Outcomes from August, 2013 Board Off-Site

Leaders,

The board met for 8 hours on August 19th before AppSecEU for a board off-site. I wanted to provide a recap for those that may be interested.

Topics:

1. 30 minutes - Open session - Air any concerns
2. OWASP Board - purpose, requirements, expectations
1. Orientation Process
2. Conflict of Interest Policy
3. Attendance Expectations
4. Board Size
3. Financials
1. Looking at 2012, 2013 & paths for growth
4. Legal
1. Europe entity board representation
5. Corporate Involvement & Support
1. Review feedback & proposals
2. Draft skeleton of plan
3. Define next steps
6. [1 hr] [closed portion] - 3 month review of the ED role

Outcomes

Corporate Involvement at OWASP

First, thanks to those that provided thoughts and feedback on the governance thread regarding corporate involvement. It was great to have feedback from OWASP leaders in this complex area.

Corporate Membership - Tiered Structure - The board voted to move to a tiered corporate membership model. This enables organizations to support OWASP at a variety of levels. We are still flushing out the final details and we'll soon update the membership matrix. However, there will be 4 tiers ($2,000, $5,000, $20,000, $50,000) with varying benefits provided to the corporate member for each level. For those interested in chapter splits for corporate supporters it will be the following:

$50,000 Corporate Membership - $8000 to local chapter - 16%

$20,000 Corporate Membership - $4000 to local chapter - 20%

$5,000 Corporate Membership - $2000 to local chapter - 40%

$2,000 Corporate Membership - $800 to local chapter - 40%

Corporate Member Logos - Moving to Acknowledgement Page - To provide a single clear page that acknowledges our corporate member supporters we will move the corporate logs from the bottom of the OWASP home page to a dedicated acknowledgement page. The home page will have clear graphics that encourage viewers to click and view the acknowledgements page.

Project Branding & Sponsorship - Project sponsorship by corporate members is a complex item with many positives and negatives to each approach. The key is to provide clarity and guidance. Without these it is not easy for corporations to engage and while many will act with the best interests of OWASP we spend unnecessary cycles debating if individual decisions are correct. The board discussed the issue at length and outlined 3 different potential programs in this area.  We hope to provide a clear plan that will allow us to engage supporters and all understand our overall process.

Next steps:

- The board has outlined 3 different potential programs for project branding and sponsor. We will clearly document each option including the positives, negatives and other considerations for each option.

- We will circulate these programs to leaders for review. At that time we will ask for any other suggested programs or additions/clarifications to the positives/negatives/considerations of each program.

- Finally, this particular item will be added to the annual vote for a decision by the OWASP members. This particular item is complex with many different potential paths. We as OWASP need to decide which option is right for us. A clear listing of options along with an informed listing of the trade-offs for each option will allow the larger OWASP membership to lead in the decision making on this item.

Board Changes

Board Orientation Documents - An official board orientation set of documents will be created that includes a stated conflict of interest policy (in addition to what we have in the bylaws), 2 required reading short books on non-profit foundations, requirement to read previous financial reports and 990, and links to our to-be created governance page. All board members will sign and acknowledge completion of the orientation by Jan 1, 2014.

Conflict of interest policies will also be extended to all employees and those in decision making roles for global conferences. We see this as a natural step to mature OWASP and better align with non-profit requirements. This is not in response to any concerns.

Board Size - OWASP bylaws specify the board must be between 5 and 7 members. Currently the OWASP board is 6 members. We voted to extend to 7 members. The 2013 election will now seat 4 spots instead of 3. The newly elected board members will begin their terms Jan 1, 2014. At this time we'll see the board officially expand to 7 members.

Quarterly Board Meetings - The board voted to move board meetings from the current schedule of monthly 1 hour meeting to quarterly 4-6 hour meetings. The schedule of meetings will be set by the board in December before the year. It is likely the the board meetings will take place on Saturdays or on a dedicated day before a large OWASP conference.  This change is a result of the success of the longer format board meeting and also a result of the Executive Director role that has enabled full time involvement and focus on OWASP operations. This will take effect in January, 2014.

OWASP Finances
Financial Audit - Every 3 years OWASP has engaged an outside firm to audit OWASP finances. We decided to move up our next audit since the organization has grown substantially over the past few years. The next audit will occur in 2013 for an audit of the 2012 filed information. All tax filings and audit information can be found here: https://www.owasp.org/index.php/OWASP_Foundation#Tax_Filings

Review of Finances - Sarah and team are doing great work understanding OWASP finances and also mapping these into quadrants to reflect income/cost impacts and also value to mission. More information coming soon, but this type of understanding of our income and expenditures will allow us to continue to increase the value return on OWASP funds.

Michael Coates | OWASP | @_mwc