April 2021 Global Board of Directors Meeting Minutes

Meeting Details

Agenda

CALL TO ORDER

Board Members

  • Owen Pendlebury
  • Martin Knobloch
  • Grant Ongers
  • Vandana Verma
  • Joubin Jabbari
  • Sherif Mansour

Guests

  • Andrew van der Stock
  • Tom Pappas
  • Dawn Aitken
  • Kelly Santalucia
  • Harold Blankenship
  • Lisa Jones
  • various community members

CHANGES TO THE AGENDA

  • n/a

APPROVAL OF MINUTES

Vote

  • Owen Pendlebury - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Vandana Verma - Yes
  • Joubin Jabbari - Yes
  • Sherif Mansour - Yes

Passes: 6-0

REPORTS

Directors can find staff reports after the agenda.

Organizational KPIs

KPI             April       Delta
Members         3818        0.03%
Visitors        3.9m        79%     (now using Cloudflare numbers)
OSD SLA met     33.4%       -66%    (clearing out backlog)
NSFR SLA met    91.1%       -5.89%  (clearing out backlog)
YTD net income  ($13.4k)    $96.5k  better than YTD budget
Cash assets     $1,332,401  $205.3k better than YTD budget

KPI Summary

Finance Summary

Project status

Delivered April                       Delayed                         Due in May
Merchandise                                                           Business continuity plan draft (Next)
Chapter Reactivation (due April 30)                                   Inactive chapters removed
Regional Membership Drive                                             Membership portal (Later)
Brain Break (India)                                                   May training
Reach out to Event committee members                                  Vote on Event committee
Events committee charter (draft)                                      Vote on Event charter
Events in a box (draft)                                               Handover to Events Committee
COVID temporary restrictions update                                   COVID temporary restrictions update
Conflict of Interest Policy (draft)                                   Conflict of Interest review
                                      Expenses policy draft           Expenses policy review
                                      Events policy draft             Expenses policy review
Outreach Committee Re-Charter Vote
Marketing experiments                 Marketing strategy draft        Marketing strategy milestone
                                      Mission statement announcement  Mission statement town halls
Partnership Evaluation Scorecard                                      Partnership Policy (Later)
                                                                      EU Board meeting

Comments

  • Next membership drive will be in July
  • Tom Pappas set up a DUNS # for the Foundation
  • Tom Pappas introduced Virtual, Inc.’s new CFO, Mauro Lance
  • PP1 - has been submitted
  • PP2 - will be submitted by the next Board Meeting

e-Votes to read into minutes

Motion to requalify candidates

Background: Given the confused and unclear state of the membership list(s), the recently uncovered corner case where membership status was not correctly communicated, and the uncertainty (of whether one’s membership is in good standing or not, whether one can stand for the Board, vote in the elections, or participate as an OWASP leader) attached to that I would like to propose the following motions:

Motion: “Resolved, that up until the week before the 2022 Board election being called, any member affected by any of the following conditions:

  • The lack of notification for renewal failing to be sent by the Foundation (for example, as described to the Board during the March public board call);
  • The membership renewal service not being operational during an attempt to renew within 24 hours of expiration, and the member then informed the Foundation of this fact; or
  • A Foundation-side operation issue which recorded a membership as having expired when it had not

be given one week to correct their membership status from the moment the Foundation informs them of their lapse, and for their membership to be considered uninterrupted for the duration for all intents and purposes.”

  • Sponsor: Grant Ongers
  • Second: Joubin Jabbari

Vote: https://doodle.com/poll/edsnp34mgxzu6sqn

Sherif Mansour:  Yes
Vandana Verma:   Abstain
Bil Corry:       Yes
Grant Ongers:    Yes
Owen Pendlebury: Yes
Martin Knobloch: Yes
Joubin Jabbari:  Yes

Vote passes six yes, one abstain. - POSTED

Subsidiary Motion: Single source of truth for membership data

Background: Given the confused and unclear state of the membership list(s), the recently uncovered corner case where membership status was not correctly communicated, and the uncertainty (of whether one’s membership is in good standing or not, whether one can stand for the Board, vote in the elections, or participate as an OWASP leader) attached to that I would like to propose the following motions:

Subsidiary Motion: “Resolved, that the combined unique individuals across the three current sources of membership information (the Foundation’s Copper CRM; mailing list, MailChimp; and automated payment system, Stripe) for whom an expectation of active membership exists, be considered fully qualified members in good standing as of the 1st of June 2021. These three lists are merged into a single source of truth. Any cases of doubt (around the validity of membership or remaining duration of membership) be resolved in favor of the member concerned.”

  • Sponsor: Grant Ongers
  • Second: Joubin Jabbari

Vote: https://doodle.com/poll/isbaqbgrd7grzkch

Sherif Mansour:  Yes
Vandana Verma:   Abstain
Bil Corry:       Yes
Grant Ongers:    Yes
Owen Pendlebury: Yes
Martin Knobloch: Yes
Joubin Jabbari:  Yes

Vote passes six yes, one abstain. - POSTED

NEW BUSINESS

Motion to approve the Outreach Committee Charter

Background: The Outreach Committee has worked on a revised Charter under the new Charter policy. A representative has been invited to this meeting to discuss the charter with the Board.

Motion: “Resolved, the Board approves the Outreach Charter as found here.”

  • Sponsor: Grant Ongers
  • Second: Vandana Verma

Vote

  • Owen Pendlebury - Yes
  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Vandana Verma - Yes
  • Joubin Jabbari - Yes
  • Sherif Mansour - Yes

Passes: 6-0 POSTED

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Discussion on good standing bylaw changes - TABLED

Background: The Foundation Staff disagree with how the main and subsidiary e-vote motions have been framed. The motions read as a failure by the Foundation, rather than as a failure by candidates or Director in a difficult to enforce and apply bylaw rule. The Foundation Bylaws and Director’s Commitment Agreement both require the Director to maintain good standing. There is nothing in our bylaws or policies that requires the Foundation to notify a Board member or candidate of their membership renewal or ensure that our technical systems are functional. We have technical systems in place to determine if the message was received and opened. Additionally, there have been no examples of the second point since the new system became operational in February 2020. We have corrected all of the third points.

The Foundation staff urge the Board to reform the bylaws around eligibility and good standing. The goal should be to make it simpler and more equitable for candidates and remove reliance on technical systems. The Board could do such a change by removing the 12-month prior good standing and requiring all Board members to have either auto-renewing membership or pre-pay membership dues to the end of their term or become a lifetime member.

These bylaw changes would reduce barriers to becoming a Board member and improve equity to allow all members to run, including leaders moving from complimentary membership. The grace provision protects Directors in case of Director card expiry or technical faults. Operationally, these changes eliminate manual detection of membership lapses and implied requirements to provide notifications. Lastly, they reduce the number of technical systems and processes required to function to just the payment system.

Proposed Change:

Section 3.02 - Replace:

“A Director or Candidate for the Board shall have maintained continuous membership in good standing over the previous 12 months, notwithstanding any grace periods established in these bylaws.

At the time of their election, to qualify to stand, candidates must hold an Individual membership, Lifetime membership, or hold a valid Honorary Membership. This membership must have been in place for a 12 month period prior to the date of the election.”

to:

“All Directors shall have continuous individual paid membership throughout their term. Successful candidates and Directors should use one of the membership auto-renew feature; Pre-paying membership to cover the entirety of their term; or Obtain paid Lifetime or Honorary Lifetime membership.

Director membership will be validated by the OWASP Foundation no later than the first week of January each year and reported to the Secretary at the first Board meeting.”

Section 3.15 - Replace:

“Directors and Candidates for the Board who have lapses in good standing have a grace period of 7 days to renew their membership. Directors or Candidates who fail to obtain paid individual or lifetime membership, honorary membership, or renew their previous membership within the permitted grace period will not have maintained good standing for the purposes of election eligibility. Directors may continue to vote on the Board during the grace period.”

with:

“If a Director fails to pay their membership auto-renewal, such as credit card expiry, they will have seven days to remedy the situation. If a Director fails to pay their dues after seven days, they will become ineligible to stand in an upcoming election. If a technical issue around the auto-renewal system occurs, the Foundation will have seven days to rectify the technical fault. Any affected Director will be deemed to be in good standing if action is taken to remedy the situation, and their membership considered continuous during that time.”

Tax discussion on merchandise sales for 501(c)(3) entities

Tom Pappas will answer your questions around the pros, cons, and issues surrounding merchandise sales supporting our mission.

Event Committee discussion

We are aiming to present the finalized Event Charter and create the Events Committee next month. This is a short discussion around progress, with issues, blockers, and some basic action items that will allow this to be completed next month. ajv & Kelly.

  • Event Committee meeting has been scheduled.

Presentation from Lisa Jones

Lisa Jones will give a short presentation on the results of the March membership drive and the current status of the Chapter Activity Initiative, including some issues and concerns that have arisen as a result of leaders choosing their own interpretation of policy or wilfully misinterpreting statements as policy.

Agenda and Scheduling the next executive session

In prior years, the Board has met at AppSec Global events to discuss longer and important strategic topics. Let’s quickly discuss a time to hold this in May and September / October with the wider Board. Please forward agenda topics, such as Federated OWASP entities, to Andrew van der Stock to be included on the agenda.

ADJOURNMENT

Adjournment motion

The next general Board meeting is on May 25, at 12 pm US Eastern Time.

  • https://owasp.org/www-board/meetings/202105.html

“It is moved and seconded to adjourn. Those in favor say ‘aye’.”

  • Sponsor: Sherif Mansour
  • Second: TBA


Staff Reports

Executive Director

This has been a busy month for the Foundation. We have completed several projects, and many other things besides. I look forward to seeing the merchandise store go live soon, which will allow members to assist us in fundraising, although likely in very small amounts. Our costs are not as large as expected so far, but we will be keeping a close eye on it before opening it up to all designs.

I am moving our KPI reporting to be mission centric. This may be the last month you see any reporting of our website traffic, as it’s operational in nature and a weak indicator of engagement. We need to better report on the health of our finances, projects, chapters, and events, as well as total social engagement. For now, I report the values from Cloudflare, which is a more accurate statement of our website traffic, and I’ve changed across to reporting our membership data from an internal tool developed by Harold that uses Stripe, which is the most accurate membership record we have.

For the first time in a long time, we reviewed our Director and Officer’s insurance. We renewed, upping the limit from $USD 1m to $USD 2m. Although this was a bit more than budgeted for, it’s well worth the peace of mind. We have not upped our coverage in many years. There was a small price increase for other things, but I am glad we did not have to go out to market, because COVID has made some forms of insurance extremely expensive or unobtainium. We will revisit our D&O insurance levels in another three years.

We continue to have issues with excessive compliance from our EU entity. I strongly urge the Board to consider creating a new federated governance model to be applied to all OWASP subsidiary entities, and once that is done, move the EU entity to the Netherlands or Ireland to reduce compliance costs whilst building our mission and financial capabilities.

Lastly, AppSec Australia continues to drag on. I made a recommendation to the Board to not proceed after not hearing from the organizers for over a week after a longer gap before that. Vandana and I met with Daniel, who explained his extenuating circumstances. We agreed that the Board shall discuss the matter privately, and Daniel and I will improve communications, such as ensuring that he lets us know when things are overwhelming and from our side, when things are due.

Finance

Attached, please find the preliminary OWASP Combined (converted to USD for all reports) financial pkg for March 2021, which represents financial performance for the 3rd month of the fiscal year 2021. I have included the 2021 approved budget, which I have spread on a monthly basis. I have also altered the Board summary to match the categories that the new FY 21 budget highlights. Finally, I have included a YOY Balance sheet which we will review at the Board call next week.

Income Statement:

  • Revenue: On an accrual basis, total revenue, YTD was $250.1K as compared to the budget of $186.8K. The results are better by $63.3K, with conferences, donations, and over budget by $16K and $37K and $28K, respectively. Merchandise and trademark income were a combined <$17.5K> below budget YTD.
  • Expenses: Total spending YTD 2021 is $263.5K which is LESS than the YTD Expense budget of $296.6K by $33.1K due to Chapters, Outreach and Project expenses being UNDER budget by $48.1K, offsetting EDU, WIA, Events, Fundraising, and G&A, which combined is over $14.9K (individual accounts have minimal overages).
  • Net Income/Loss: YTD 2021 Net income, on a combined accrual basis, is Negative $13.4K which is Better than the YTD 2021 APPROVED budget of negative <$109.9K> by $96.5K.
  • Chapter Funds: US bal is $855.64K (up $6.8K). EU Ch bal is $60.6K (down $4.3K). US Proj bal is $219.2K (Up $10.7K). EU Proj bal is $-8.5K.

POINTS of NOTE:

Continuing the narrative theme from previous months, as of 3.31.21, our cash position was $1,140.2K, which is up $13.1K from 2.28.21 cash balance of $1,127.1K. Our avg monthly spend for operations is roughly $82K including all payroll, which is still roughly about 13.9 months of reserve, which is very good in the current environment. If we remove AP and the PPP loan ($112.7K of PPP is in the process of being forgiven. However, I will keep it here until it is), which totals $148.2K and is just over 1.8 months of reserve, taking us to an estimated 12 months of operating reserve, again a good number. Now the concern is the $1,126.7K of Ch/Proj balances.

On a good note, deferred revenue is starting to build up again at $122.3K, which is a little over one month of reserve. However, the open AR balance is $131.2K, which I am told is all collectible, so that almost offsets the deferred revenue just mentioned (though I would like to see us collect the $53.7K that is over 60 days old). Through March 2021, we are tracking a bit better than budget. We need to keep working on revenue while keeping costs down while we are still in this no-travel environment.

Chapters and Membership

See presentation from Lisa Jones in this meeting.

Events and Corporate Support

Looking for assistance with:

  • Event Committee: establishing this committee and getting them going
  • AppSec Australia 2021

Corporate Membership

  • Sold $177,800 to date, 88.9% of the budgeted ($200,000) amount for FY 2021

Full report

Operations

  • The merchandise store will be announced next week and is in final testing
  • P&Ls for conferences are up to date. We can only complete early 2021 event P&Ls once we receive the Eventbrite payment in May / June.

Projects and Technology

Projects:

  • 8 New projects in the last 60 days
  • Project Committee is re-working the Project Graduation procedures, Project Policy, and Contribution policies for projects.
  • Working with Vandana to see if the developer event can be combined with projects to create a summit/developer style event.

Technology:

  • Email for members/leaders cleanup in testing
  • Regional promotion updates
  • Membership Portal (members.owasp.org) prioritized over other automation; open to testing by staff and board members

Other:

  • Conflict of Interest draft policy in review