Monday, 3 December 2012

OWASP Revenue Splits and the "Non-profits have a charter to be innovators"

Seth Godin recent post on Non-profits have a charter to be innovators is really spot-on, and very accurately describes the problem that (I believe) exits today at OWASP

When Seth mentions that non-profits usually say: '...We're doing important work. Our funders count on us to be reasonable and cautious and proven, because the work we're doing is too important to risk failure...',  he could be speaking on behalf of a number of OWASP Leaders, since I have heard many variations of that phrase at OWASP before (in fact you will see such variation later on this post)

Contrary to what a lot of OWASP core leaders (the ones that care and spend time on 'OWASP the entity') believe, OWASP doesn't have a lack of funds problem!

OWASP has a 'how to spend money' problem 

and a

'Not spending enough OWASP funds' problem!


If you look at the current situation, you will find:

But, although there is enough money available, the amount spent from those budgets is very small (again I wanted to point to the real numbers, but couldn't find them)

So does OWASP really needs fund raising? 

Does it really need an improved Conference/Chapter revenue model as proposed by New Profit Sharing Model Proposal (which is where 'OWASP energy' is being spent)

Does it really need more rules and 'Project Stage Benefits' with special carrots for projects being given budgets? (see current Samantha's ideas on it here)

OWASP's problem is not that it doesn't have enough funds for its projects, chapters, committees, etc...

The problem is that the funds available are NOT being spend!

This means that the current focus should on finding ways for the available funds to be spent

Maybe one day OWASP will have the great problem of having to regulate and control the spending of the available funds

But that is not the problem that exists today! 

And as programmer, my view is that the way to takle a big problem, is to solve the ones that we have today, and then deal with other issues later.

To see if I could point OWASP on the right direction, on the New Profit Sharing Model Proposal thread I asked:  



"...Is there a place where I can see/read the current objectives and rational behind the profit sharing? Basically: 

    • why it is done? 
    • what are the objectives that we are trying to achieve? 
    • based on the past 12 months (and what happened with the use of those funds), have those objectives been meet? 
    • what is working and what is not working? (with the current profit sharing model) - what is the % of the funds allocated that have been spent in the last 12 months? 
    • where have those $$$ been used for? Also, can you point me to an analysis (or list) of all the expenses made by the chapters that received a $$$ share? (and their balances) ..."

And Michael's response is one I have heard many times before, and is exactly the kind of problem Seth Godin talks his  Non-profits have a charter to be innovators post:

"...The new policy is straightforward and also strikes a better balance between declaring foundation funding needs to keep the overall OWASP machine moving and also chapter desires to raise funds and foster chapter/regional growth. ..."

What is interesting about that thread and its responses, is that the key issue (which I was trying to get to, with my questions) is "The current funding model for chapters and projects is not working! simply because the money is not being spent!" (and btw, OWASP has enough funds coming in via its Memberships to keep the 'lights on')

So instead of 'refining' the current OWASP revenue splitting model, my view is that it should be dramatically changed to a model similar to the GSD project.

For example, here is how it could work, where only the following rules would be in place:
  1. OWASP chapters and projects get 100% of the funds they generate, and have 6 months to spend it
  2. After 6 months that money goes to a global Projects and Chapters pot/bucket/account, which ALL chapters and Projects can access (and spend from)
  3. No OWASP leader can be paid using these funds
  4. There is an 'approval by default' on spending requests (with maybe a request for more details' mode (see  GSD project for an example))
And that's it!

This would put the focus and the energy into spending the money, which is what OWASP should be doing.

Because, just like Seth says:

"...Go fail. And then fail again. Non-profit failure is too rare, which means that non-profit innovation is too rare as well. Innovators understand that their job is to fail, repeatedly, until they don't...."

And in OWASP's world, this means, that if every Six months we don't have a list failures, ie places where OWASP money was REALLYYYY badly spent, it means that we are not trying hard enough (or course that we will also have a list of good uses of OWASP money, but those tend to be ignored by the peanut gallery)

See, I know how to spend OWASP money, in fact I am by FAR the one that has spend more OWASP funds ($400K+ on Summits $250K+ on OWASP Seasons of Code, and others). And I can speak by personal experience, that it is very hard to spend OWASP money. I takes a LOT of energy, time, commitment and an ability to accept failure.

At the moment spending money is VERY hard at OWASP, because:

...the culture doesn't promote that spending

...the culture doesn't reward spending

....doesn't reward failure

....doesn't reward action


AND THAT's what need to be fixed!

But, the first hurdle, is accepting the real problem, and as you can see by the New Profit Sharing Model Proposal thread, we are not there yet. Only after accepting the fact that OWASP has a 'spending the money problem', will a real solution be found (I'm proposing one here, but I'm sure other solutions can be found that are better).

What really matters is if in 6 months time,  a very high % of OWASP available funds has been spent.

And I hope it does, since we need to spend those funds if we are going to achieve some of the ideas I posted on my I wish that OWASP in 2014...  :)

Unfortunately, things/actions/ideas/projects/events "that could happen but didn't" is something that is very hard to quantify and to mesure. And if creative ways are not found to mesure them, then the status-quo is what is rewarded.

For example, why hasn't Seth spoke at an OWASP conference? or Summit?

Clearly Seth will add a lot of value to OWASP, but unless we (OWASP) explicitly go after Seth, he is not going to turn up. But what will happen in Six months time, where Seth still hasn't been at one of OWASP's events! Will that be seen as a failure, as a missed opportunity? or will that not even be on the radar?

At the last two Summits, there was an idea to bring guys like Seth to it, so that he could share his views and ideas, but at the time there was not enough energy and focus at OWASP to make that happen (we were still trying to make the 'Summit work' and spent (for example) a lot of time discussing the need to have a 'fixed schedule',  instead of getting guys like Seth to be part of it). 

Maybe for the next OWASP summit (see Some proposed Visions for next OWASP Summit) that will happen :)