June 2021 Minutes

Meeting Details

  • Date: 22 June 2021
  • Time: 12PM US Eastern, UTC 1700
  • Location: Remote
  • Call-in: Zoom Meeting

Agenda

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

Staff reports, including Executive Director and Finance, can be found after the agenda.

Organizational KPIs

KPI                 June        Delta
Members             4,057       20.66%   YoY
Visitors            4,510,000   111.6%   of previous 12 month average
Chapter Meetings    61          105.2%   of previous 12 month average
Meeting RSVPs       1,103       33.1%    of previous 12 month average
YTD net income      ($12,190)            May 
Cash assets         $1,096,149           May 

KPI Summary

Finance Summary

Financial package has not been received at this point.

Old business

Motion to approve the Events Committee

NB: this may need to be tabled until July pending a status update on Events Committee members.

Background: The Events Committee will assist leaders and participants to hold high quality local and regional activities and events. It will assist the Foundation with maintaining a program committee, and assist with sourcing and organizing volunteers and so on for global events. The Committee will also advise the Board on the Events and associated policies, along with maintaining Events in a Box, and improving virtual, local, and regional budget templates and processes. There are representatives from the Events Committee here today if you have any questions.

Motion: “Resolved, the Events Committee is approved with the above charter.”

  • Sponsor: Grant Ongers
  • Second: Sherif Mansour

NEW BUSINESS

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Discussion on email cleanup

The email cleanup process is detailed in this month’s Project and Technology update. Harold will step the board through why this program is necessary, what the objectives are, how the email addresses have been selected, and what happens to them after being de-activated. No mail will be lost. We have seen yet another healthy rise in Membership as a result of this campaign. Please ask any questions that you have about this program.

Discussion on Corporate Membership

The Corporate Membership program currently comprises three tiers, with vastly different prices but the same benefits at each tier. We have a historic low of just 7 corporate members at this top tier, and we lost some rather large and long term corporate supporters arguing with them over how much money they make, where they make it, and if part of a large multi-national, but their own P&L. We should not be arguing with our largest and longest supporters about their gross income.

Andrew and Kelly will discuss with the Board a new tiered approach that includes different benefits for corporate members at the same price points, that should be more attractive to those who wish to become more engaged with OWASP. The changes include:

  • A grant of a trademark license to most sponsorship levels and discounts to those who are on the lowest tier
  • Changes to the way corporate membership is divvied up - some will end up in the expenses bucket as corporate members will be able to direct funds to a number of chapters, projects, and committees, and some will end up in the trademark program
  • Improvements to the way in which we market and sell Corporate Memberships, including renewed flyers and so on
  • Discussion on current bylaws and how they impact the design of the new program
  • Marketing and communications plan to reach out to previous, current, and desired Corporate Members, such as financial institutions

This is an operational matter, and I believe it will allow us to exceed our currently budgeted Corporate Membership number. If we were asking for a reduction in the budgeted number outside of my discretionary spending limit, I would ask for a vote. No bylaws or policy needs to change to support the new model, so in my view, there is no need for a vote. For oversight purposes, I would encourage the Board to review the changes and ask questions.

Discussion on Trademark Program Progress

The trademark program has been progressing.

Some initial enforcement of our trademark resulted in costs and lost reputation.

The trademark program focus is now to solidify our hold on our marks, and move to a positive model by including incentives to license our trademarks through Corporate Membership. Subsequent milestones include:

  • Filing for US trademarks (completed in July 2020)
  • Filing for EU trademarks (completed in June 2021 - now fully registered after opposition to OWASP was withdrawn)
  • Madrid filing in 13 countries (completed, waiting upon the waiting period to confirm any disputes)
  • Argentina and Chile trademark filing (in progress)
  • Australian filings moving to our US agent (in progress)
  • Get lawyers to provide a trademark license agreement for the Corporate Membership and individual license agreements
  • Develop a direct licensing model without Corporate Membership based around the presentation to the Board last year by Mike McCamon (not started)
  • Escalating enforcement as a last resort (Halted until the end)

Corporate Membership, Individual Licensing, and Enforcement milestones will come with a comms plan to market and communicate these changes to the community.

Materials:

ADJOURNMENT

Adjournment motion

The next general Board meeting is July 27, at 12 pm US Eastern Time.

“It is moved, and seconded to adjourn. Those in favor, say “aye””

  • Sponsor: Sherif Mansour
  • Second: TBA


Staff Reports

Executive Director

The Chapter Re-activation program has come to an end. From here on, Chapter management is now business as usual. We will continue to automate to policy now that Chapter data is now in a known-clean state. See below for more details. I worked with Lisa and Dawn and wrote a tool to automate the discovery of anomalies and status. This dramatically improved productivity and will end up being the basis for future notifications to chapter leaders who want to know how to get to the next level.

The NIST Executive Order workshop was okay. We were not selected to speak, but I made a lot of points on the chat, and we have been invited to participate in the SSDF secure development lifecycle framework working group. This is a good start, but not as good as I had hoped. I will continue to engage with NIST on this because I still believe OWASP has a key role to play in delivering the Executive Order.

Corporate Membership program has been progressed, and is discussed above. This is hand in hand with the trademark marks being readied around the world for licensing. We need to ensure all marks are ready for licensing before we go to market, and we need to ensure that there’s a legally enforceable contract or license.

Event training splits have been improved, and will be socialized with prominent trainers and the Events Committee. This will encourage more trainers to train with us, whilst respecting that OWASP is not a commercial entity. We wish to maintain our low cost training offerings to ensure more people can attend and learn from OWASP trainers.

I engaged Virtual’s VP of Marketing to develop a strategic marketing plan for us. I hope to have that to hand by the August Board meeting, but implement many of its recommendations before then. Marketing is a missing piece of the puzzle for us. We’ve never really done it before, and what marketing we’ve had is usually single event focused and simply promotional in nature. Marketing is more than simply advertising, it’s reaching and engaging with new audiences. We do not have this skill set, and if we want to reach our mission target (developers), we need a plan, and we need to execute it on very little money indeed.

The Events Committee remains in limbo. We need one or two more “officers” for the Committee to be formed. The charter exists, and there is a lot of support for the committee, but it’s important that we have sufficient OWASP members motivated to be on the Events Committee to help all local and regional events get back on their feet over the coming years as we return from COVID lockdowns.

I met with some of the AppSec Cali organizers. I am hopeful that we can hold a scaled back AppSec Cali early next year. This will require a board vote to redirect some funds, but we are also looking into if event sponsors would be interested in booking on early to cover deposits and other costs before I raise a vote.

The updated Project policy is in review, and the comment period is drawing to an end. This should be ready for being voted on by July’s board meeting.

The updated Events policy is now in draft. I hope to have that ready for your vote in July. Please review.

The updated Expenses policy is nearly ready. The other operational fires kept this one from being published, but it’s very close. I hope to get this into review such that it also can be reviewed prior to the July Board meeting. This is the last of the macro reforms I have in mind, and once in place, we can concentrate on operational delivery and improvements.

As this is a light month this month, I encourage the Board to consider the platform that they were elected to do, and consider raising motions or working with me on the 2022 Operating Plan to get it done next year. I need to get the 2022 Operating Plan ready by November at the latest, so we can work on the budget for next year to be voted on in the January 2022 Board meeting. I am keen to work with you on your platform and agenda.

Finance

I want to apologize for the delay as we were scheduled to close the books this week with the board meeting next Tues the 29th, however with it being a week early we finished the close today.

Attached please find the preliminary OWASP Combined (Converted to USD for all reports) financial pkg for May 2021 which represents financial performance through the 5th month of Fiscal year 2021. I have included the 2021 Approved budget which I have spread on a monthly basis.

I have also altered the Board summary to match the categories that the new FY 21 budget highlights.

As this is the May 2021 fin pkg, I have added Q2 2021.

Income Statement:

Revenue: On an accrual basis, total revenue, YTD was $453.2K as compared to the budget of $290.9K. The results are Better by $162.3K, with Conference, Donations and, being over budget by $90K and $72.6K and $28.7K, respectively. While Merchandise, and Trademark income were a combined <$29K> below budget YTD. On a quarterly basis combined Actual was better than budget by $99K with only Merch and Trademarks under budget.

Expenses: Total spending YTD 2021 is $465.4K which is LESS than the YTD Expense budget of $485.5K by $20.1K due to Events, Outreach and Project expenses are UNDER budget by $46.K offsetting EDU, WIA, Events, Fundraising and G&A (the majority of the overage is Legal expenses), which combined is over $K (individual accounts have minimal overages). On a quarterly basis Actual expenses were $26.4K UNDER Budget as all depts were under budget except for minimal overages in Events, WIA EDU and Fundraising most likely due to the allocation of Staff time for the qtr to date. On a Qtrly basis we are over $13K, due primarily to Meetup costs for April and May of $22K.

Net Income/Loss: YTD 2021 Net income, on a combined Accrual basis is Negative $12.2K which is Better than the YTD 2021 APPROVED budget of negative <$194.6K> by $182.4K. On a quarterly basis the Actual Net Income was Positive $1.2K which was better than the Budgeted Negative $84.7K by $85.9K.

Chapter Funds: US bal is $852.5, EU Ch bal is $65.7K. US Proj bal is $216.5K. EU Proj bal is $-8K. All balances are slightly down from the previous month

POINTS of NOTE:

Continuing the narrative theme from previous months, as of 5.31.21 our cash position was $1,096K which is DOWN from 4.30.21 cash bal of $1,124.5K. Our avg monthly spend for operations is roughly $85K including all payroll, which is still roughly about 12.9 months of reserve, which is very good in the current environment. If we remove AP and the PPP loan ($112.7K of PPP is in the process of being forgiven, however I will keep it here until it is) which totals $133K (down $1.4K from 4.21 bal) and is just over 1.5 months of reserve, taking us to an estimated 11.4 months of Oper. reserve, again a good number. Now the concern is the $1,127.1 (down $3K, from the 4.21 bal) of Ch/Proj balances. On a good note, Deferred revenue is starting to build up again at $122.7K, which is a little over one month of reserve. The open AR balance is $161K which is up $54K from 4.21 Bal. Through May 2021 we are tracking a bit better than budget and we need to keep working on revenue while keeping costs down, while we are still in this no travel environment.

Chapters and Membership

(Update from AJV)

The Chapter Re-activation program has come to an end. From here on, Chapter management is now business as usual. We will continue to automate to policy now that Chapter data is now in a known-clean state.

This program was necessary because Chapter policy wasn’t processed at all for a number of years, resulting in many inactive chapters. So instead of the normal background of 5-10 chapters a month going inactive or being created, we had 3-5 new chapters/month and no deactivations for at least 36 months. This could have meant 180 chapters going inactive at once if the focus was just de-activation. In the end, we got most re-activated, and only 49 were truly inactive, a rate of 1-2 chapters a month if only policy had been followed. This shows why not managing to policy is a terrible outcome for chapter participants and OWASP in general and creates community and leader discontent. We should never accept or normalize inactivity.

Despite challenges, and some early missteps, the program has been highly successful at engaging new leadership, sustained new meetings, and more meetings for our members all over the world. I know it doesn’t feel that way to a few chapters, and there were definitely some early challenges and missteps that de-activated otherwise active chapters. This showed both discrepancies in our policy, and a misunderstanding by some as to what a “chapter activity or meeting is” under the old or new policy. I allowed some latitude with policy to leaders who engaged in the process, and they are all now active. I apologize to anyone who was de-activated without looking into it deeper, and we will make it clearer to leaders what is both technically wrong and policy non-compliant in the future and especially before we automate chapter management. We have improved our processes after the first week or so of April, and no more surprises came to light after that.

As of this writing, there are no more chapters to be de-activated, but we are waiting on several chapters to respond if they need Meetup as they don’t seem to be using it, and encouraging a number of other chapters as BAU to hold meetings and improve their web page. This will not lead to de-activation or re-activation, as these chapters are all now active.

Stats:

We now have

  • December 2020: 276 - number of chapters starting out this process. Only 156 were “active” by our current policy definition, but most were dormant. We gave all chapters a chance to hold a single meeting between February 1, 2020 and March 30, 2021, and many did.
  • March and April 2021: 120 chapters potentially to be de-activated. We worked with the community to obtain new leadership and hold new meetings. Despite issues and missteps, this turned out to be very successful, with many chapters having their existing leadership working on new meetings, or new leadership installed and holding new meetings. We improved our processes through the feedback obtained through meeting with chapter leaders.
  • June 2021: 227 actually active chapters. All active chapters held at least one meeting since February 2020, and have two leaders. This is 71 more than at the start of the program.
  • June 2021: 49 chapters have been de-activated for a variety of reasons, but primarily no communication with the ex-leaders and no one from that community wishing to take up chapter leadership.

We should see a minor change in our Meetup bill as a result, because more chapters were given Meetup than had them, and the number of deactivated chapters who no longer have meetups are less in total than the total number of reactivated chapters. This is okay as long as the newly revitalized chapters actually hold meetings using Meetup. This will be a focus of automated monitoring to ensure that chapters with Meetup are actually using it.

We will be running a small number of technical campaigns to bring their sites up to the latest technology, but this will probably not need the Leader’s assistance, such as replacing old Donation, Membership, etc links with new ones.

Events and Corporate Support

Operations

Our US mailing and business address will officially move to Virtual Inc’s address on July 1. Virtual have agreed to cover this cost in our monthly payments.

Merchandise. As of June 15th, we have sold 54 products, with just 5 since the change to put the Store button on our website. Our first royalty payment was for 41 products and payment was $193.32. Royalty payments are done monthly. That is an average of $4.71 per product.

Vendors. Mailchimp - we have cleaned up our mailing lists and reduced the monthly price by $300 a month. DocuSign was closed June 17, contract not renewed. I am starting to review our vendors and closing or trying to reduce monthly cost.

Projects and Technology

Projects and Technology June 2021