When I first put my name in the hat for the OWASP elections in the fall of 2013, I thought I knew what I was signing up for.\u00a0 I thought that my seven year history with the organization in a number of different roles (Chapter Leader, Chapter Committee Chair, AppSecUSA Chair) had me well prepared for the duties of an OWASP Board member.\u00a0 I told my wife that it wouldn’t be a big deal, mostly something that I could do in my spare time while at work, and that it would feel good to be able to make a difference on a bigger scale than I’d done to date.\u00a0 I ran for the Board on a platform of wanting to support the growth of the OWASP chapters around the world and wanting to drive visibility, and ultimately buy-in, back to the community.\u00a0 I told myself that as passionate as I was with these things as a community member, it was time to either put up or shut up.<\/p>\n
Here I am, six months later, as an elected member of the OWASP Board of Directors and I can honestly say that no prior experience could have prepared me for this.\u00a0 It’s not a good thing or a bad thing, it’s just very different than I expected.\u00a0 As a community member, I remember being at the AppSecUSA conferences and struggling with how to introduce myself to these “famous” OWASP Board Members.\u00a0 I was a just a chapter leader struggling to come up with ideas to engage the Austin security community while these guys were literally trying to change the world.\u00a0 They were the figurative “Rock Stars” of my little security world.\u00a0 Needless to say, I see things a bit differently now, but it’s probably not what you think.<\/p>\n
When I look at my fellow Board members, I do still see those “Rock Stars”.\u00a0 I can’t even begin to tell you how much I look up to guys like Jim Manico for literally spending every day of his life trying to make the world more secure.\u00a0 I constantly have to tell myself that even though I don’t consider myself a security rock star, the community saw something in me and put me on the Board for a reason and I continue to hold myself responsible for executing on the platform that I laid out in my election materials.\u00a0 But what I’ve come to realize now, that I didn’t realize before my election, is that even though it feels the other way around, it’s really the community, not the Board that holds the power in OWASP.<\/p>\n
When I look back at the discussions that we’ve had as a Board over the past six months, other than setting strategic goals, the vast majority of our meetings have focused on operational and governance issues.\u00a0 Through this process, I have come to the realization that while extremely important to keeping OWASP, as a non-profit organization, afloat, this isn’t the kind of exciting world-wide impact stuff I thought I had signed up for.\u00a0 As an example, my first two months as a Board member were spent in large part re-investigating a situation that a previous Board had closed the books on long ago.\u00a0 In the process of trying to help the individual involved, I was twice accused by that individual (and acquitted) of violating OWASP’s Code of Ethics.\u00a0 Talk about gratitude.\u00a0 Since then, it seems like it’s been putting out one small fire after another.\u00a0 More recently, I’ve spent many hours working with the Board and the Executive Director to grapple with an employee who resigned from the organization only to have members of our community question whether we, as an organization, did enough to keep them here, without knowing all of the details.\u00a0 It blows my mind how the Board can have unanimous support for an item, feel confident that it’s in the best interest of the organization, and still be called into question as to whether we are somehow being underhanded in our decisions.\u00a0 It’s like we sometimes forget that the Board is made up of seven people, from all over the world, with vastly different beliefs, desires, and even visions for OWASP.\u00a0 If you can get that many people, that diverse, on the same page, then there’s something to be said for that.<\/p>\n
So, I guess in a nutshell what I’m saying is that while I feel that it’s quite the privilege to be serving on the OWASP Board alongside some of the people I respect most in this industry, there is definitely a part of me that feels like the stuff that OWASP does that has the most profound impact on global security isn’t what we do on the Board, but rather, what the community does in our Chapters and Projects.\u00a0 The Board is there to support you, the community.\u00a0 To create the policies to make you successful.\u00a0 To provide the staff to make your lives easier so that you can spend your time doing things that accomplish OWASP’s mission.\u00a0 In addition, I want to dispel any notion that the Board is some sort of an Ivory Tower.\u00a0 There should never be an “us vs them” mentality at OWASP because the Board is made up of people who have been, and in many cases still are, in the trenches right alongside the community.\u00a0 The Board, to put it simply, is just a group of Chapter Leaders, Project Leaders, and other members of our community who, like me, decided that it was time to put up or shut up.\u00a0 People who, for whatever reason, the community elected as our leaders to evangelize the OWASP mission and make the community that we hold near and dear to our hearts successful.\u00a0 To think that anyone would volunteer to be a Board member only to destroy our community is absurd.\u00a0 While I may not necessarily agree with everything my fellow Board members say or do, I have never questioned their loyalty to OWASP and I hope you don’t either.<\/p>\n
With all of the above having been said, I feel that it’s also important to say that being an OWASP Board member is also an amazing opportunity to be a catalyst for change.\u00a0 Over the past six months the Board has stepped up to the task of driving visibility and control back to our community.\u00a0 We’ve instituted a new polling system<\/a> that the Board have used to take the pulse of the community on key issues.\u00a0 Michael has taken on the responsibility of weekly calls with the community<\/a> in order to keep them informed of key issues and allow them to provide feedback.\u00a0 And we are currently working on bringing back the committees<\/a> under a new structure that will encourage participation and empower our leaders to take action.\u00a0 OWASP even won the SC Magazine Editor’s Choice Award<\/a> at this year’s RSA Conference.\u00a0 Regardless of how you’ve felt about OWASP in the past, I feel quite strongly that the future for OWASP is so bright we’re going to need a good pair of shades.<\/p>\n