[Owasp-leaders] [Owasp-board] Vote by email: Establishing OWASP Regional Security Councils

Tom Brennan tomb at owasp.org
Wed Jan 13 16:24:09 UTC 2016


Talk about it tonight at the monthly board meeting; it's on the agenda.


On Wed, Jan 13, 2016 at 10:19 AM, Tobias <tobias.gondrom at owasp.org> wrote:

> Hi all,
> Josh, thank you very much for explaining the basic operation of the board
> to Tom.
> Frankly I was a little surprised about his approach. As he was already a
> board member before and has been part of the mailing-lists over a long
> time, I thought the procedure would have been clear. But maybe we need to
> provide better documentation. Hopefully your explanation could already help
> with that. If more information is needed, we could offer some additional
> explaining in an individual call outside the regular meeting to explain the
> basic procedure again if that helps.
> One more comment: topics that shall lead to a vote or board discussion
> should be at least cc'ed to the board list. That is the purpose of that
> list.
> Best regards, Tobias
> Ps.: btw. if volunteers from the regions like to create regional boards,
> this can be done already today without a vote. There is the committee 2.0
> procedure that allows for that. No board vote required. All it takes is the
> volunteers who want to do the work and spend the time for it. :-)
> On 07/01/16 11:15, Josh Sokol wrote:
> Tom,
> Proper protocol would require a second of your motion, followed by a
> discussion, followed by a vote.  I have similar concerns as Andrew and
> can't say that I'm convinced that this is warranted.  I would like to have
> more time to digest what this is actually intended to accomplish, and
> perhaps socializing it with the community to see if they have interest,
> before voting for it.
> ~josh
> On Wed, Jan 6, 2016 at 9:07 PM, Tom Brennan <tomb at proactiverisk.com>
> wrote:
>> Is your vote No or abstain?
>> On Wednesday, January 6, 2016, Andrew van der Stock <vanderaj at owasp.org>
>> wrote:
>>> Tom,
>>> Beyond the strategic focus of projects, there's not a lot of governance
>>> in this at all; we don't want to create mini-boards, nor more rudderless
>>> committees that have failed in the past.
>>> I'd like to see:
>>> What they are responsible for, specifically? If they are just projects
>>> and not community or outreach, let's make that clear. I think given that
>>> many projects are worldwide, delegating down to regional levels is not
>>> really going to work. ASVS has leadership in Australia (Asia Pac), UK
>>> (Europe), and US (North America). Many projects would struggle with this
>>> alignment.
>>> Secondly, you miss a critical regional OWASP super power - India. India
>>> is almost always squished into EMEA or Asia Pac by western firms, but it's
>>> not really a part of either grouping, and it's so big it pretty much
>>> deserves to be on its own. I would like to hear from Indian chapter and
>>> project leaders to see how we can make this work for them, if they would
>>> prefer to be part of EMEA or AsiaPac, or their own thing.
>>> If we are delegating our responsibility over projects, who do they report
>>> to? In my view, it must be Claudia, who reports to Paul who reports to us.
>>> If they report to us, that bypasses the Foundation staff's role of doing
>>> stuff and is a vote of no confidence in our staff. I would like it very
>>> much if it was made clear as how the lines of reporting work, and to make
>>> sure Claudia can manage and delegate work off to the regional committees so
>>> that they work on strategically aligned things rather than any old random
>>> thing.
>>>    - What they are doing is measurable? How do we measure success?
>>>    - What they are doing is actionable? What specific steps are
>>>    required for success?
>>>    - What they are doing is realistic? Volunteer time is incredibly
>>>    valuable, and they tend to work on things that appeal to them. Is it
>>>    realistic to expect folks to work on things that they may not enjoy doing
>>>    as a precursor to global board eligibility?
>>>    - What they are doing is either time boxed or at least not open
>>>    ended. This is the mistake we had last time, it was BAU make work that
>>>    failed because no one wants to do BAU make work.
>>>    - What sort of funding envelope will they have at their disposal? If
>>>    it's the CEF and Projects budget, how does that impact project autonomy?
>>> I'm keen to try out anything that really helps at a regional level, but
>>> it can't just be the creation of more committees who don't know what they
>>> are doing other than "do first, ask for forgiveness later". That's how all
>>> of our previous committees failed. Let's not make the mistakes of the past.
>>> Let's make it better with a bit more detail around the edges so they can
>>> succeed.
>>> thanks,
>>> Andrew
>>> On Thu, Jan 7, 2016 at 10:38 AM, Bev Corwin <bev.corwin at owasp.org>
>>> wrote:
>>>> Yes
>>>> On Wed, Jan 6, 2016 at 1:58 PM, Tom Brennan - OWASP <tomb at owasp.org>
>>>> wrote:
>>>>> *Board Members:*
>>>>> A vote by email has been requested per *section 3.09 *Foundation
>>>>> Bylaws
>>>>> https://www.owasp.org/images/e/e1/OWASPByLawsOfficial-25Sept2015CLEAN.pdf
>>>>> *Motion:*
>>>>> Approve the establishment of Regional Representation of OWASP
>>>>> Foundation to focus on the core projects and efforts of the foundation to
>>>>> be known as:
>>>>> *-- Asia-Pacific Security Council (APSC)*
>>>>> *-- North America Security Council (NASC)*
>>>>> *-- Europe Middle East and Africa Security Council (ESC)*
>>>>> *-- Latin America Security Council (LASC)*
>>>>> VOTES (please reply-all with your vote)
>>>>> Tom - Motion / Yes
>>>>> Jim -
>>>>> Tobias -
>>>>> Matt -
>>>>> Anthony -
>>>>> Michael -
>>>>> Josh -
>>>>> *On Background:*
>>>>> *OWASP is built on self-organized efforts bottom up.*  Regional and
>>>>> cultures are different around the world... never mind time zones.  OWASP
>>>>> needs to reenergize regional coordination of projects activities, events,
>>>>> summits, etc.  The motion is requesting a formal approval process to
>>>>> establish regional advisory councils/committees as the first order of
>>>>> business for our community volunteers in 2016. Each committee should be
>>>>> 8-12 people.  Since we have "45,000" people in the community should not be
>>>>> too hard to pick +/- 40 from the membership of 2508 as of today.
>>>>> https://docs.google.com/spreadsheets/d/1-yoQ0XTBPfmZEvVSvXey0w3nGZXG2Ctbn3o_mXL7dAU/edit
>>>>> Once approved OWASP has highlighted and empowered more volunteers to
>>>>> self-organize and participate on core aspects of OWASP Foundation and
>>>>> recognition of their time investment, locally and raises visibility
>>>>> globally in key regions.
>>>>> *FAQ1*
>>>>> *How do we then fill the Councils with members?*
>>>>> *Step #2 is simple*, the board will ask for self nominations, solicit
>>>>> and appoint interested parties vetted with assistance of community members
>>>>> and staff associated with industry users and/or leaders of projects to be
>>>>> appointed for a (1) year term to these advisory boards. *This creates
>>>>> quick and swift action and energy around the world aligned to the mission
>>>>> of the charity and the strategic goals of 2016.*
>>>>> *FAQ2*
>>>>> *But isn't that why Committee 2.0 was created?*
>>>>> Yes, but it needs help to get off the ground and implementation. So to
>>>>> jump start it, you must start off with one year appointment of task forces
>>>>> then we can follow Committee 2.0
>>>>> https://owasp.org/index.php/Governance/OWASP_Committees and adjust as
>>>>> needed.  This fantastic guidance document has had unfortunately no action
>>>>> taken by the community so we need to *JUMP START IT *and the
>>>>> community will evolve bottom up.
>>>>> *FAQ3*
>>>>> *How do we know what they are working on?*
>>>>> Not a big fan of micro management.. but I agree that if it is worth
>>>>> doing, funding then metrics should be measured. Requesting a summary
>>>>> roll-up report from each committee chairman simply outlining PLANS for next
>>>>> three months, PROGRESS from last three months and PROBLEMS that they may
>>>>> need the board to noodle on and help with.  This should be supplied
>>>>> starting with Q2 board meeting to update on any efforts that they have self
>>>>> organized and to demonstrate the cascading communication (
>>>>> https://www.owasp.org/index.php/OWASP_Strategic_Goals) of strategic
>>>>> goals globally
>>>>> In addition to encouraging virtual meetings, the groups will self
>>>>> regulate and will likely rally at min.,  2x per year. 1x locally at
>>>>> regional project summary  and 1x at global project summit off-site.  This
>>>>> will self level.
>>>>> *FAQ4*
>>>>> *What are the roles of the OWASP staff in these groups?*
>>>>> The councils are self-organized by the regional members. Employees
>>>>> aka: OWASP Foundation Operations provide support to EVERYONE so if a
>>>>> council needs something they can request it just like everyone does
>>>>> everyday example: https://www.tfaforms.com/308703 and the requests
>>>>> will be responded to or escalated as needed.  We are establishing working
>>>>> committees and leaders in regional groups, this is going back to basics and
>>>>> helping to drive regional coordination and advisory status.
>>>>> *FAQ5*
>>>>> *Who do you think should be appointed Tom?*
>>>>> IMHO Tip of my tongue are the candidates from 2015/2014 elections in
>>>>> their regions of the world have already stated the "why me" let's not lose
>>>>> that energy rather encourage it!
>>>>> Abbas Naderi Afooshteh
>>>>> Jonathan Carter
>>>>> Bill Corry
>>>>> Nigel Phair
>>>>> Milton Smith
>>>>> Timur Khrotko
>>>>> Tahir Khan
>>>>> <insert others that are regionally recognized by their peers have
>>>>> expressed they want to help the OWASP Mission>
>>>>> *FAQ6*
>>>>> *We need a taskforce or a committee for X this will mess that up...*
>>>>> When a defined need is established for a short or long term taskforce,
>>>>> project, committee etc...etc.. the first thing we do is ask each of these
>>>>> councils to represent their region of the world and take an active part in
>>>>> the discussion.  If that does not fit then it does not limit an additional *"get
>>>>> things done committee"* to work on and as we know is true it will be
>>>>> a collection of people that have time to volunteer and that is OPEN to
>>>>> everyone.
>>>>> *FAQ7*
>>>>> If we do this will it upset the annual election process?
>>>>> *It will enhance it actually..... *This model provides a pool of 40+
>>>>> vetted people in the community that if they want to serve on a regional
>>>>> board and then run for a global board they have a proven track record of
>>>>> getting things done.
>>>>> *FAQ8*
>>>>> If more discussion is needed happy to discuss on the NEXT board
>>>>> meeting OR if you prefer to discuss it more just call me to understand the
>>>>> spirit of the end goal.
>>>>> Skype: proactiverisk
>>>>> Phone: 973-506-9304
>>>>> Tom Brennan
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> The information contained in this message and any attachments may be
>>>>> privileged, confidential, proprietary or otherwise protected from
>>>>> disclosure. If you, the reader of this message, are not the intended
>>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>>> copying or use of this message and any attachment is strictly prohibited.
>>>>> If you have received this message in error, please notify the sender
>>>>> immediately by replying to the message, permanently delete it from your
>>>>> computer and destroy any printout.
>> --
>> Tom Brennan
>> ProactiveRISK | www.proactiverisk.com
>> 973-506-9304
>> Need to book time with me to discuss an existing or a future project
>> click on my virtual calendar https://secure.scheduleonce.com/TomBrennan

Tom Brennan