Lessons from being on the OWASP Board

Sherif Mansour
Published in OWASP London
Nov 10, 2019

This was originally a thread on the OWASP Board Mailing list I sent out earlier this year. I thought I’d share it for others wishing to join a board of an open community such as OWASP.

*Note: I am publishing this because I intend to write a follow-up on improving communication between the community, staff and the board.

Date: Feb 4, 2019, 2:35 AM
Hey everyone,

I’ve been thinking for a while of writing down some thoughts on some lessons from last year.

First I’ll say that I am very excited about 2019 on the board and what we can accomplish for the community. We have already had an offsite, and now the ED & staff are working on a proposed plan based on the priorities we have set and we’ll build a budget based on said plan.

Here are some lessons I have learned from passing some motions — including having more than two global OWASP events & having Tel Aviv in 2019:

  1. Discuss the issue with the community: Be transparent, rip the band-aid, and show courage. Articulate the problem and ask for solutions (It is what it is).
  2. Discuss the issue with the staff: The staff are the ones who implement a lot (almost all) of this work, so without their buy-in or proposed options, a motion may not get done even if the vote passes. It would be even better if the motion makes their life easier too.
  3. Work with the board out in the open on a proposed solution: you’d be surprised who turns up to lend a hand, and the ideas you get. Just don’t be too precious about your ideas; pick what is best for the community.
  4. Give the board time to review — I usually present the board with a draft solution to discuss, but only vote on it in the following month to give people time to digest and ask questions.
  5. Respect and take your peers’ feedback to heart: No one has the exact same perspective as you. Be considerate, understand what people’s red lines are, and craft a proposal that keeps that in mind.

So, with buy-in and feedback from both the community and staff, BoD members would have some confidence in the motion. By being transparent and giving board members time to think about it, it could cause only limited issues during the vote. Finally, if you factor the board members’ concerns into the motion (or as best as you can), then you should be fine.

Keep in mind that anything we do — we have to do it as 7 people and not one.

This is sometimes the challenge I have seen in the past as a source of frustration.

All 7 of us have different perspectives on what will help the foundation the most — and each has different interests. So not all of us will have the same level of enthusiasm for the same thing (naturally), but it’s important to push each other forward, be constructive and think of the foundation’s best interest.

I should know, I put forward one or two motions last year.

Many times in the past a board member would place a major change (that they feel strongly about) a few days before a vote, and because the rest of the board hadn’t had a chance to review it, it felt a bit like “hey! let’s do this today”. The discussion would take too long, confusion would rise and the motion wouldn’t get voted on. Beyond that, it would cause frustration for the board member who worked on it. That does not even include vocal community members, or whether the staff have the bandwidth to implement a motion (or know how to do it) even if it gets voted on.

As I look back at this article I am guessing some of you might be exhausted just thinking about it. I’ll be honest, my heart sank when Tanya decided not to run, because I thought she would be (and still can be) amazing as a board member. However, the rewards are worth it.

Sherif Mansour

Father | Ex-OWASP Chairman | Ex-OpenSSF Governing Board member | Cybersecurity Executive