, permanently delete it from your
>>>> computer and destroy any printout.
>>>>
>>>>
>>>
>>
>
> --
>
> Tom Brennan
> ProactiveRISK | www.proactiverisk.com
> 973-506-9304
>
> Need to book time with me to discuss an existing or a future project click
> on my virtual calendar https://secure.scheduleonce.com/TomBrennan
>
>
>