September 2020 Minutes

Board Minutes - September 22, 2020

Meeting Details

  • Time: 12PM US Eastern, UTC 1700
  • Location: Remote

Meeting Recording

CALL TO ORDER

Board Members

  • Gary Robinson
  • Sherif Mansour
  • Vandana Verma
  • Owen Pendlebury
  • Martin Knobloch
  • Grant Ongers
  • Richard Greenberg

Guests

  • Andrew van der Stock
  • Mike McCamon
  • Tom Pappas
  • Dawn Aitken
  • Kelly Santalucia
  • Lisa Jones

AGENDA

Approval of Minutes

Chair: Are there any corrections or further corrections to the minutes?

Motion: “There being no corrections to the minutes, the minutes are approved as read.”

REPORTS

Organizational KPIs

- Membership                3,138         -1.31% less members than last month
- Momentum:                 521,546       65.62% more visitors than last month
- OSD Funding SLA met       89.5%         77.4% last month
- NFRSD Non-funding SLA met x%            y% last month (new report coming)
- YTD net income            $ (210,800)   $ (42,500) less than last month
- Cash assets               $ 1,431,894   $ (86,783) less than last month

Financial

Note from Tom Pappas:

We did have an issue this month. These financials do not have any August 2020 activity from OWASP VZW as we no longer have access to the ING accounts. There has not been much activity the past few months from OWASP VZW so this should not cause much of a variance but wanted to make sure I noted this up front.

Note from Executive Director:

Martin had an update to the Board at the Face 2 Face that he is actively trying to recover access to the account. I am working with Virtual to determine a multi-currency bank we might be able to migrate to, as continued inability to access our funds and ING’s lack of contact options is unacceptable.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $1,344.6K as compared to the budget of $1,403.6K. The results are WORSE by $59K, with Conference income being $123.6K ahead of the 2020 budget/Zforecast, offsetting the other revenue lines that were under budget (Membership and Donations).

Expenses: Total spending YTD 2020 is LESS than budget by $82.3K due to underspending in most of the depts. Conference expenses are over budget by $123.9K (AppSec Cali 20, 20 SnowFROC, 20 NZ Day and 20 Seasides), and offset by the underspending in all depts except for Professional due to the Trade mark legal efforts and the 2019 Audit fees.

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis is <-$210.8K>, which is BETTER than the YTD 2020 budget/Zforecast of negative -<234.2K> by $23.4K or $106.1K WORSE than the July 2020 positive variance of $129.5K. We are now starting to see the effects noted in the Zforecast and the forecasted reduced revenue due to the loss of in person events, which we have come to rely on.

Chapter Funds: US bal is $829.9K which is flat from the Jul 20 balance. EU Ch bal is $64.2K. Also US Proj bal is $184.5K (which is down $1.5K from the Jul 20 bal). EU Proj bal is $-9K.

See below for the full finance report

Executive Director Report

This month has been extremely busy, more so than usual:

  • Contract review by Schawbe is well underway. We have counsel present today to give an overview to the Board on the changes they are recommending to the reviewed policies and contracts. Additionally, in light of the issues around the August Special Meeting, I have asked them for a quote on providing counsel to the Board for our monthly meetings. If the Board wishes to investigate that after their Board training, please ask questions today to give more background on how that might work.
  • The Global Board of Directors election is now underway. Candidates have now been announced, and we are expecting the Candidates to complete video responses to the community's questions.
  • AppSec Virtual organization is well underway, with many speakers having recorded their talks. We are awaiting two keynote speakers to contact us, which is disappointing, but we will continue to work with them, and prepare a Plan B in case of continued non-communication. We appreciate the event sponsors and Corporate Members who are supporting this event, as well as all training and paid attendees.
  • Operating Plan 2021 is being finalized. A close to or actually final draft is attached for your reference.
  • A draft Events strategy is found below. We will not be in a position to choose an option until after AppSec Virtual has concluded and its profitability and impact on our budget is determined.
  • I met with the Board over two weekends on our first virtual face to face. The advice and direction obtained from these meetings has been invaluable.
  • Policy Review Committee has addressed many comments and has finalized three policies, which are below for your approval.
  • Due to continuous unresolvable issues with PayPal over the last many months, hundreds of wasted staff hours, and several outstanding refunds and trainer payments being unable to be processed, we will be deprecating PayPal immediately, with a view to closing two of the three PayPal accounts, and keeping one for emergency use only. We will be moving solely to ACH / batch / SWIFT payments, and Stripe. This will help us with financial controls, reduce costs, and prevent delayed payments or refunds to trainers and attendees.
  • There is continued non-compliance with the Regional Events policy. We nearly didn’t have a 760 attendee OWASP Africa event two weekends ago because we had no idea it was due to run, and they had no access to a very large Zoom webinar room, which we of course provided immediately. Other events are on the cusp of either being approved (AppSec IL) or cancelled (AppSec Indonesia) due to leaders either complying with or not following policy as the case may be. The continued lack of compliance with one of our oldest and most successful policies is extraordinarily disappointing, as OWASP leaders have run literally hundreds of successful regional events since this policy came into being more than 8 years ago. We want more regional events, more contact with our mission, more event sponsorship, and more support for our leaders. We cannot do this if folks believe they can bypass the policy and ignore our support. Everyone, including these events, is all the poorer for the lack of compliance. We will be conducting an education campaign around this to encourage more virtual regional events, and to help leaders get back on track with sponsorships, help, and the new regional model. This is a perfect time to run mid-sized virtual events all over the world. It’s simple, fast, and we have all the resources any virtual regional event needs for very little money indeed.

I will prepare with Grant Ongers a revision to the finalized membership policy to allow optional complimentary membership for active leaders. After working with the staff, the earliest this could take place is November 1, 2020. Therefore a motion to move these changes will be due at the October board meeting.

E-VOTES AND OTHER VOTES HELD BY THE BOARD

Motion to endorse temporary suspension of a member by the Executive Director

Motion: “It is resolved that the action by the Executive Director, Andrew van der Stock, to temporarily suspend and refer an OWASP leader to the Compliance Committee for review is supported by the Board.” Grant Ongers motions, Vandana Verma seconds

Note: this vote was held during the Board’s September Face to Face strategy meeting on September 12, 2020. The following vote was minuted by Andrew van der Stock. A recording exists of this meeting in case of any disputes.

Vote

  • Martin Knobloch - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Owen Pendlebury - Yes
  • Sherif Mansour - Absent with apologies

Passed: 6-0

Motion for Josh Sokol honorary membership

Background: Andrew van der Stock asked for the Board to consider Josh Sokol for honorary membership. Josh has been involved in the OWASP Foundation since 2007. He was instrumental in the growth of the OWASP Austin Chapter and is a co-Founder of the LASCON Conference. Josh was the Chair of the Global Chapters Committee. He served on the Global Board of Directors for four years. Josh is still actively contributing to OWASP through his leadership role with the OWASP Austin Chapter, his continued support of the LASCON conference, and time spent reviewing OWASP policies. Andrew believes Josh’s long standing contributions on behalf of OWASP and his local community meets and exceeds all of the criteria for honorary membership, and vouches for Josh Sokol.

Motion: “Even though I disagree with Josh on almost every topic, Josh has done amazing things for OWASP over a very long period of time, including being an Austin chapter leader for a long time, running LASCON, and being an ex-Board member. I vouch for Josh to be an honorary member.” Richard Greenberg motions, Grant Ongers seconds

Vote

https://doodle.com/poll/qkpd658mn9pviq2b

Replace with vote during meeting since there was no sponsor for the motion

  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Abstain
  • Martin Knobloch - No

Passes: 4-1 (Abstain: 1)

NEW BUSINESS

Motion to operationalize temporary infractions of Code of Conduct - TABLED

Motion: “It is resolved that the Foundation shall draw up a policy to operationalize rapid, escalating, and time limited responses to continued breaches of the OWASP Code of Conduct by participants and members. If the behavior is continuous, unlawful, or egregious, the policy should refer to and rely upon the existing bylaw governing the Board’s power to revoke membership.” Vandana Verma motions, Grant Ongers seconds

Motion to approve reviewed policies

Motion: It is resolved that the following three policies are approved, which have completed the policy review process. The Foundation shall upload them within 30 days of this vote:

Feedback for these policies has been published to the global-board list. Sherif Mansour motions, Richard Greenberg seconds

Vote:

  • Grant Ongers - Yes
  • Gary Robinson - Yes
  • Martin Knobloch - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Sherif Mansour - Yes

Passes: 6-0

Motion to approve a new Committee policy - TABLED

Background: The current Committees 2.0 policy doesn’t give clear guidance on many topics, including formation, activity, expenses, programs, and fiduciary duties, and has a lot of extraneous informational text in there that properly belongs in a Committee Handbook. This policy brings the formation into line with a standing committee documented in RONR 12th Edition 50:7, and makes sure committees are responsible for coming up with a program of works and delivering outcomes, and not just as an advisory board.

Motion: “It is resolved that to promote the creation of additional core committees to enumerate the powers devolved to Committees, with appropriate checks and balances to comply with legal, tax and other regulations and safeguards to protect the Foundation and Board, that the following Committee policy is approved. Existing Committees will transition to the governance model of this Committee policy. OWASP’s bylaws should be amended to allow the devolution of certain Board responsibilities and activities to committees as follows:

Change from

Establishment. The Board of Directors may, by resolution adopted by a majority of the Directors in office, establish one or more Advisory Boards or Committees. Committees will be held to the core purpose and core values as outlined in Sections 1.02 and 1.03. Committees will be structured according to the guidelines in Policy and Procedure.

to

SECTION 5.01 Committees

Establishment. The Board of Directors may, by resolution adopted by a majority of the Directors in office, establish one or more Board sub-committees (e.g., fundraising, finance, audit, or executive), Advisory Boards, or Committees. These will be held to the core purpose and core values as outlined in Sections 1.02 and 1.03. Committees are formed and governed by the Committees Policy, and are limited to the Charter's purpose and scope. As a Committee Charter might devolve powers currently held by the Board or the Foundation to the Committee, any such devolution to a Committee will require a 2/3rd majority vote.

Sponsor: TBA Second: TBA

Motion to establish a Project Committee

Motion: “It is resolved that a Project Committee be established under the most recent approved Committee policy, with the Committee purpose to provide mentorship and guidance for all OWASP projects, promote project activity, evangelize OWASP projects publicly, and to advise the Board or Foundation on bylaw or policy changes.” Sherif Mansour motions, Vandana Verma seconds

Vote:

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Vandana Verma - Yes
  • Richard Greenberg - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 6-0

Motion to approve new Operation Plan

Motion: “It is resolved that the Board approves of the OWASP Foundation’s 2021 Operation Plan, and directs the Foundation to publish the Plan to the owasp.org website and to start executing the Plan as soon as possible, reporting back at least quarterly on progress.” Sherif Mansour motions, Grant Ongers seconds

Vote

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Vandana Verma - Yes
  • Gary Robinson - Yes
  • Sherif Mansour - Yes

Passes: 5-0

Discussion on 2021 Events Strategy - TABLED

The new events strategy proposes a full calendar of virtual events for the Foundation in 2021. There are two major options, which it is not possible to pick at this time until the financial performance of AppSec Virtual is understood. We will be bringing the Events strategy to a vote in November 2020.

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

Motion: “The next scheduled Board meeting will be held during AppSec Virtual on Tuesday October 20, 2020 at midday US EDT, one week earlier than normal to allow public participation. It is moved and seconded to adjourn. Those in favor, say ‘aye’.” TABLED

Staff and officer reports

Finance (Tom Pappas)

We did have an issue this month. These financials do not have any August 2020 activity from OWASP VZW as we no longer have access to the ING accounts. There has not been much activity the past few months from OWASP VZW so this should not cause much of a variance but wanted to make sure I noted this up front.

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for August 2020 which represents financial performance for the 7th month of Fiscal year 2020. I have included the 2020 approved budget for the first 4 months and the approved Zforecast for May, June, July and August. All amounts are combined with the EU and converted to USD in these reports.

One other note, while through August 2020 from a Net Income perspective, the Foundation continues to do “ok”, as compared to the first 4 months of the approved Budget and May, June, July and August of the approved Z forecast, specifically due to the efforts of Mike, Emily and the team pulling off successful “on line” events, this will not continue due to the uncertain and turbulent nature of the world, which is why the “Z” forecast, voted in at the April board meeting, is now being used for comparison purposes. This is particularly evident with the Pandemic effects, as we have noted many times for the past 6 years the Foundation has become an events driven organization and relies heavily on the income from them. With the Pandemic halting travel and in person meetings we need to be VERY cautious as to how we spend the funds of the Foundation as revenue will most certainly trail expenses for the remainder of FY20 and possibly FY2021. Also of concern is the deferred revenue balance of $483K for events that originally were supposed to be in person (SF and Dublin) that will now be on line events. So there is some “RISK” that some of these sponsors may ask for refunds due to the events being held on line as opposed to in person events as originally planned.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $1,344.6K as compared to the budget of $1,403.6K. The results are WORSE by $59K, with Conference income being $123.6K ahead of the 2020 budget/Zforecast, offsetting the other revenue lines that were under budget (Membership and Donations).

Expenses: Total spending YTD 2020 is LESS than budget by $82.3K due to underspending in most of the depts. Conference expenses are over budget by $123.9K (AppSec Cali 20, 20 SnowFROC, 20 NZ Day and 20 Seasides), and offset by the underspending in all depts except for Professional due to the Trade mark legal efforts and the 2019 Audit fees.

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis is <-$210.8K>, which is BETTER than the YTD 2020 budget/Zforecast of negative -<234.2K> by $23.4K or $106.1K WORSE than the July 2020 positive variance of $129.5K. We are now starting to see the effects noted in the Zforecast and the forecasted reduced revenue due to the loss of in person events, which we have come to rely on.

Chapter Funds: US bal is $829.9K which is flat from the Jul 20 balance. EU Ch bal is $64.2K. Also US Proj bal is $184.5K (which is down $1.5K from the Jul 20 bal). EU Proj bal is $-9K.

POINTS of NOTE:

With regard to Operating cash, the Liabilities (AP, accrued expenses, PPP loan, deferred revenue for events such as AppSec EU, LASCON, AppSec US etc. that may not happen) of $585.2K added to the $1,069K of Ch/Proj balances is $1,654.5K, as compared to the $1,345.1K of cash, leaves us a Negative Oper. Cash balance of $309.4K, if all the Chapters and Projects spent all their funds (I have held out the $113K of PPP federal funding as the chance of it being forgiven is fairly high). This Oper cash deficit is $57K MORE than it was at the end of June. Also Open AR is $127.7K which is down $50K from the June balance of $277K, which when collected would “Almost” balance out the Oper cash deficit. While we are not currently in a “cash” deficit position, we do need to be cognizant that with the continued travel and meeting restrictions on gatherings which has severely affected our events, if we do not make some of this up with our on line offerings (SF needs to meet or exceed the current estimates) our cash position will worsen as we move through the rest of the fiscal year. I did see the email noting that AppSec Cali has been cancelled as an “in person” event. It would greatly benefit the Foundation if we were to put on a significant “online event” in its place, not only to help with our Cash flow, but being the first event coming out of the Holidays, could be a significant opportunity for us.

At this point in the year with all that is going on while we are still ahead of budget for Net Income we do need to start to focus on next year as the effects of the Pandemic are not estimated to ease, allowing travel and in person meetings until the fall of 2021. To that end we need to make sure we are providing value in our “online” events not only for the registrants but for our sponsors as well.

I have the next board call as Tues Sept 22nd 2020 and I will be attending along with Marissa Oakley who has begun to work on the OWASP financials with me. Be safe everyone.

Membership Manager (Lisa Jones)

64 Chapter pages have been non responsive for 9 months to migrate/create chapter pages on new owasp.org website. Notifications sent via: Mailchimp, Meetup, Connector, leaders list, and owasp.org website.

  • 36 Chapter pages need to remove the template from the index.md file.
  • 29 will need a second leader.

Detailed Membership report

Operations Manager (Dawn Aitken)

  • Elections are proceeding as scheduled
  • The payment option PayPal will be removed from our system due to ongoing issues
  • Anyone who has not done so, please purchase your copy of Robert's Rules of Order

Director of Projects and Technology (Harold Blankenship)

Work continues on the automation; we are nearly complete with having membership getting automated into Copper (I say nearly because I want to see some come through and make sure they are right).

  • SecureFlag update: current Month-to-Date cost is running $635.55. Forecast to be 815 for the month.
  • 11 new projects in the last 60 days.
  • 1 project promotion

Director of Corporate Support (Kelly Santalucia)

Global AppSec 2020 Virtual event Status

  • Amount paid (signed contract, invoiced and paid): $210,500
  • Amount in outstanding Contracts sent: $27,500 (waiting to receive back the signed agreement)
  • Amount in open invoices $52,500 (contract signed and invoice sent, just waiting on payment)
  • Grand Total of all 3: $290,500 and I am still pushing to sell more

Additionally, not included in the above numbers, we have 9 companies who had signed their F2F agreement but have not yet signed the amended virtual agreement. Of these 9 companies, 8 of them had previously paid totaling: $80k/USD. The remaining company that has not signed its amended virtual agreement and who has not paid totals $15k/USD. I am confident that at least 5 of these 9 companies will be signed within the next week (totaling $50k/USD)

Director of Events (Emily Berman and Alonna Stock)