April 2020 Videoconference

Meeting Details

• Time: 12PM US Eastern, UTC 1700 convert
• Location: Remote
• Call-in: Zoom Meeting

Agenda

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

Previous Meeting Minutes

REPORTS

Organizational KPIs

• Membership 2,938 (228 increase from Last Month)
• Momentum: 560K visitors to website (6669K compared to 2019; decrease of 16.3%)
• Operations:
  • 96% of Service Desk tickets closed within SLA (worse from 100% last month)
  • 86.6% of Non-Funding tickets were closed within SLA (worse from 94.2% last month)
• Money: $1.4M Cash on hand. YTD Net income is -$81K (compared to budget -$156K which is better by $75K).

Financial

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for Mar 2020 which represents financial performance for the 3rd month of Fiscal year 2020. I have included the 2020 approved budget. All amounts are combined with the EU and converted to USD in these reports. This report is PREIMINARY as we will be going through and Audit for 2019 and as is customary we will keep the books open until the end of March to capture and trailing items:

One other note, while through Mar 2020 from a Net Income perspective, this will not continue due to the uncertain and turbulent nature of the world. Mike has worked hard on a few scenarios which he and I have reviewed and I agree with Mike that Scenario Z is the best course of Action for the Foundation to make it through this. As we have noted many times for the past 6 years the Foundation has become an events driven organization and relies heavily on the income from them. Mike and the Staff have worked very hard and we are seeing the efforts pay off with the increased numbers that are signing up for the “Virtual APSEC Days”.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $757.9K as compared to the budget of $762.3K. The results are Worse by $4.3K, with Conference income being $145K ahead of the 2020 budget, offsetting the other revenue lines that were under budget

Expenses: Total spending YTD 2020 is LESS than budget by $79.2K due to under spending in most of the depts. ( Conference expenses are over budget by $50.4K, and offset by the $90.1K underspending on the Summit.

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis is <-$81.5K which is BETTER than the YTD 2020 budget of negative -$156.4K by $74.9K.

Chapter Funds: US bal is $805.2K which is down $12K from the Feb 20 bal of $817.2K. EU Ch bal is $59.3K. Also US Proj bal is $180.5K. (which is UP $1.6K from Feb 20). EU Proj bal is $-5K

POINTS of NOTE:

With regard to Operating cash, the Liabilities (AP, accrued expenses, accrued Payroll, Apsec EU deferred revenue of $119K etc) of $309K added to the $1,040K of Ch/Proj balances is $1,348K , as compared to the $1,406K of cash, leaves us Positive Oper. Cash of $58K, for the time being(which is $35K better than Feb 20). Also Open AR is $189K which is down $91K from the Feb 20 balance of $280K. So if they were all to be collected we would have about $247K of Oper cash exclusive of what is owed to Chapters, and on avg our monthly expenses are about $110K which is just over 2 months of Oper cash reserve

At this point in the year we are flat to Budget on revenue and below budget on expenses which has us ahead of budget for Net Income as well as positive Oper cash exclusive of the Ch/Proj balances, which is very positive as we finish up the first qtr. of FY20.

• March 2020 Board Summary
• March 2020 Balance Sheet

Executive Director Report

OLD BUSINESS

NEW BUSINESS

1. Motion to authorize the Executive Director, exercising all necessary due diligence and care, as individually authorized to obligate the funds of the OWASP Foundation (OWASP), to execute agreements reflecting those obligations, and to further delegate this authority as deemed appropriate, for the purpose of organizing and hosting both:
   • (a) Global AppSec in Berlin on or before May 15, 2022 with a total expense budget not to exceed 825,000 EUROS and
   • (b) Global AppSec in San Francisco on or before November 1, 2021 with a total expense budget not to exceed $975,000.

2. Approve revised 2020 Budget Plan Model Z, in response to COVID-19 uncertain negative impact on finances of the Foundation. See Attached slides

3. Activate a Community Review Process to collect, evaluate, and incorporate feedback and suggestions for significant changes to OWASP, chapters, and projects
   • (a) website design and in particular the recognition of supporters of the Foundation
   • (b) Chapter tiers
   • (c) Fair and reasonable expenses
   • (d) Honorary memberships

4. Project Plans to be created and shared with the BoD for Global Conferences

5. One centralized OWASP calendar

   COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS
   

ADJOURNMENT

Executive Director Report

COVID-19 Response

Attached to this month’s New Business is the Executive Director’s report/plan for the remainder of 2020 considering the worldwide coronavirus pandemic. The economic plan is build with the most conservative event revenue forecast assuming ALL gatherings more than 50 people would be prohibited for the remainder of the year. The original ask from the Board was to only model SF, but if SF were to be cancelled many other events on our calendar would share the same fate.

We modeled several different outcomes and have presented three new, and our original approved plan for a total of four options. We are recommendation a hybrid of budget caps and new revenue activities to best mitigate the finanical impact of cancelling 2020 events.

Two other related activites were to (1) apply for the US Payroll Protection Plan and (2) quickly identify other revenue streams for the Foundation. #1 was completed but OWASP Foundation was not included in the first round of funding of this program. It should be noted that the forumlas provided by the Federal Government cap our loan amount at $41,552 meaning that while it would help; it is not a transformative impact. #2 resulted in the Virtual AppSec Days (more details below) which have already resulted in over $125,000 revenue to the Foundation.

Conferences

As directed by the Board to design and implement quick revenue opportunities to backfill 2020 revenue lost from the postponement of Global AppSec Dublin, the staff launched Virtual AppSec Days registration on 7-April. Given the urgency of the Board’s request, staff elected to select from previously accepted CfT submissions instead of the longer process to open a fresh CfT.

As of 25-April, the conference has 1,165 Conference attendee registrants, 242 Training registrations, and 85 CtF registrations. Our marketing has led to over 17K visitors to the registration site. The event is expected to gross over $125,000 with a forecasted profit of at least $75K. Our custom-build registration tool has been reliably processing registrations and will save the Foundation at least $4,250 compared to having used our previous provider or Eventbrite.

Needless to say, standing up, launching and preparing for an event like with so many unfamiliar tools on such an aggressive timeline has been extremely stressful for staff. Emily, Sibah, and Harold deserve a great deal of thanks for making this event happen - incredibly so successfully, on an absurd timeline. Following the close of this event, staff is already brainstorming ways we could add this concept to our evergreen programming.

San Francisco CfT and CfP closed with 53 and 172 submissions respectively. Kelly has already been actively selling the event and has $398K contracted revenue with $120K in the sales pipeline. Over the past three weeks, selling results have been soft due to COVID-19 and general market uncertainty. We are tracking to plan on key milestones which can be found, along with contracted sponsors at https://owasp.org/www-staff/projects/202010-Global-AppSec-SF

As part of our COVID-19 plan we have secured (but have not signed) a contract with the same venue in SF for 2021. We requested, and were given concessions, if we still need to cancel the 2020 event without force maejour. We have also received our contract for Berlin 2022. Both of these items are on the April 2020 Board agenda for approval.

Lisa submitted an updated DEFCON application for a larger booth. Staff will be coordinating with the Outreach Committee on this Global Partnership effort. Plans for BlackHat US are underway for August 1-6 and BlackHat Asia has been rescheduled to September 29 - October 2, 2020. OWASP will be participating in both events.

Website

SEO engagement will end the first week of May. Search visibility since site launch in January is down only 0.63% which would be considered a best in class metric for a site with such a complicated content remapping need. In addition to ensuring our URLs were remapped the firm with Harold’s help also performed keyword research & mapping, 301 redirect mapping, xml and html sitemap creation, schema markup design, title tag & meta description optimizations, 404 page recommendations, duplicate content analysis, broken link analysis, on-site competitive analysis, branded search audit, and Cloudflare and server migration support.

Work is proceeding with our DNS/VM migration. DNS is now serving from Cloudflare which also gives better caching leading to a 10% increase in site response time down from an average 330ms to less than 300ms. The wiki is in the process of being moved to a new, more affordable hosting VM. There was an effort to static-fy the wiki to remove MySQL dependencies but that effort requires more research. More details can be found https://owasp.org/www-staff/projects/202003-DNS-VM-migration.html

Content migration by Chapters and Projects has slowed with 156 of 271 Chapters (57.5%) and 88 of 151 (58.3%) Projects yet to migrate. Chapter page migration, along with new chapter activity can be monitored at https://owasp.org/chapters/status/

Community Review Process

Tricia (Virtual resource) has been assisting me in developing the Community Review Process. I would expect this item to be ready for Board review at our May meeting. Rather than just tossing up a tool to collect feedback, I have instead chosen to develop a process that not just collects feedback, but also defines roles, participants, a methodology to process conflicting data, reporting, and then delivers a final work product.

Staffing

Following last month’s Board discussion, we closed on a final Sr. Events Manager candidate. We are in the compensation negotiation phase with our preferred candidate.

We have been reassigning roles between Dawn and Lisa. The substantive change is Dawn will no longer have primary responsibility for Community and Chapters allowing her to solely focus on operations and as our internal accounting interface to Virtual. Lisa has very willingly accepted several new responsibilities as part of this transition. There are some additional alterations yet to complete on workflows but no issues are expected.

IT Retooling

Copper migration continues. We have migrated Chapter, Project, and Committee information into the system. Kelly has been updating Opportunities so we can more transparently monitor pipeline and invoicing. Hopefully before 1-June the CRM will be ingesting Membership, Donation, and Event transactions. Some early testing has verified the functionality, it is now just a matter of defining requirements and building some light tools to animate this effort. We do not anticipate any major issues with this migration.

Finally, Harold and I have been brainstorming integrations between our website and Meetup. We have also been discussing a backup plan for replacing Meetup if their business model continues to change. It is also notable that Meetup currently costs ~$32K per year so even today it is not trivial.

Miscellaneous

• As always, most major staff projects are all listed with milestones at https://owasp.org/www-staff/