OWASP Operating Plan 2021 - Introduction

Operating Plan 2021

Andrew van der Stock and OWASP Foundation Staff

September 2020. Approved by the Board September 22, 2020.


Introduction

This operating plan sets a new course for the OWASP Foundation. The COVID era is one of extreme challenges, but also an opportunity to rebuild our Community and to repair faulty or broken policies and procedures. The pandemic has dramatically cut into mission-related activity and income, and has fundamentally altered how OWASP raises most of its money: sponsorship of in-person events and fees for training and registrations. To survive, the Community must realign our collective focus on our core mission, and the Foundation must support that mission.

We need to survive, re-focus on our mission, and thrive. These reforms are the most extensive structural reforms in OWASP’s history. Reform starts now, because we do not have the time to delay essential reforms.

  • Survive means the bare essentials of our mission: maintaining capability while we wait to fully re-open. It includes a proposal to document a business continuity plan for the case that we are in danger of becoming insolvent. We hope never to invoke it, but this planning is essential.
  • Re-focus on our mission. We need a new mission statement for the next 20 years. We have to get back to the core idea of OWASP: our mission. We need to focus on enabling the Community to run our Community, rebuilding for a DevSecOps era, and returning effective control to the Community. OWASP must focus on and invest in strategically visible activities by the Community, with accountability for outcomes.
  • Thrive. COVID has shown us that simply being a smaller OWASP is not enough to survive. We need big ideas and new sources of income, so we can fund more activity of each type, with accountability and compliance with regulations, compliance requirements, and tax codes.

The 2021 Operating Plan was drawn up with a few basic philosophies, or non-functional requirements. These philosophies help us objectively determine whether something is mission-critical, whether it reaches ALL of our participants and leaders across ALL of our activities, whether it is cost-effective, and whether it protects the Foundation by being accountable (“trust, but verify”) and compliant with all known regulatory, compliance, and tax requirements.

Our goals are ambitious: ensuring that we can safely re-open as soon as possible, rebuilding our mission from the ground up, ensuring that OWASP is here for another 20 years, and producing a bumper year of activities driven by the Community.

Key Principles

The key principles driving reform are to empower the Community, to task the Community with our mission, and for the Foundation to enable activity via automation and self-service to improve the customer experience.

Board Authority and Ownership

The Board are the Community’s ultimate representatives: elected Community members who have their own vision for OWASP. OWASP’s fundamental strategy, policies, and oversight are reserved for the Board alone, as is true of all Boards. The Foundation is here to execute each Board’s strategies and policies, and to build in oversight and safeguards to protect the Foundation and our mission.

No Board can bind a future Board, and no Board is bound by past Boards, except a basic requirement that changing bylaws and policies requires a supermajority.

Policy Reform

Policy reform is vital and must be run on an agile, Community-centric, fail-fast basis. Some of the reasons for Community disquiet are that existing broken policies were left to rot for far too long, and that other policies were openly hostile to contributors, members, leaders, and developers.

We need a new way of building Community-agreed policy transparently, a policy review process that is a true review, and a Board that reviews and approves new policies based upon recommendations from the relevant Committees and the Foundation. This is the approach well tested by most successful representative democracies, some for hundreds of years.

Policy development is not for everyone, but because it applies to everyone, it must be utterly transparent, outcome driven, accountable, and have built-in safeguards.

Devolution to the Community via Reformed Committees

OWASP has grown tremendously over the last 20 years. We must scale OWASP, but in an OWASP-like way: enabling Core Committees to be responsible and accountable for their subject area, developing programs and ideas, advising the Board on policy or bylaw changes, and so on. Committees are not a shadow Board, so controls must be put in place to prevent Committees from usurping the OWASP Global Board of Directors’ strategy, policy, and oversight roles, whilst giving Committees real power to drive the next generation of contributors, generate big ideas, and deliver mission-focused outcomes.

Culture

The culture of OWASP has been especially difficult in 2020. We need to work with our Community to recommit to volunteering, our Mission, our Core Values, and our Code of Conduct. We need to return to being one large family, assuming the best possible intent of others in all things, and work together to improve our organization, our projects, our chapters, and our Community. Volunteering is just that: volunteering your time, skills, and funds to help our mission.

Come on that same journey, and be rewarded because you helped out our incredible worldwide Community with your passion, your knowledge, your skills, your connections, your time, and your funds. We need them more than ever.

Let’s do incredible things together! Join a chapter, become a member, be active in a Committee, stand for the Board, mentor a student, work on a project! These are the things that make OWASP better and achieve our mission.

Operational Key Requirements

Outcomes, not activity

We need to work smarter, not harder. Being busy, but not producing mission-related outcomes is a huge opportunity cost, which reduces Community and staff satisfaction, reduces or eliminates mission outcomes, and costs precious funds we cannot waste.

All policies, procedures, and activities will be outcome-driven, not simply activity. Instead of “we spent $250k on our program last year”, we need to say “75 leaders achieved measurable goals, including 8 new flagship projects, 40 new chapters, and 10 new regional events, with the Foundation investing $250k in total.”

Where reform creates a way of spending money, such as Awards, Expenses, Grants, or Scholarships, the process for obtaining that money must have clear, simple, transparent selection criteria, and must state the mission-related outcomes, who will deliver them, and by what date they will be complete.

This is the core of accountability, and it will ripple through everything we do at OWASP to drive activity, document outcomes, improve the value of our mission spending, and help reduce fraud.

One Touch

The goal is to only touch a service ticket once to resolve, or for the process to be self-service through automation. If a process requires multiple handoffs, the policy is broken.

Reduce Friction

Many of our priority items are member-driven but hosted by the Foundation. We need to ensure that the Foundation can run priority activities in a self-service mode that handles at least 80-90% of all common activities without staff intervention. This must be in accordance with policy, all of which must be endorsed by the Community.

Automation

Business-as-usual activities will be automated in compliance with policy, to improve member services, scale, provide consistent outcomes, and free up staff for priority duties.

Conduct a cost review and refactor

Review each essential service to determine whether there is a lower-cost alternative that could meet our requirements, whether we can renegotiate with the vendor, or whether we can reduce our usage or plan to eliminate “nice to have” but non-essential features.

Build Value and Revenue

Nearly all priority activities other than Events and Training have historically operated as cost centers, funded by our events income. We will review each priority activity and make plans to determine whether it can be made profitable, whether it will be de-prioritized in a BCP situation, or whether it will remain a cost center because it is truly core to our mission. We should continue to pursue these activities even though confidence in their being profitable over the next couple of years is minimal, but offset their costs by building value and revenue into each of them.

Resiliency

We need to ensure that all of our systems and processes are resilient to failure, staff leave, and so on.

Transparency and Safeguards

Clear, transparent, and enforceable governance

Reform requires reformed governance. There are two current issues:

  • Adhocracy, where policies are cherry picked to have a desired outcome, and unfavorable decisions are litigated time and time again until either someone gives in to the desired outcome, or the original decision is overruled. This is completely unacceptable and must stop.
  • Potential for shadow boards. Devolution to the community should not result in an end run around the OWASP mission, or be in conflict with or bypass the Board’s strategy, policies, and oversight roles. Governance should be in place to limit the potential for a small number of participants or members to drastically change the OWASP way, self-deal, or work against the community’s will.

This will be addressed in several ways:

  • The owasp.org policies, once improved, will be the only source of policy. Handbooks will help folks navigate policies, but all processes will be managed to policy. Particularly common activities will be automated to policy, with safeguards and auditing built in. This will make it harder for an individual to argue against an outcome, as the result will be consistently applied and managed to policy.
  • Foundation staff and Committees will be given clear authority to make decisions that stick. Many policies will have a co-approver or co-signer with the Executive Director or Board depending if significant contractual or financial risk is involved, but for most decisions, the first decision will be the final decision unless clearly against OWASP policy, our mission, or our bylaws.
  • Committee reform will move informational background into a future Committee Handbook, to be built and maintained by Committees; bring the residual policy into line with Robert’s Rules of Order, Newly Revised 12th Edition, for the formation of a standing committee; and give Committees access to the standard expense, travel, grant, and other policies that apply to all other leaders. Additionally, Committees may create and fund grants, awards, or travel within their scope through an annual budget request.
  • Lastly, any Board or Committee officer with a vote will be required to recuse themselves if they have a perceived or actual conflict per Robert’s Rules of Order, Newly Revised 45:4 and 45:5. In practice this means that if a Board member or Committee member brings up a motion that will benefit themselves in some way, they must declare the conflict (or address it if it is brought to the attention of the Board or Committee), sit out the discussion, and not vote on the matter. For example, if the Grants Committee is considering a grant for the OWASP Top 10 project and a Top 10 leader sits on the Grants Committee, that leader must sit out both the discussion and the vote.

Accountability for Spending

To allow automation and scale, we are moving to a “trust, but verify” model for expenses and grants. This means we will assume good intentions on the part of all, and audit suspicious activity rather than review each and every item. Item-by-item review has been contentious, and it forced the Foundation to make value judgements on every expense, project, or chapter.

There will be three main methods of expensing for OWASP leaders and Committee officers:

  • Small expenses, those under $50 USD, require only a Jira ticket and a receipt.
  • Expenses over $50 USD and up to the expense cap require a Jira ticket, a receipt, and a second approver. This will normally be a project or chapter co-lead; in the absence of a second leader, the relevant Committee (e.g. the Projects Committee for a project expense) will be the second approver.
  • Expenses over the expense cap require either pre-approval of a simple proposed budget, or a grant under the grants policy. This is to permit larger chapters to function by submitting and sticking to an approved budget. We recommend that chapters whose monthly expenses exceed the expense cap obtain barter sponsorship for the venue and for food and beverage. Chapters will be free to consider these companies chapter sponsors, and if a company’s annual barter spend exceeds the cost of a Corporate Membership, OWASP will grant that company complimentary Corporate Membership under the barter arrangement.

There will be sanctions for abuse, including loss of access to the system that was abused, revocation of membership under the Code of Conduct, and referral to local authorities if the matter rises to that level.