OWASP Operating Plan 2021 - Survive

Survive

Adopted by the Board of Directors 2020-09-22

Survival is about making choices – what to do, what to do better, what to do less of, and most importantly, what not to do. Instead of stopping some activities, we will devolve them to the Community, and encourage the Board to fund them through grants.

Survival activity will have between three and five key objectives or results (OKRs), such as the reviews, refactoring, and reforms detailed below, applied to each activity in that category, along with any notable new activities.

The goal of Survive is to review and refactor the business as usual activities of the Foundation, and decide what is essential, priority, minimize costs, devolved, or lastly, what should be stopped. The Foundation’s primary functions should be to assist the Community in running OWASP’s core activities, provide a funding vehicle for these activities, and provide oversight to protect the Foundation, the Board, and its members from fraud, self-dealing, and unreasonable costs.

  • Essential: Some outcomes are essential, because without them, the Foundation cannot exist. Although not the top-scored activities, they are generally higher in the priority list.

  • Priority: Outcomes on which the Foundation will focus its energy, resources, and funding. These must be mission-aligned, particularly if these are the only activities going to the end of 2021.

  • Minimize Costs: Important outcomes that we would like to have, but we need to reduce overheads, minimize friction, and automate the function as early as possible, so that staff time can be freed for priority items.

  • Devolve: Many current Foundation responsibilities will be devolved to the Community through relevant Core Committees, where for philosophical reasons, those activities should have remained. Any activity that the Community cannot reasonably run, that provides better value from a shared services model, or that requires legal or compliance oversight will have significant Foundation input or be run directly by the Foundation.

  • Stop: These functions offer little value to the Community or to the OWASP Foundation: they have little reach (i.e. the number of members who benefit directly from the Foundation doing this activity), low impact (i.e. the Foundation will be better off without them), low confidence that we can refactor them or make them work, and an effort that is too high or cannot be pushed to the Community.

Essential Activities

Essential services are those without which the Foundation cannot exist.

Sponsorship

Corporate Membership and event sponsorships are likely to be the top income source for the Foundation in 2020 and 2021. Corporate donations and sponsorship are essential for the Foundation. We need to increase the number of Corporate Members and event sponsors, provide a tiered membership plan and return to flexible membership fees to allow more organizations to become members at a price point they can afford.

OKRs:

  • Corporate Membership. Currently 55 members, year-end 2021 goal is 75 members, with global representation.
  • Event Sponsorship. All AppSec Virtuals, quarterly training, and virtual native events will be sponsored, including free virtual events.

Activities:

  • Event Sponsorship Prepayment Plan. We will establish a layaway pre-payment plan: 50% upfront, periodic payments by Stripe Billing, and a final payment 30 days prior to the event to finalize the event sponsorship.
  • Contract review. We will be working with qualified legal counsel to ensure all corporate membership and event contracts are clear on what happens in the case of event cancellations or postponements, with a view to extending the term to future events.
  • Review and refactor a tiered Corporate Membership plan in concert with Corporate Membership town halls to provide input and endorsement of changes.
  • Reinstate flexible pricing during the pandemic
  • Implement Stripe Billing for monthly corporate membership
  • Implement Corporate Membership Regional pricing - same criteria as Regional pricing membership
    • $2,000 instead of $5,000
    • $6,000 instead of $15,000
    • $10,000 instead of $25,000
  • Startup Corporate Membership pricing for startups in the first 12 months, max 24 months of membership
    • $800 for developing regions
    • $2,000 for all other countries
  • Restoration of Corporation Membership vote per our existing bylaws
  • Corporate Members may join the Corporate Advisory Committee, if formed
  • Add bartering to the Donations Policy. The Foundation will work with the community to reform how bartering sponsors are treated on our website and in local, regional, projects, and other event types.

We may need to distinguish between supporting and financial Corporate Memberships, and it will likely mean more logos on certain pages, but the reality is that without acknowledgment of bartering or similar arrangements, many chapters or projects would cease to exist. For example, for many years Mozilla funded the development of OWASP ZAP. They should have been treated similarly to other corporate sponsors. Not having full-time ZAP development would be an incredible detriment to the OWASP mission. Bartering sponsors will not be considered Corporate Members, so will not have a vote, but can be recognized formally on the OWASP website, project documentation, chapter pages, and chapter intro slides.

Fundraising

The only way we can do all of the things in this Operational Plan is with a large and secure source of funds that is self-sustaining and scalable. Individual one-off grants or donations are great, but without a way to build a future source of income that does not carry high overheads, we cannot do the big ideas.

During COVID, diversification of income sources is critical to our survival. However, administration overhead and fees can eat away at the amount donated.

Board and Community Connections

Our Board and Community know everyone in our industry, and many in our target audience: developers. We should be reaching out and shaking those trees to see what can happen: partnerships, happy accidents, and of course, donations, sponsorships, and in-kind assistance. None of us should be shy in asking our connections to look at OWASP and help our mission.

Partnerships

We have been approached by more than one Foundation to partner with us, such as the OpenSSF, which could potentially fund specific grants for project work. We should investigate these partnerships, particularly where there might be mission or financial synergies.

OKRs:

  • By December 2020, create a grants, awards, scholarships, and other finance reform policies to allow fundraising to reduce friction in granting OWASP unrestricted and restricted donations, as well as disburse funds with accountability and transparency.
  • Reform donations. We will be implementing a simpler, non-restricted donation and sponsorship program using Stripe Billing, which will allow individuals to make a one-off donation or a recurring sponsorship.
  • Quarterly Fundraising and Membership Drives. We need to be cognizant of the current COVID crisis and not be tone deaf that money is tight for everyone, but there must be a set of fundraising drives to encourage donations to the Foundation.

Activities:

  • Ask the Board to fundraise substantial donations on the Foundation’s behalf. A key duty of non-profit Boards is to fundraise on behalf of their non-profit organization. We will encourage but not require members to do the same.
  • Donation transparency. To mimic all the typical controls of a restricted gift, we will publish all expenses and grants, by grantee, leader, chapter, project, or Committee. This will allow donors and sponsors to determine if their donation or sponsorship has the outcomes they wanted.
  • Restricted donations. There will be a cap of 25 restricted donations per financial year for truly large donations. We will not be removing the $1000 limit on donations, with a straight 10% admin overhead fee to cover costs relating to accountancy and IRS compliance requirements for restricted gifts. There were 4 such donations in the last 12 months. We would like all 25 restricted donations to be used up with substantial program or grant donations.
  • Promote donations, fundraising, and bequests in the Connector and on our social media at least monthly.

Accounting and Finance

OKRs:

  • Implement 30-day terms rather than paying as soon as we receive an invoice.
  • Ensure accounts receivable is within industry norms.
  • Ensure our accounting processes and Virtual Inc deliver on time payments 95% of the time.
  • Develop a break-fix procedure for all aspects of accounting, so that failures in access, tools, or sites are resolved quickly to prevent disruptions.

Other reviews and activities

  • A review including cost comparison into bringing accounting in house, along with all costs and associated benefits.
  • Currently, our accounting is performed partially by our staff, and mostly by our outsourced provider, Virtual Inc. After reforming our finances, the Foundation will enter negotiations with Virtual to determine if we can reduce our monthly costs and improve the processes that we need to run the Foundation.
  • Provide escalating sanctions for debtors who exceed industry norms, including sending AR to debt collection once it exceeds more than 90 days instead of writing it off at the end of the year. This includes controls around sponsoring future events until the past debt is fully paid, or other arrangements can be made.
  • A review looking into removing any non-batch / SWIFT / Stripe payment mechanisms. This year, we had to cancel a few events, something that was completely out of our control, and some participants had paid using PayPal. It took us nearly six months to refund them due to PayPal restrictions, policies and procedures. This is completely unacceptable and cost us many hundreds of staff hours and Virtual Inc fees. We will look at all the ways we can be paid, and all the ways in which we can refund or pay participants or members, and eliminate all non-essential payment mechanisms.

As we have provided Insperity benefits to our staff as part of their employment, and our current Virtual Inc fees include a portion of this, we do not envisage changing benefits, which are critical for US employees, as there’s no state-based safety net.

Business Continuity Plan

OKR:

  • A BCP will be drawn up with the Board and approved by Board vote to coincide with the 2021 budget in November 2020.

Objective metrics will kick in at predetermined points. It is likely that the objective metric to invoke phase 1 (fundraising and diversification of income) will have already been reached by the time the plan is approved.

Once invoked, monthly BCP transparency reports will be provided on the OWASP website until no longer needed.

All staff have trained at least one other staff member in their job function, with regular job-sharing once training has concluded.

At the time of the September 2020 Board meeting, OWASP has approximately 12 months to come up with a survival strategy that works, or the Foundation will need to enact drastic cuts to services, function, or even existence. During 2020, the Board and the Foundation have been trying different approaches to cost cutting, such as the Budget Forecast Z, as well as running virtual events and training. This is doing okay, which might reduce the run rate or extend our horizon, but without significant finance reform, and extensive effort on the part of the Board, Community and Foundation to chip in together, the Foundation has a bleak future.

COVID has amply demonstrated that many organizations, including OWASP, have no business continuity plans. An initial staged business continuity plan (BCP) will be developed, primarily focusing on our ability to respond in a timely fashion to the COVID pandemic and related economic downturn.

Metrics will be agreed with the Board on when to initiate reducing, refactoring, or eliminating activities, staffing, and finances, to avoid shifting goal posts and to allow proper and orderly planning. This plan, and all progress on addressing the key drivers that initiate the BCP stages, will be shared with the Community.

The BCP is focused on survival and growth: the core of OWASP must survive, with a focus on membership drives, fundraising, donations, and sponsorships around increased activity, along with investigating partnerships or friendly acquisition by like-minded Foundations to continue our mission – hopefully unchanged.

If raising revenue or partnerships are insufficient to meet agreed benchmarks, there will follow a staged and orderly refactoring, reduction or elimination of costly activities, bringing outsourced activities in house, reducing staff costs, and finally an orderly shutdown of OWASP’s entities with fair retrenchment packages for staff and dissolution of the Board.

CRM

OWASP must complete the transition to Copper CRM. Currently, our source of truth for membership is MailChimp, and our source of truth for corporate sponsors is Copper CRM. We cannot easily provide membership automation using MailChimp, and we cannot easily ascertain key facts, such as “was a membership continuous to allow a member to stand for the Board?”

The full transition of all OWASP activities to Copper CRM will be completed by July 1st 2021, including membership, contacts with the wider Community, corporate membership and directories; Committee membership, management and leadership; partnerships and signed MoUs; speaker bureau; events and training workflows including sponsorship of global and regional events; Projects management, membership, and leadership; Chapter management, membership and leadership; integration with Stripe Billing to allow subscriptions for membership, donations and sponsorship; integration with our accounting system and ticketing system; automation of BAU self-service; and GDPR compliance.

Priority Activities

Priority activities are the reason the Foundation exists. If the Foundation does not do these activities, even in “survive” mode, then OWASP would not exist in its current form. The primary motivator of priority is not to do the activity, but to ensure that priority activity results in mission related outcomes in a cost effective, frictionless, and scalable way.

Philosophically, the Foundation does not control or participate in any Community activity, but enables that Community or mission related activity, and helps promote our mission. Any priority activity in which the Foundation is called on to make a value judgement is not aligned with our mission and not scalable, and should be devolved to the Community via Committees.

Priority Goals

Policy Reform

The current policy landscape is difficult and contentious, and does not currently take into account COVID restrictions, whilst looking forward to an evergreen, scalable approach with Community endorsement.

Qualified Professional Advice Required

Up until recently, none of our contracts, bylaws, or policies had been reviewed by qualified legal or financial advisors. This creates tremendous legal, contractual and financial risks for the Foundation, and directly affects elected Directors, who have a fiduciary responsibility along these lines.

  • By the end of 2020, all contracts, bylaws, and reformed policies will be reviewed by qualified professionals.
  • As part of the meta-policy reform, governance will be added to the Policy Development Process to ensure qualified professional advice is obtained and acted upon prior to Foundation or Board approval of contracts, bylaws, and policies.

Meta Policy Reform

By the end of 2020, a reformed and transparent Policy Development Process will be developed and approved, incorporating the existing Policy Review Process, and formal ownership of policies and oversight by the Board needs to be established. This is essential to re-establishing trust in our policies by our Community and members and providing certainty to corporate sponsors.

Committee Reform

Devolution cannot work if the current Committees cannot act, have funding, or use our expenses. Additionally, we have seen some behaviors that might lead to shadow Boards and activities contrary to our mission. The Committees 2.0 policy must be revised with the Board to reform Committees 2.0 so that the Board sets the strategies, owns the policies, and provides oversight, whilst the Community runs and advises the Board in relation only to their specific area with assistance from the Foundation as necessary.

A model similar to that of most functional representative democracies will give the wider Community (including non-members), through Committees, the power to craft policies and programs aligned with the OWASP Mission, reviewed by a panel of OWASP Members, and finally advising the Board of their intention to create or run a program, revise a policy, or similar. Finally, the Board in its strategic, policy ownership, and oversight roles will review the recommendations or advice, and decide whether to approve the policy or program creation. The Board will likely decide to allow a Committee some latitude in executing mission aligned and strategic programs in its area by providing a grant budget item.

Lastly, we need transparency in Committees, as they are currently not required to meet at least quarterly with published calendars and meetings, use Google Groups for official Committee communications, and record their sessions and make them available to the public.

Finance Reform

The current costly and contentious balances will be disbanded, to be replaced with a remarkably simple self-service expenses process, a grants program, and revised regional events funding model. This will allow all chapters, projects, and Committee leaders to expense fair and reasonable expenses, all members to gain funding for mission related outcomes with the accountability that IRS compliance audits require, and finally to establish autonomy for budgets and spending to regional event organizing Committees by seeding new regional events on a case by case basis a single time, and then the organizing Committee is responsible for ensuring that an event is staged and there are sufficient funds to run the next event. They can then choose to fund grants or initiatives as they see fit with any profits in excess of the necessary float for the next year’s event. This relieves the Foundation of the burden of maintaining balances, which are a fiction at best, and ensures all chapters, projects, and Committees can participate in our mission.

Lastly, each Committee (chapters, membership, projects, events, etc) should develop a plan to become profitable to fund OWASP’s mission. This will require a new vision for donations and sponsorships that both adheres to IRS and EU tax rules and regulations on restricted gifts, whilst balancing out the unrealistic desires of some to have no obvious sponsorship or advertising, improve bartering arrangements at the local level, and provide transparency for donors to ensure that nearly all if not all of their donation is used for their intended purpose. OWASP needs finance reform to minimize admin costs, which will assist with fundraising, donations, and sponsorships as external entities gain trust in our transparency and governance of donated funds.

Membership Reform

A key aspect of OWASP is its very unusual (and possibly unique among member organizations) ad hoc and relatively open membership model, where 83% of leaders are not members of the organization. Our bylaws define a closed membership model, which is contrary to many leaders’ expectations that they would receive complimentary membership in return for volunteering their time.

The OWASP Board decided on September 12, 2020 to keep the existing membership model but reform the following:

  • Active leaders, determined through activity criteria and automated discovery, will be eligible for complimentary membership.
  • Honorary Membership will be awarded at the Board’s discretion, and become more of an award than “free” or complimentary membership.

Additionally, as a result of the 2019 audit, membership revenue recognition must be updated to fall into compliance with IRS revenue recognition regulations and GAAP.

  • Pending professional advice, revenue recognition of memberships is likely to become unrestricted donations, to permit immediate recognition of revenue.

Membership reform must take place with the Community’s assent, with a transition plan from the current situation, to incorporating all bylaws, policies, processes, and covering all membership types: regional, standard, lifetime, student, corporate, honorary and complimentary leader memberships. This transition should be completed by no later than December 2021.

Travel Reform

  • Before travel resumes, the travel policy will be reformed under the reformed Policy Development Process to:
    • Open the policy to Chapters, Projects, Committees, Board and Foundation staff, replacing all previous unique travel programs
    • Require virtual options to be used in preference to physical travel
    • Review the class of travel for flights under and over 7 hours
    • Require adherence with Foundation travel booking and expensing procedures
    • Add accountability, checks, and balances to deter unnecessary or unauthorized travel
  • By November 2020, a 2021 budget allocation for likely staff and Board travel will be determined in concert with the Board to provide a contingency in the unlikely event that physical travel can resume in 2021.
  • By July 1, 2021, a corporate travel agency will be appointed that allows integration with our billing and accounting platforms, which all members and staff will be required to use, rather than reimbursement. This is to provide accountability, lower costs, usually free change fees, and compliance with our travel policy.

Events

The Foundation will prioritize and focus on delivering:

OKRs

  • By November 2020, an Event strategy to include a calendar of events, OWASP 20th celebrations, and depending on the financial performance of AppSec Virtual in October, either 2 AppSec Virtual events or 12 native virtual events per the strategy.
  • By November 2020, devolve authority for approval of small to medium regional events to the Events Director, with above $20k co-approval with the Executive Director.
  • Within three months of the formation of the Events Committee, build an “Events in a Box” regional handbook to document local, regional, virtual, and training events, with associated on demand organizer training to assist new regional event organizers hold successful and profitable events.
  • By the end of 2021, hold AppSec Virtual in October 2020, and depending on the outcome of the AppSec Virtual debrief or a Board vote on holding all virtual or hybrid options, either two more AppSec Virtuals in 2021, or virtual native events throughout the year.
  • Plan for small physical AppSec SF in case this becomes possible.
  • By the end of 2021, a calendar of events for 2022 should exist and planning for many of those events should be well underway, including physical and virtual events depending on travel restrictions.

Operational Activities

  • Plan for physical events in certain locations as health guidelines permit, but Board approval will be required for all Foundation physical events in 2021. The event strategy contains details concerning the postponed AppSec San Francisco, which depending on COVID circumstances, may either be a physical or virtual event.
  • Plan for a third Global AppSec. Work with the AppSec Australia Day organizers to determine if this could become the third Global event in 2021 if conditions permit, or 2022. No matter if the event is held as a regional or global event, an Australian physical event would require the establishment of an Australian tax entity due to its sheer size and Australian tax compliance requirements.
  • Standardize a Memorandum of Understanding for partnership events. By October 2021, create a legally sound MoU that contemplates co-marketing arrangements with partner events or organizations to speed up the process of signing annual arrangements. We envisage this will be used by nullcon, TWCSA, potentially the LATAM tour (although we hope that regional event and regional chapter reform will allow LATAM to return as a standard regional event), and potentially several other conferences.

Additionally, as part of devolving Events to the Events Director, once a budget has been approved, large expenditures within that budget should be considered pre-approved, and only require either ED or ED + treasurer co-signing, depending on the size of the transaction.

Operationalize Temporary Sanctions

With the uptick in unacceptable and toxic behavior by several participants and members violating the OWASP Code of Conduct, a policy will be developed to operationalize temporary sanctions under the Code of Conduct, with the aim of allowing the Executive Director to impose an immediate suspension of OWASP participation of up to 30 days in flagrant cases, whilst a Compliance Committee review takes place, for a final determination and vote by a majority of the OWASP Board. The current bylaws only permit full revocation of OWASP membership, which considering the open membership and participation model, is clearly not aligned with reality. This policy will likely require the relevant bylaw (section 4.03) to be changed.

Training

The Foundation will prioritize and focus training in the following ways:

  • Planning and running four quarterly virtual native training events in 2021.
  • Review the virtual and in person training splits in consultation with the trainer Community.
  • Review and implement diversity of trainers with the WIA, Diversity, and Inclusion Committee to promote new trainers from underserved communities to present at premiere global and local events, prioritizing new research, new tools, and new ideas.
  • Running training tracks at AppSec Virtual (and any AppSec Global events that might be held).
  • Review the transparency and composition of the Call for Training Panel process.
  • Assist regional events with training on a fee for service basis.

Minimize Cost Activities

Several activities that we have a capability of delivering today are still important to the Community, and belong operationally to the Foundation, but are costly either in terms of negative income, excessive staffing or outsourced costs, or require extensive and demanding volunteer time.

We will automate common activities, review costs, determine if the activity could be made profitable in its own right (such as providing shared services for a fee or donation), or if the activity can be optimized or refactored to improve productivity, reduce costs, or non-essential items deferred until times are better. Some of our most important functions are in this bucket, so we must be cautious of making too many cuts. The goal of minimizing costs is to refactor the activity permanently, so that the Foundation can grow faster once recovery is underway.

Marketing

Marketing is essential to our survival. Our marketing must be authentic, relevant, and widely shared because it is interesting and on topic for our desired audience (developers and appsec professionals). Currently, it is promoting our events, which whilst important, does not have a great deal of reach nor interaction.

The following activities will be undertaken:

  • By October 2020, apply for and use the free Not-For-Profit Google AdSense advertising (up to $10k per month)
  • By December 2020, complete a review of the current marketing efforts with Virtual Inc with a view to renegotiate activities and costs after the conclusion of AppSec Virtual.
  • By December 2020, devolve operational Community marketing to the Outreach Committee, particularly the Facebook Community page.
  • By January 2021, create and implement a content marketing plan, and 12 month calendar of themes, incorporating all aspects of our mission and activities, including global and regional marketing.
  • Continue to publish the Connector monthly, but also look at ways to improve our communication with our Community, as fewer and fewer folks read emails.

Staff

Staff are essential to the OWASP mission, and without them, the Foundation and many of the OWASP mission critical functions would not exist. The growth of OWASP took off after the Foundation was created in 2004, so there is no model with zero staff that makes sense for our mission. However, one of the major expenses for OWASP is staff.

OKRs:

  • All existing hiring position descriptions will be closed immediately.
  • Staff raises and bonuses will be aligned with CPI and prudent financial practice, which may mean asking staff to sacrifice real world increases for 2020 and 2021. We will work with staff to accept non-monetary exchanges in lieu of raises, such as increased four day weekends around public holidays as just one example, until we can return to normal.
  • If any staff leave voluntarily, they will not be replaced for the duration of 2020 and 2021 without Board approval.

On a personal note, I hope the Community realizes that everyone is hurting, and with an 80% cut in our income in less than one year, we need to manage the tension between retaining staff who are dedicated to our mission, or being financially responsible and losing staff to better paying jobs.

Shared Services and Automation

Shared services will be improved, with a view to chapter, project, and Committee local control, with a primary OWASP account to provide continuity if leaders, chapter, Committee, or project become dormant. This is not about providing the OWASP Foundation control, but to maximize premium features, negotiate a much better or free rate with our shared services sponsors, and ensure activity doesn’t incur overheads such as a Zoom account or AWS account fees, which can sometimes be substantial.

Shared services imply sharing, which is what OWASP is about. We will implement self-service resource sharing functionality to help manage contention for scarce resources on a first come, first served basis.

On a case by case basis, dedicated services will still be available, but on an exception basis only, to be renewed annually.

Membership

Membership is a highly contentious issue at the moment, with reform likely. The Board will be making a strategic decision on if we are a closed (what our bylaws currently say), hybrid, or open membership. If we adhere to our bylaws, we will need to change the Community’s culture and expectations. If we are a hybrid model, we will need to update bylaws, policy and operationalize the changes. If we move to an open model, all current membership policy will need to be rewritten, and a transition plan for Lifetime members created.

2021 OKRs:

  • Current membership is 3,138; the survival goal is 3,500 members by the end of 2020, and 4,000 members by the end of 2021.
  • Migration of membership and existing automation to Copper CRM by June 30, 2021.
  • Full self-service automation of all common membership activities by December 31, 2021.
  • Membership drives as part of AppSec Virtual 2020 (in progress), and four membership drives in 2021, including global and diversity themes.
  • Membership reform is based upon the decision by the Board, including operational reform of Honorary and Complimentary membership.
  • Prior members and leaders can apply to keep their owasp.org email address alive for a subscription fee through Stripe Billing.
  • All forms of membership, including student, standard, corporate, and lifetime membership, will have access to regional pricing, set to two-fifths of the price of standard membership of that type, so regional pricing for Lifetime OWASP membership will become $200.
  • Stripe Billing payment plan for Lifetime Membership, with annual membership, granted immediately, and Lifetime membership granted at the end of the payment plan.
  • Renew and recruit student memberships and student chapters

Stop Activities

Some activities have little to no reach (i.e., they are used by a tiny fraction of the OWASP Community). Stopping them altogether would have little impact; they carry significant operating overheads, and there is very low confidence that this situation could be reversed by refactoring or simply hitting pause. Even in a healthy year, the Foundation should probably not be doing such an activity. In a survival year, continuing it is an existential risk, and it should simply stop.

The following activities have been a drag on the Foundation for some time. They were marginal before the pandemic and became a threat to OWASP’s existence in the pandemic situation, which highlighted why these programs should not have been started. It’s time to stop these activities:

Review EU Entity

The EU entity has been difficult to manage, difficult to transfer funds from, expensive to operate, and has not met many of the reasons for its establishment. For example, at the time of writing, our EU bank is not accessible to our accountants, and hasn’t been for over a month. The large multinational bank has not answered the phone and has not resolved our access issues, and when we have tried to use transfers, they have been blocked, have incurred excessive fees, or the act of transferring funds has re-blocked the account for days or weeks at a time, requiring a Board member to spend their valuable time fruitlessly ringing the bank again and again. This situation is completely unacceptable and must not continue.

The Foundation will review the operations of the EU entity to:

  • As a matter of urgency, review whether a single global bank with multi-currency accounts will better serve the community and eliminate the often months-long inability to access our accounts (as is the case at the time of writing). The new bank should be all the things our current bank is not: able to answer the phone, able to resolve access issues within a single business day, offering the most basic initiator-approver corporate account processes, and processing payments with limited or no fees within the EU and minimal costs to transfer funds between our US and EU entities.
  • Review how processes around the EU entity (not the bank) can be improved to reduce excessive delays and administrative overheads and burdens on the Foundation, our accountants, and EU members, who often receive negative benefits from the EU entity, such as bank fees that eat up a majority of or all of their expense claim.
  • Review costs associated with the entity, and see if they can be reduced.
  • After the above reviews and reform, by December 2020, produce a report to the Board on whether the costs and benefits of maintaining the EU entity justify continuing it, including potential upsides, such as being able to apply for work with local venues without US contracts, apply for and fund EU grants, and so on.

Reform Balances under Finance Reform

The administration overhead of balances is unwieldy, encourages self-dealing, encourages folks who have invested in this program to incorrectly think that this is their money rather than money for the OWASP mission, prevents mission spending, stops many chapters from running projects and all Committees from making expenditures for the mission, and represents approximately one third of all of our accountancy costs.

The finance reform agenda will:

  • Abolish balances by reforming regional events, chapters and projects, to fund all chapters, projects, and Committees and allow them to claim reasonable expenses, with the Board having oversight of our expenditure.
  • Establish a simple “fair and reasonable” expenses policy with a relevant cap for chapters, projects, and Committees, with a trust but verify approach.
  • Establish a grant or finance Committee made up initially of the OWASP Treasurer and Executive Director as permanent members, and 3-5 members from the projects and chapters with the largest balances, to review and approve grant proposals.
  • Establish an Awards and Scholarship policy to provide transparency around selection criteria and to encourage recognition of great work and to promote our mission to the next generation.
  • Review the costs and benefits of the EU entity, with a view to making it less difficult and expensive to operate or abolish it altogether. With the reform of balances, all EU project and chapter balances will move to the US entity.

Temporary Halt to Travel

Travel is currently not permitted and will not be reimbursed until COVID travel restrictions are lifted as necessary in each region, per local health guidelines. Exceptions will be made on a case by case basis until the end of 2021. A limited budget will be requested in case of a return to normal in 2021.