Board Strategy September 2023
Wednesday, October 25, 2023
Three days (totalling nearly 30 hours) with four remote joiners and four in person. One boardroom, one Zoom session (each day; recordings to be made available soon), many litres of coffee and a single focus on OWASP and securing the future of this Foundation.
So, what did we cover? What did we decide? What are the next steps?
Warning: it’s a long read…
The TL;DR is that the Board has plans to make changes to ensure the Foundation is on the right track for the future. We managed to discuss:
- Discussion on By-laws - we need to adopt new ones and those needed some talking about;
- Discussion on Policies - we want to ensure that these are simple and less “red tape”;
- Discussion on Committees - we want to empower the committees and ensure that they are effective;
- Discussion on Funding - covering both project and general funding options;
- Discussion on Structure - looking at the board structure and how the staffing needs to change;
- Discussion on Outreach - this is key to the strategy of the board and needed much discussion;
- Discussion on Projects - a massive topic, discussed throughout (and notes added there); and
- Discussion on (it turns out) Events - an open topic that ended up being all about Events
Discussion on By-laws
We talked about the by-laws and assigned folks to reach out to the missing directors on the list. Once we have given those details to the lawyers they will initiate the signing process. If we need changes to the by-laws we should make them before then, so everyone was given homework to do, namely to read the by-laws and make notes before Monday 18th of September, when Grant and Andrew will meet to prepare the by-laws for distribution.
Discussion on Policies
We appointed a Board sub-committee on Policy (Avi, Bil and Vandana) to work with Andrew to produce a list of the policies required by law and those expected by the by-laws, and then to review the remaining policies to see which of them we still need or want. They will get that list ratified by the lawyers and bring it back to the board, where we will divide and conquer the policies as a group.
Discussion on Committees
We discussed the role of Committees and defined them as the hands of the Board, with clear direction and power assigned to them. We talked about how each committee should have a Board shepherd and a Staff liaison, and that each should present its progress and status to the Board at regular intervals. We talked about the possible Committees that should exist and the culture we need to create in them. The following committees are currently planned:
| Committee | Board Shepherd | Staff Liaison |
|---|---|---|
| Project Committee | Matt / Avi | Harold |
| Event Committee | Vandana / Avi | Lauren |
| Diversity Equality & Inclusion Committee | Vandana / Avi | Lauren |
| Outreach & Membership Committee | Grant | Dawn |
| Education & Training Committee | Ricardo | Harold |
Step one is to get the committees staffed up (where they currently are not) and then ensure that each charter actually gives the committee the power to make decisions and holds it to outcomes.
Discussion on Funding
We spent a lot of time talking about funding sources and options, and we looked at a couple of examples of funding options that already work within OWASP projects.
The three examples of project-specific funding that work in OWASP are the:
- SAMM model;
- DefectDojo model; and
- CRS model
Essentially the models are productisation of OWASP projects, project income through donations, or a functional grants process. The last of these needs someone both to hunt for grants and match them to project work, and to manage the output of the projects working on grants to ensure the goals are achieved.
The SAMM model…
is effectively grant proposals: the SAMM team decides on packages of work and then asks for the funding required to create those packages. This puts some of the work of getting funding on the project itself, since the team creates the work packages, but it also gives the team more complete control over the direction the project takes.
The model works but relies (currently) on the Foundation having funding available, which limits how much can be done this way. If we had a process (and a dedicated person) to “shop” those work packages around, much more could be done in this way.
The DefectDojo model…
is where a commercial entity (in this case DefectDojo Inc.) is created to provide commercial services on top of the open source product. This is similar to other examples like OWASP ZAP and StackHawk Inc., or SecureFlag Platform and SecureFlag Ltd., but the key difference, and the real reason DefectDojo Inc. works while the others have not, is that the OWASP project needs to remain a viable project with a healthy community outside of the commercial entity, and the folks involved in the commercial entity need to have a real connection to the project.
Supporting project leaders who want to make their OWASP project their day-job is something the Foundation needs to find a way to do while at the same time ensuring the integrity of the projects and the value of the OWASP brand.
The CRS model…
is the more directed grants approach, where the project gets a major sponsor (or several) that provides it with resources (usually money, but sometimes other resources the project asks for) and that sponsor then asks for a number of items to be worked on or completed. This sits between the two previous models: there is no commercial entity running the project, but the sponsor directs it more than in the first grants instance (the SAMM model).
It’s not ideal, as the control often feels very much out of the project leader’s hands, but with the right pairing of project and sponsor it can work. Actively looking for these pairings and managing them is important and will need someone on staff to own it.
More generally we talked about the funding that various parts of the Foundation bring in, such as dues for individual membership, which would be a larger income source if we achieve our other goal of reaching out to developers as a target for our membership drives. Corporate supporters provide “membership” income as well, and although they are not members in the way individuals are, they do get to put a logo on the site and it ticks the boxes for them supporting a charity like OWASP.
We talked about the income sources from Events, namely training and conference ticket revenue and event sponsorship, and about wanting to see this income stream grow and the ways that can be achieved… more on this under Wednesday below.
We talked about the (currently) minor income sources like brand / trademark licensing and swag sales. These are revenue streams that we could definitely do more with; however, the board voted to get rid of the OWASPx conference branding option as it cannibalises our own events strategy.
Discussion on Structure
There are two parts to the OWASP structure discussion, namely the board structure (and the model of governance this would bring with it) and the staffing structure needed to support the current and future activities of the Foundation.
We discussed the possibility of expanding the board to the nine directors permissible under the new by-laws, and that this would be best done with a single new seat added for 2024 and the second seat introduced in 2025. This allows for a roll-over of four seats one year and five the following, rather than six and three if both seats were created in 2024. The seat for 2024 would be opened only after the by-laws are officially adopted, either before elections begin for the 2024 board or by the 2024 board themselves in the new year.
The board also voted to disband the compliance committee as of January 1st 2024, as the last remaining member of the committee has given notice as of that date. Instead, the board will appoint compliance officers with exactly the same goals as the committee had but falling clearly outside the committee’s policy (instead of being a glaring exception to that policy).
We discussed non-voting participants to the board, formalising the vCFO and legal advisor roles currently filled by service providers to the Foundation. We also started talking about getting insights from industry advisors and offering them some access to the board in return for that premium level of sponsorship - without compromising the board’s integrity or selling votes.
The discussions around staff structure were about ensuring that the most can be achieved by the Foundation with the resources we have available, and that accountability is paired with the mandates to get things done.
To that end the board proposes that the Executive Director put together a role description for a Director of Operations, who would primarily take on fund raising (as discussed earlier) and Marketing (as discussed later), and would engage with a marketing company and someone who specialises in grant hunting. Eventually, a grants coordinator and a marketing manager might be added to the staff count for those roles as the work picks up.
Longer term some other proposed additions to the staffing complement were discussed, to free up the individuals currently performing more than one role.
Discussion on Outreach
Outreach is a key element of the Foundation’s strategy that is not being given the right focus: our current Outreach Committee has no charter, does double duty with our DEI strategy and has only ad hoc funding at best. A clear steer from the board needs to be given, and the focus of this work needs to be equally split between two branches: membership and outreach.
We should also be targeting local events around the world, using local OWASP members in a co-marketing approach, and some strategic events leveraging (flagship) project leaders and engaging OWASP experts to speak at those events.
Membership should be targeting the acquisition of new members and ensuring the renewal of memberships, by focusing on why folks want to become members and why they remain members. The two roles that we are targeting for membership are AppSec Professionals and Developers, and the member benefits for each need to be thought through and marketed to them (for example by attending the events they attend).
Outreach should be targeting CISOs (who write the checks) and Developers (who write the code). The aims are to get developers to:
- use OWASP projects to improve the state of their code;
- contribute to those OWASP projects themselves;
- attend chapter meetings and events; and
- encourage them to become members
The aim with CISOs would be to get them to consider becoming corporate supporters of the Foundation, potentially even to join as industry advisors, and to encourage participation by the developers in their organisations as well as their own AppSec people.
Discussion on Projects
Projects obviously came up a lot during the discussions on Funding and on Structure, but there was a full half day dedicated to discussing the future of projects. Discussion was kicked off by underlining that every board member agrees that projects are fundamental and important to OWASP as a Foundation, and then by talking briefly about the departure of the ZAP core team and the Open Letter.
We then moved on to a number of project requests for support and how we would be able to meet those requests, beginning with the CycloneDX team’s list. Many of the outcomes of that discussion you’ve read about in the relevant sections above.
Some specifics not called out earlier are worth mentioning here: the board voted to rescind two project-related policies that were no longer enforced (thank goodness), as they were also just generally terrible:
- Project Spending Policy; and
- Project Sponsorship Policy
We also talked about the governance around projects that would need to happen if we want projects to grow the way they need to, as well as ways to make the Project Committee more effective.
We spent a bit of time talking about the automation that OWASP staff have built around projects, and ways to use it to support things like governance, project maturity “levelling up” and access to Foundation services (like Tweeting project milestones).
Parked Items 11th and 12th
A fair amount of the day was actually spent getting everything above to the points I described above, and it took us all of the morning and most of the afternoon to get there.
Any other business
As an open call for other business to put before the board was on the agenda, we used this opportunity to discuss Events. The board had quite a lot to talk about with regard to events, starting with the fact that events definitely need to continue to be a focus for us, so much so that they definitely need to grow. A number of local events approach (or even exceed) some of the global ones, and that needs to change.
We want the Events Team to:
- target a 5x growth in number of attendees within 2 to 3 years; and
- increase the revenue to 1.5 million USD annually.
In addition we wanted the revenue increase to come from corporate
Driving attendance up can be done by making the event low cost (or potentially free) for leaders to attend, offering educational pricing for students and more scholarships to a broader spectrum of folks to attend OWASP events, and by reducing the cost for ordinary attendees too, simply by lowering the ticket price.
The increased attendance, while reducing the income from ticket sales at an individual level, should lead to more interest from sponsors, allowing that income stream to increase. Combining this with a much improved and accordingly priced training portion of the conference would ensure that the increase in Event revenue comes from corporate sources, not individuals.