Friday 11 April 2014

On the unrealistic expectations on OWASP board members, and the 'myth of the OWASP Board member'

Following Michael's original OWASP.next post to the leaders list (regarding his OWASP.next post on the OWASP blog), Dennis replied with a number of examples of rotten leadership, which I don't really agree with, and I posted the text below as my reply.

For a while I have been saying that putting such 'expectations and requirements' on board members was going to cause a lot of friction, and this is just another example of it.

I don't actually agree with Dennis's analysis. But the reason I don't agree is not due to the fact that he is correct (or not) in his analysis. My view is that it is completely unrealistic to put such a high level of expectation on OWASP board members, especially in terms of their behaviour, morals, actions and words. My biggest problem with current/past board members is the lack of action, decisions and delegation of duties :)

But the biggest problem with the line of thinking that 'OWASP Board members must behave differently' is that it also:
  • perpetuates the 'myth of the OWASP Board member': which is the idea that things can only happen at OWASP if one is on the Board. Not only is this simply not true, this myth creates a negative energy cycle between 'the ones NOT on the board' (who don't feel empowered) and 'the ones on the board' (who realise that being a board member doesn't actually help to get things done).
  • provides a 'focus of blame', since there is this expectation that 'somebody else should be doing it'. The reality is that OWASP leaders must realise that they are the ones that need to 'get on with it' and not expect the mythical OWASP board members to 'come and save the day'.
  • provides a way to 'shoot down the Board Members', since they are in an impossible position (damned if they do and damned if they don't).
The only OWASP leaders (board members or not) that actually make a difference at OWASP are the ones that put the hours/days/weeks of effort, energy and commitment into a particular idea, vision, project or initiative (as an example, if you look at the current/past board members, the areas where they have added a lot of value to OWASP have not been cases where they actually 'needed to be on the board' to achieve those results).

I have written on my blog about what I believe to be a better model for OWASP, which you can read at 'An Idea of a new model for OWASP' (for the TL;DR crowd: 'Give the power of operational and financial decisions to the OWASP OpsTeam and let the OWASP board be one focused just on values and community').

Also written in Nov 2012 was the 'I wish that OWASP in 2014 ....' post, which I hope will make you share with me the feeling that THAT is what OWASP should feel like :)

On the topic of thinking and blogging about what OWASP could be, I have been trying LeanPub as a publishing medium and have published a 'beta book' called Thoughts on OWASP (which you can read more about at: Published Beta version of "Thoughts on OWASP" eBook).

I also put the contents of that book (which is at the moment a collection of my blog posts on OWASP and other philosophical ideas) on this GitHub repo: https://github.com/DinisCruz/Book_Thoughts_OWASP

Here are the links to the main Sections (now in Markdown since they are in the GitHub repo):