Wednesday 11 April 2012

Why OWASP can't pay OWASP Leaders

Since I was the one that created and executed (initially alone and then with Paulo) the only Seasons of Code that OWASP did (AoC 2006, SoC 2007, SoC 2008) I know first-hand what can be done, what works, what doesn't work and their side effects. In fact it was that experience that made me have such strong views on this topic.

There is a subtle but very key distinction that we need to have in this thread. And that is the issue of 'OWASP paying OWASP leaders'.

Hiring interns or other professionals to work on specific projects/tasks is fine (especially if they are doing what our OWASP leaders and contributors don't want to do). The main problem happens when OWASP leaders can be part of the pool that can be paid by OWASP (again, nothing wrong with them being paid by a 3rd party to work on an OWASP Project, like what already happens today).

So why is it very wrong to pay OWASP leaders to work on OWASP projects?

Let's say that there is 2000 USD available to pay an OWASP leader to work on his project:
  • Changing the social contract - The moment money is introduced, invariably the target individual is going to make a math calculation (what is his current daily rate? how much does he earn at the moment? how much does his current boss bill for his time? etc.). The end result is that we move from a 'contributor' model to a 'service provider' model.
  • A rate for a worldwide audience? - Given the truly global presence of OWASP, $2000 might not be a lot for a successful security professional (or conference speaker), but it is good money in countries like Portugal/Italy, and if you go to India/China it is a lot. So how do we do this? Surely it doesn't make any commercial sense (for OWASP) to pay a guy from London or the US, right? Can't we get a LOT more hours and effort from somebody that lives in a cheaper country! I'm sure there are places in the world where we can rent a team of workers for $2000 for a month!
  • Prevents multi-national teams from occurring - What happens when you want to get a couple of resources involved from different countries? Are you going to pay them the same? And if not, is that really sustainable? There is a huge amount of HR theory that shows that collaborators are much happier (and more productive) when they don't know how much money their colleagues earn (but how can you do that in an environment like OWASP, where all financial deals must be disclosed?).
  • A lot more money will be needed - This is another massive problem. If we REALLY want to get the best talent, and REALLY want to take a professional approach, then we will have to buy the best talent, which is expensive AND will need to be paid a good rate.

    And why should we pay them so much? ... They will deliver, right? Aren't they the best? Why shouldn't we put 40k or 100k of OWASP's money in their hands?

    Well, apart from the fact that those 100k would not 'create that super-duper deliverable' (we are talking about big projects with complex problems that need LOTS of work), the problems I'm raising here would be dramatically multiplied.
  • Nobody is independent at OWASP - Here is the catch: it is impossible to find somebody (or a group) inside OWASP that has any kind of independence to be able to make a real solid decision (everybody has an agenda, a pet project/chapter/conference, a particular vision for what OWASP should be doing, etc.). So who is going to make the call?
  • Little secret - on the last OWASP Seasons of Code, all (decent) proposals got funded - So how did we avoid this problem in the last OWASP Seasons of Code? I.e. how did we actually select the OWASP leaders who deserved the funding? In what turned out to be an amazing feat of maths and mappings, we actually funded every decent proposal that was submitted (remember that OWASP was MUCH smaller than it is now, and there was still space for a number of new OWASP contributors to join the party).
  • 'He/she are the ones being paid, THEY should do that' syndrome - This is another problem that happens when there is somebody that clearly is being paid when others are not. Yes, we will still have this problem when they are paid outside of OWASP, but being on the same 'level' as somebody else who is being paid really creates a bad vibe.
  • Lots of negative energy is created - For me the point of the last Seasons of Code was not to pay people!

    It was to motivate them, to empower them and to give them space inside OWASP.

    This is why it was so important to me that no good proposal was left out, since the objective was to motivate people to do their best (not to get a group of OWASP contributors to start fighting each other).
  • It breaks an OWASP contributor's heart to receive a NO - We also had a couple of cases where great OWASP leaders/contributors turned to the board (where I was at the time) and said: "..Hey I have this idea, can you give me 20k / 40k so that I can spend the time to do it? ... you know I can do it!, I have a good track record!..". And it was pretty obvious that when we didn't support that idea, that OWASP leader was really not happy.
    • How to say NO to a big contributor - If OWASP leaders could be paid by OWASP, it would create situations where it is very hard to say NO to a big OWASP contributor, even if maybe he is not as qualified to do the job as the other candidates (there are always emotions involved).
    • 'I could have done better with that money' syndrome - And then after the work is done and delivered, the one who got paid is now a sitting duck for sniper fire that will pick his/her work apart.
    • What to do when the leaders don't deliver? - We also had this on the last OWASP Season of Code, where a couple of really Large (with capital L) OWASP contributors took a good chunk of cash and didn't really do a good job! So what do you do? Are we really going to buy that fight and shame that person in public for doing a bad job? Also, how do you handle other OWASP leaders/contributors that also worked on that task but didn't get paid?
    • We can't even count the leaders that we have today, so can we review their work? At the moment we can't even keep track of our current projects and still have a lot of project review work to be done. Are we (OWASP) really in any shape to review commercial/paid work?
  • What about the other big contributors - Also take into account that there are a number of OWASP leaders who have spent years of their life working for OWASP projects.
    • For example: My wife would kill me (if other OWASP leaders got paid) - I spent 18 months without any pay to work on the OWASP O2 Platform. I still have debts today from the lack of income I suffered during that period. My wife was really unhappy with that (understatement of the century) and my kids gave me a very hard time. But they supported it, because they accepted my passion and focus on 'doing the right thing'. I'm not asking for any money from OWASP, BUT if others are getting paid, then that would completely change the dynamics of my relationship with OWASP (at least it would for my wife).
    • What about Jeff and Dave? These two even had to use some of their own money to buy some OWASP assets and release them to the OWASP community (surely they should be repaid that?).
    • What about Denis, Andrew, Daniel, Matteo, John .... (the list would go on and on and on...)
  • Slippery slope:
    • What about the conference organizers - shouldn't they also get a slice of the profit they generate?
    • What about the successful chapters? - especially the ones with lots of attendees and generated funds?
    • What about those hard-working board and committee members? - should they also be paid for their countless hours?
    • This will breed corruption and favouritism - which is human nature given the right environment.
  • Killing the golden goose - If you look carefully, we already have an amazing capability to 'convince' highly paid individuals to work for free and dedicate their energy to something they believe in. For example, if you add up all the 'money' (in time) that is 'donated' to OWASP every day or month by its leaders, contributors and participants, you would be amazed (for example, it would probably cost $1,000,000 ($1M) to pay for the talent that we were able to assemble at the last Summit, and even then, I don't think that if we were paying the attendees a fee for their time we would have been able to assemble that crowd).
    • Not Paying OWASP Leaders is a self-defence mechanism - Given the massive web of trust that OWASP has (just add up all its leaders), it is much easier to trust them with OWASP funds when they can't pay themselves or a friend (it also dramatically simplifies the rules of engagement).
  • Let's get 3rd parties to fund those OWASP leaders - Jeff and John proposed a great model with the OWASP Project Partnership Model, which is how we can get OWASP leaders/contributors to be paid for working on OWASP projects. I don't know who said '..the real sign of a product's value is when somebody is willing to pay for it...' but it is very true. In fact, it should be a sign of maturity and market acceptance that somebody (company, government, etc.) is ready to invest in that project.
  • Prevents OWASP from finding better solutions (to Money) - Finally this is (for me) the key reason why paying OWASP leaders is a very BAD idea.

    We (OWASP) need to figure out which social/commercial models work for OWASP (and make us productive).

    Clearly contributing to OWASP makes business sense. If it didn't we wouldn't have the sustainability and energy we have.

    There are countless stories of OWASP leaders getting better jobs, being promoted, increasing their income, learning key skills, etc... There are also a number of companies that regularly support OWASP. They don't do it because they want to be nice, they do it because it makes commercial sense to them.

    So what we REALLY need to do is to rationalize what makes OWASP work, and see if we can improve the current model, so that we can have more and more people being paid to work for OWASP activities.

I could continue, but hopefully some of these points will clarify why OWASP can't pay OWASP leaders.

Wrapping up, this is actually a great opportunity to move OWASP to the next level.