Chapter Handbook/Chapter 7: Organizing Chapter Meetings
There are a variety of meeting formulas that have been used by existing local chapters; the most traditional of which is an evening speaker meeting. For this type of meeting, the chapter leader will organize one or more speakers to present on one or more topics in a lecture or question & answer format. Needless to say, chapters have adapted this formula in many ways to suit their members or geographic area. Meetings have been organized over breakfast, lunch, or dinner as well as at a bar having a conversation over drinks. Some chapters serve food during the meeting or after the meeting on site, others will invite meeting attendees to a bar nearby for food and drinks after the meeting. Meetings have been organized as social or networking events, roundtables, panel discussions, or even as a remote presentation.
Chapter leaders are encouraged to try a variety of formats to determine what will be the most successful for their audience and area. Also, it may work best to have a variety of formats throughout the year depending on the speaker and meeting space availability.
Virtual meetings may not be ideal to encourage networking and community building within your local chapter, but they are certainly a good alternative when the chapter is not able to find a venue or having trouble bringing in a speaker. OWASP has a GotoMeeting account already available for chapter leaders (paid by the Foundation and provided for free for the chapters). If you would like to set up a meeting or the GotoMeeting login credentials, contact us.
Before - Planning the Meeting
In order of importance,* these are the key pieces to holding a chapter meeting:
- Great speakers / topics
- While the order of importance has been debated by chapter leaders, the general consensus appears above. Additional pieces (discussed more below) that some chapter leaders have said are “key” in their regions: sponsors and attendees. The list above is meant to be a starting place and a list of essential items for planning your meeting; it is assumed that once you have these items in place people will attend the meeting and sponsorship will follow thereafter.
Getting a Speaker
OWASP chapters are encouraged to get local speakers. Your chapter may also use international speakers, but you will quickly need funds to cover travel costs if the speakers cannot pay for the travel themselves.
One technique for bringing in international speakers is to coordinate your meeting with another event that the speaker may be attending or speaking at nearby. The intended speaker may be willing to arrive early or extend their trip by a day or two to speak at your local meeting.
Also, the OWASP Speakers Project is available to help local chapters or application security conferences to find OWASP related speakers. https://www.owasp.org/index.php/Category:OWASP_Speakers_Project
If you have found an international speaker who is not able to pay for the travel themselves, and your chapter does not have the funds to cover the travel costs, you may be able to apply for “OWASP on the Move” funds (outlined below).
OWASP on the Move
In order to better support local chapter meetings and (web application) security events, the Global Chapters Committee started a travel-support program for OWASP presenters.
The OWASP on the Move program allows local chapters to have OWASP presenters on site; it is not for speakers to attend OWASP conferences. This program allows 3 parties to find each other:
- Local chapters events that want to attract an OWASP speaker
- OWASP speakers to entertain OWASP presentations and that want to see the world
- OWASP sponsors that want to support spreading the OWASP message
To find available speakers in your area, see the OWASP Speakers Project
The way it works is really easy.
- Upfront the chapter leader submits an OotM request (event details, who to cover, etc...) via http://sl.owasp.org/contactus
- The request will be reviewed by the Global Chapter Committee. If the request is within the rules (see below), it will be rapidly approved.
- The speaker, who made the travel/lodging expenses, submits a reimbursement request with receipts after the presentation is performed.
- The reimbursement is approved and processed.
OWASP on the Move Rules:
The following rules apply for the OotM project:
- Primary funding would be deducted from the local chapter budget.
- A chapter without sufficient funds for a speaker may request the Global Chapter Committee vote to approve the use of OWASP funds.
- The normal maximum amount per speaker is $500 USD
- Only in special circumstances the maximum amount per speaker can be raised to a maximum of $1000 USD
- There is a proposed limit of $2,000 USD on the amount of money provided to any individual per year (*see 'further funding' below)
- There is a proposed limit of $2,000 USD on the amount of money provided to any chapter per year(*see 'further funding' below)
A chapter can use the sponsorship 4 times a year, with a maximum of 2 speakers sponsored by OotM for one single event.
- Further funding: for active chapters or speakers who have reach the proposed financial limits, further funding is possible but will depend on available budget, since priority would be given to chapters below these thresholds
OWASP on the Move funds are not to be used by speakers to attend OWASP conferences. If assistance is needed to attend a conference, contact the conference chair.
The payments are tracked online OWASP_on_the_Move_-_Payments
Many chapters do not have every speaker sign the OWASP [Speaker Agreement] as part of their agreement or confirmation for the event. However, if you think OWASP values and principles may be an issue or are concerned that the speaker does not understand the terms of the arrangement, you may consider sending them this speaker agreement: https://www.owasp.org/index.php/Speaker_Agreement
There are an infinite number of possibilities for a meeting location - local college, business, library, or even a restaurant or pub. Plan as far in advance as possible - good meeting spaces are often available at little or no cost (local colleges and universities are often willing to give meeting space for free), but they fill up quickly.
Also, it is important to consider accessibility when looking at locations: Where will the attendees park? What is the average travel time for attendees? Is there a security checkpoint? What happens if attendees have not pre-registered, can they still attend? Can you serve food at this location?
While having a permanent or stable meeting location for your chapter meetings may be convenient for planning, it is also important to consider any conflict of interest (or appearance of conflict of interest) your meeting venue may convey. For example: vendor neutrality is one of the core values of OWASP, but this doesn’t necessarily mean that a vendor cannot host a local chapter meeting. As long as the meeting is free and open and doesn’t violate other OWASP principals, a vendor’s office space may be a great location to hold a meeting. That being said, holding every meeting at this vendor’s office to the exclusion of other available and willing venues, may give an appearance of impropriety.
Setting a Date and Time
Most OWASP meetings are currently held during the week (Monday through Friday). Additionally, while meetings have traditionally been held in the evening, an increasing number of local chapters have found success in hosting breakfast (early morning) or lunch events.
When setting your meeting date and time, be sure to consider:
- Will your anticipated venue will be available?
- Will you be able to find a speaker for this date and time (many chapters will book the speaker first and then choose a date and time that works for him or her)?
- Have you allowed sufficient travel time for attendees that are coming from work?
- Are there any local or regional events or holidays that will conflict?
Posting Meeting Info on the Wiki
General information about what should be on a chapter’s wiki page can be found under “administration” below. As soon as you know the time, date, and location of your meeting, be sure to post it to your chapter’s wiki page. Additionally, most chapters post information about the upcoming meeting such as: meeting agenda, speaker background, summary of the topic(s) to be covered by the speaker/meeting.
This is one possible "template" to use on your chapter wiki page for listing meeting details:
- Fill in date and timeframe
- Fill in meeting place
- 18h00 - 18h30: Networking / Food, Drinks
- 18h30 - 19h00: Fill in
- 19h00 - 19h30: Fill in
You can copy and paste the wiki code for this “template” here: https://www.owasp.org/index.php/Sample_Chapter_Page
Many chapters provide food or refreshments before, during, or after their meeting. This is not a necessity for a chapter meeting, but something extra you might consider if you have the funds in your chapter account or are able to get a sponsor to cover costs (or provide food directly). It is also possible for meeting attendees to split the cost if they want food at the meeting; however, no one can be excluded from a meeting based on their ability or willingness to pay for food. Meetings must remain free and open.
If you need to decide on the amount of food ahead of time, line up the refreshment logistics based on RSVP'd attendees.
Sponsors & Affiliates
In order to organize events, an OWASP chapter often needs to find sponsors. These sponsors may provide meeting facilities, refreshments, etc. While sponsorship is good, it is important to avoid the commercialization pitfalls that may accompany it. The following is specifically prohibited:
- Providing sponsors with a list of people registering for or attending any event. This might even be illegal in certain countries due to privacy laws. The sponsor can collect leads in itself, for example by offering a prize for people providing contact details.
- Providing the sponsor with a commercial or product centric presentation slot.
So what can sponsors get?*
- Many thanks, and hopefully a very good feeling of helping the community.
- A table top style mini booth where they can put up a "roll up" poster or two and hand out your brochures and freebies. This might not be possible in certain meeting facilities.
- Logo on the local chapter or event page.
- All of the OWASP sponsorship options are detailed on the OWASP Membership page:
At the local level there are options for both Local Chapter Supporters (90/10 split with the Foundation, 90% directly supporting the local chapter) as well as Single Meeting Supporters.
Here are some tips that chapter leaders can use to promote their meeting (and increase meeting attendance):
- At a minimum, the date, time, location, speaker, and topic should be listed on your chapter’s wiki page and an email announcement sent out to your chapter’s mailing list.
- When sending out direct meeting invitations, use google calendar invites through your @owasp.org email account. General email assumes that people will read it in a timely manner and will remember to place it onto their calendar. By using the google calendar invitations, this task is done for them.
- Make sure that your upcoming meeting is broadcast through a variety of channels. In addition to posting the meeting to your chapter’s wiki page and mailing list, consider blogging or tweeting about it, as well as posting it on social networking sites such as LinkedIn, Facebook, Meetup, and myowasp.
- Post your event to sites such as Yahoo Events and partner with other user groups to cross-market (i.e. ISSA, .Net SIG, Java SIG, SIM, DAMA).
- Acknowledge the fact that even if people cannot physically attend, they may be able to participate remotely. The OWASP Foundation has an account with http://www.gotomeeting.com that is free for chapters to use. Account requests or details can be requested can be requested through: http://sl.owasp.org/contactus.
- Many people are tired and hungry, especially after a long day at work. While you cannot cure tiredness, you can at least try to feed your attendees. Pizza is cheap and it is relatively easy to find a sponsor.
- Make sure the topics you choose are broadly applicable and not just targeted at one group (i.e. penetration testers, software developers). Part of making web application security visible requires you to choose (or solicit) speakers that appeal to IT executives, enterprise architects, business analysis, legal and compliance, etc. If a particular group does happen to be the “target audience” at a meeting, try to change things up for your next meeting.
Most new chapter leaders are given edit privileges for the OWASP calendar at the time their chapter is created, but if you taking over leadership or have been the leader of a chapter for a while, you may not have permission. Calendar edit privileges can be requested through http://sl.owasp.org/contactus.
How do I add my chapter’s local events to the OWASP calendar on the wiki home page?
- Log into your owasp email account (via google apps/gmail)
- Open another tab and go to the OWASP wiki home page. [www.owasp.org]
- Click the button on the bottom of the event calendar box that says "+ google calendar". This will integrate the OWASP event calendar with your owasp gmail account.
- Add the local event to your OWASP account google calendar (as you would if adding it for your personal calendar or setting up a meeting invite)
- In the "calendar" drop down menu there are likely 2 (or more options) - select "OWASP Event Calendar" and save. This should populate the event calendar on the OWASP home page. Note that your personal event calendar is likely in your home time zone, but the OWASP event calendar is in GMT. Google should do the proper time conversion for you.
Posting your meeting on the chapter’s wiki page and emailing an announcement to the chapter’s mailing list are the prime methods of letting people know about OWASP meetings. Some other useful methods are:
- Ask your speakers to send invites to their circle
- Ask people on the list to forward to people in their organization.
- Use your own personal contacts. Since OWASP is not a commercial organization, this would be usually acceptable by your business contacts. Again, this might actually help you keep in touch with them.
Meeting invitations/announcements should contain a request to forward it to other interested parties.
You might also want to use event invites instead of e-mail messages. These services provide different advantages such as integration with the attendee calendar and RSVP management, but on the other hand might seem more commercial and obtrusive.
You can send event invites using the following tools:
- RegOnline - people can register for your meeting (and you can send invites and follow up emails) using OWASP’s RegOnline account. If you do not have access and would like to use this for your next chapter meeting, please request an account through http://sl.owasp.org/contactus
- Direct calendar invites: one can do that using a dedicated Google calendar account.
- The tool most used by OWASP chapters is: Eventbrite, which is free for non-profits.
- Others use: Meetup, which while not free is priced very low.
- Yet others use a meeting Doodle.
- You can always just use Excel to track the individuals that reply to your email invitations.
To extract the list of mailing list members you can use the mailman roster page available at: https://lists.owasp.org/mailman/roster/owasp-<your-list>.
Note! Whatever tool you use, personally responding to each person who has RSVPed greatly increase the rate of people who actually attend. Just write back "Great! see you in the meeting" or whatever fits your local culture and is short.
The OWASP Foundation can provide you with OWASP books, shirts, pens, lanyards, flyers, or other materials that you might need to jump-start your next meeting. The cost of these items will be billed to your local chapter. If you would like OWASP Merchandise for your meeting or local event, but do not have the funds to cover it, you request that the costs be covered by the Global Chapters Committee. Requests can be submitted through the OWASP Merchandise Request Form.
You may want to send your speakers a PowerPoint template to use for their presentations. Here are some options:
- OWASP Impress Template (Open/Libre Office)
In order to ensure that presentations remain vendor neutral and don’t turn into platforms for a sales pitch, it is recommended that you screen the presentations before the meeting.
This may also be a good time to remind your speaker about the terms of the Speaker Agreement (or make sure they understand what is expected of them).
The OWASP Foundation has an account with http://www.gotomeeting.com that is free for chapters to use. Account requests can be requested through the http://sl.owasp.org/contactus and details on using GoToMeeting can be found here: https://www.owasp.org/index.php/Chapter_Leader_Handbook/GoToMeeting. As soon as you have scheduled the meeting date and time, the remote participation can also be scheduled so you can include details on your chapter’s wiki page or in your emails.
Although it is not necessary, giving speakers a small token of appreciation such as an OWASP t-shirt, mug, or pen set is encouraged.
The following is a recommended communication schedule for notifying members about an upcoming meeting:
- Three weeks before the meeting - send meeting invitations and make sure meeting information has been posted to your chapter’s wiki page.
- One week before the meeting - send reminders about the meeting to your mailing list and through other social media (LinkedIn, Facebook, Twitter, etc.)
- Upon registration and again one day before the meeting - send confirmation to people that have signed up to attend the meeting.
During the Meeting
Arrive early! Ensure that everything for the meeting space is set up before the first attendees will be arriving. Here are a few things you may need to set up or prepare:
- Registration & badges (if any)
- OWASP merchandise and signs including banner
- Remote participation
- Sponsor booths/tables
- Catering - Will food or beverages be served before, during, or after your event? Where will the food be located? Who is providing the food? Will someone need to meet the delivery person at the front door of the building?
- Equipment - projector, sound system, and any special items that may have been requested by the speaker(s)
If you have the equipment, you may want to consider recording a video of your meeting and posting for members who were not able to attend the meeting. This is also a nice resource for chapter leaders or event organizers to use in the future to screen a speaker or learn about his/her style.
The OWASP Speaker Agreement includes authorization for the speaker’s presentation to be recorded and posted. If you plan to record the meeting, you should make sure the speaker is aware and has agreed to the reproduction of his/her presentation.
Spread tasks across many individuals in order to ensure that your meeting runs smoothly and all of the tasks before, during, and after the meeting are handled in a timely fashion. There are usually people that attend the meetings who are willing to want to help the chapter be successful, but are not able to commit to a chapter leadership role - that doesn’t mean they aren’t willing to help out on a meeting-by-meeting basis.
- Job announcements:
Some chapters encourage recruiters or other individuals who are hiring in their area to come for their meeting and make the job announcement in person. At the beginning of the meeting they ask anyone who is hiring to stand up and introduce themselves and who they are looking for. Then at a break or after the meeting, attendees can get in touch with them. This encourages recruiters/employers to invest a small amount of time in your chapter (attending the meeting) and also gives both the person hiring and the people looking for jobs the benefit of face-to-face contact.
- Present an OWASP Update:
Always cover the OWASP mission and goals at each meeting to reinforce it to the attendees of why and what the purpose of the chapter is. Explain the web application security problem in a general way to attract a large crowd and to educate the new members and guests.
Additionally, if you or any of your chapter members have recently attended an OWASP conference or other event, this is a good time for a short (5-10 minutes) presentation about the event.
- One or more speakers - if you have a general time frame for the speaker(s), make sure to let them know. Also, if you will be having more than one speaker, consider whether you will have a short break between them for attendees to stretch their legs and get refreshments, or whether you will want the change-over time to be quick (and attendees remain in their seats).
Collecting CPE Forms
Send out CPE credits to attendees that requested them or explain to them that ISC2 (as a example) is a self certify -- if organizations such as those want to designate someone to collect and validate they are welcome to do so, but that is not a responsibility of OWASP Chapter Leaders.
Collect feedback on the speaker from attendees:
- There are a number of sites available that have feedback templates or allow you to build your own survey: formsite.com, surveymonkey.com, zoomerang.com, Google form, etc.
- A speaker feedback form developed by the NYC/NJ Metro Chapter is also available for you to use. The NYC/NJ Metro Chapter distributes copies to meeting attendees and asks them to complete them and hand them back in at the end of the meeting. Then the chapter leader (or another person willing to keep track of feedback) quickly adds the totals up to get an idea of which speakers they would like to ask back again to present.
- This is also a good time to capture potential topics or speakers for upcoming chapter meetings. What would meeting attendees like to learn about? Is anyone at the meeting willing to give a presentation in the future?
There are a variety of ways to incorporate networking or social interactions into your meeting format. While some chapters designate specific meetings for networking and socializing (no speaker, just meet at a local restaurant or pub), it is more common to allow time for socializing after the meeting. Some meeting venues will be able to host this, but more than likely you will want to relocate to a restaurant or bar nearby. Consider asking the speaker(s) to join you so that guests can have an opportunity for follow up conversations. This time also fosters building a local OWASP community where the guests get to know each other and what is going on in the local appsec community.
After the Meeting
Review event, lessons learned, what can be improved with the other chapter leaders or board members. Go over any feedback collected at the meeting.
Meeting Minutes (and Photos)
Post meeting minutes to document what was covered at the meeting, including any announcements or decisions that were made. Pictures from the meeting are also encouraged.
Posting Presentations and Recordings
In addition to any meeting minutes and photos, try to collect the presentation from the speaker to post on the chapter’s wiki page.
If you took a video recording of the meeting, you should post that as well. Vimeo is commonly used to host the uploaded video, which can then be linked to your chapter page.
Once you post meeting materials such as minutes, pictures, presentation, or video to your chapter wiki page, send a follow up email to meeting guests thanking them for attending, letting them know about the next meeting (if you have the information), and directing them to the material on your wiki page.
If you collected any new email addresses, this will also be a confirmation that you have added their name to the mailing list.
Certificate of Attendance
It is not standard practice for OWASP to issue Certificates of Attendance for Chapter Meetings. Your chapter nominating someone hold onto a meeting sign-in sheet after each meeting. Meeting attendees are still responsible for submitting their own CPEs, but then the Chapter Leader (or whoever is keeping track of the sign-in sheets) can go back and audit against the chapter’s sign-in sheet if (ISC)2 or another organization audits them.