DRAFT d5 for DISCUSSION AND COMMENT
- 1 Overview
- 2 Goals
- 3 Operating Plan Themes
- 4 Simplify
- 5 Unify
- 6 Grow
- 7 SWOT
- 8 Budget
Vision: Global and open resource for software security
- Create and share best practices and tools for InfoSec community
- Increase connectedness and engagement within the community.
- Position the Foundation for growth.
- Professionalize administrative and operational tasks and practices.
- Redesign financial model and membership benefits.
- Optimize business operations to overachieve financial and membership targets.
- Manage three profitable global conferences in 2019 while planning four for 2020.
- Successfully relaunch the website and community toolset by June 1.
- Increase the relevance and reputation of OWASP, measured by a 5% increase in web traffic.
- Improve satisfaction with OWASP, measured by a 5% increase in survey scores.
- Increase membership by 20% and Corporate Sponsorship revenue by 25%.
Operating Plan Themes
- Simplify: Reduce the complexity of advancing the mission of the Foundation
- Unify: Create and nurture a “One OWASP” culture within the community
- Grow: Increase the reputation of the Foundation in order to grow involvement and influence
Single Source of Truth
The CRM will be the single source of truth for membership data, chapter metrics, and the roster of chapter and project leaders. Review existing systems for managing community data and work to resolve gaps in functionality and data integrity. Retire legacy features and options in tools where appropriate to increase usability. Encourage leadership to use Foundation-sourced tools, in particular for event and chapter meeting registrations, to increase transparency and achieve organizational efficiencies. Automate where direct time savings can be projected, and live with manual processes when the ROI is unclear or insignificant. It is not expected that OWASP will migrate to a new CRM system.
Retool Business Operations
Continuously audit business practices for inefficiency, fairness, integrity, transparency, and alignment with the Foundation mission. Document all points where data and money enter or leave the Foundation. Seek to consolidate where possible and identify new tools where appropriate. Use ticketing systems to ensure inbound requests meet predefined service level agreements (SLAs) while providing meaningful and accurate status information to requesters and assigned parties. Review and suggest changes to improve every aspect of the Foundation's work product across members, sponsors, chapters, projects, invoicing, accounts payable/receivable, and events. Develop and implement a technology roadmap for Foundation engagement, communication, security, and institutional resiliency. Ensure documented practices are followed for onboarding and offboarding stakeholders of the Foundation, and audit those practices annually. Document the human resource function with an updated Employee Manual and staff management processes. Publish an expense reimbursement and travel policy for the Foundation.
Project Planning and Budgeting
Each year the Executive Director, together with staff and in consultation with the Board, will develop an Operating Plan and Annual Budget for the Foundation. The Operating Plan will be presented to the Board for approval no later than 30 September, and the budget no later than 30 November, of the prior calendar year. The Operating Plan will at a minimum include measurable goals and the major initiatives of the Foundation. A quarterly check-in on the plan, its goals, and its KPIs will be provided to the community. In addition, any staff-led initiative that costs more than $10,000 or requires more than 40 hours of staff time will have a publicly documented plan. The Foundation will create and share project and budget templates for event organizing committees.
The Foundation will end the practice of allowing members to attribute and/or split their annual membership dues to chapters and projects. All donations and membership dues/fees to the Foundation shall be considered unrestricted gifts for the benefit of the Foundation. Attributing a gift directly to a project or chapter will be discouraged and only permitted on individual gifts and fees greater than $1,000.
The Foundation should revisit and modernize its vision for how we build community around our cause. We need to define funnels that capitalize on inbound interest in our content and engage new visitors in OWASP. Our approach should avoid tools designed for closed and less visible interactions and, where possible, leverage existing vibrant communities. We will explore designing pathways to engagement for every visitor journey in our work: from website visits, to content, to chapter meetings and event attendance. Lastly, if third-party tools are selected, the Foundation will explore authentication solutions so that members do not need a separate account for each tool.
To protect the financial assets of the Foundation, a set of documented treasury controls will be developed to cover our existing processes. These controls should balance freedom against bureaucracy, simplifying business operations while always ensuring good audit control. Any initiative of the Foundation that is expected to incur more than $50,000 of spending will have a budget approved by the Executive Director. Policies will assume best intentions for lower-cost items while ensuring scrutiny of higher-priced items. Semi-annually the Foundation will audit signatory and password access to critical systems, including but not limited to banking, credentialing, and publicly accessible assets. Critical passwords will be changed on a semi-annual basis, and whenever a person holding them is offboarded.
A set of Key Performance Indicators (KPIs) measuring the Foundation's performance against its goals will be published monthly in a publicly accessible format. At a minimum these metrics will include financials, SLA performance on workflows, and membership, event, project, and chapter metrics.
Global AppSec Events
Each year the Foundation will develop and host Global AppSec events. This year the Foundation will host three: one in May in Tel Aviv, and two in September, in Washington, D.C. and Amsterdam. Before June 1, the Foundation will have locations, dates, and event organizing committees for four 2020 events, one each in the U.S., Europe, Asia, and Africa. Each event will continue to use the previous format of keynotes, session tracks, and in-person training. Event budgets shall project at least a 30% profit margin for the Foundation and will include deep registration discounts for chapter and project leaders.
Regional AppSec Days Events
In 2020 the Foundation, along with local organizing committees, will develop and host ten AppSec Days events. Spread throughout the year, these events will be one- or two-day regional conferences of 250 to 1,000 attendees. Each event will include a keynote, session tracks, and in-person training. Event budgets shall project at least a 40% profit margin for the Foundation and will include deep registration discounts for chapter and project leaders. Existing regional events like AppSec Cali, LASCON, SnowFROC, Seasides, and AppSec Day Australia will be rebranded and are included in this event category.
Event Organizing Committee Benefits
The backbone of our event strategy is the volunteers of each Event Organizing Committee. Going forward, an agreement will be signed by the leaders of each Event Organizing Committee outlining the roles, responsibilities, and benefits of hosting an OWASP event. Organizing Committees sunset following an event and must be re-formed each year. Beginning June 1, the "event profit-sharing split" policy will be replaced with a set of Event Organizing Committee Benefits. The volunteers who organize, run, and staff our events should get direct benefit from their work. A new system will be designed that provides these benefits in proportion to the paid attendance of an event. Event committees can determine their own governance for allocating the benefits shared amongst the committee.
OWASP is a member-led organization, and our work products of projects, events, and local connections are only possible with the enthusiastic engagement of our members. A revised set of membership benefits, designed to strengthen the value of our low-cost membership dues, will be implemented prior to June 1. Regional differences will be applied to any changes to our membership pricing. Paying members of the Foundation will at a minimum enjoy an owasp.org email address, event and training discounts, and early access to OWASP materials. The Foundation will review and deploy updated processes for onboarding and offboarding members, while also defining user journey funnels to recruit members. The Foundation will review, and if necessary revise, its Lifetime and Honorary Membership policies and practices. Finally, we will explore a badge/point reward system for volunteers and leaders of the Foundation's work.
Following a refresh of the Chapter and Chapter Leader Guidelines, the Foundation will require Leaders to accept an online agreement annually. The Foundation will provide online services like Meetup for Chapters to schedule and manage their Chapter meetings. Semi-annually, staff will audit chapter activity to ensure chapter leaders are being good ambassadors of the Foundation in their local community. Per the December 2018 Board Resolution, the Foundation will rework chapter funding toward a Central Fund model for all chapters instead of maintaining local chapter balances. Local chapters will be encouraged to directly solicit sponsors to support their chapter meetings.
Following a refresh of the Project Leader Guidelines, the Foundation will require Leaders to accept an online agreement annually. The Foundation will provide online services like GitHub hosting for project repositories. Semi-annually, staff will audit project activity to ensure project leaders are moving their work along as expected. Projects can be promoted or demoted based on their work product and activity. As above, the Foundation will rework project funding, migrating project balances toward a Central Fund model.
Staff and leadership shall always be responsive to and respectful of our member and non-member communities. Our interactions should always encourage deeper commitment to and engagement in our mission. Annually the Foundation will conduct, and then publish the results of, a Membership Survey focused on members' perspectives and their use of Foundation tools and projects. The Foundation will explore ways to more closely engage the Board and staff with the Top 20 chapters and projects. When possible, the Foundation will host member-only lounges and feedback sessions at Global AppSec and AppSec Days events.
Support formation and information flow process with Board
Today our institutional name and the names of the events we host are not protected by registered trademark. The Foundation will endeavor to register the following marks in the United States, the European Union, and the United Kingdom: OWASP, Open Web Application Security Project, Global AppSec, and AppSec Days. Additionally, the Foundation will register our figure mark (logo) in these same three jurisdictions. Once completed, the Foundation will develop and share a Trademark Guidelines document for events, chapters, and projects, and implement these changes on our websites and in our event names. At this time, the Foundation does not expect to fund any enforcement activities.
Consistency in branding instills confidence and trust between the market and a brand. Having a brand that reflects the work product, values, and mission of an organization is a valuable asset for growth. To that end, the Foundation will develop a new figure mark (logo) to replace the current "wasp in circle" mark. A set of 2-3 finalists will be developed, and we will solicit feedback from the OWASP community. Once a mark is selected, a branding system will be defined for a variety of uses, including events and chapters. Following launch, the Foundation will abandon the previous marks. Unique Chapter Marks will not be protected, and the Foundation shall discourage their use by chapters.
Before June 7, the Foundation will launch a new website designed to engage visitors and professionally convey the value of our collective work. Rather than simply reskinning our current wiki or placing a simplified landing page in front of our site, we plan to migrate to an entirely new platform. Website 2.0 must better connect with our developer audience and be useful when visited on a variety of devices. It must be possible for elements of our site to be managed by our communities or through automation, and any platform change must retain these attributes while ensuring continuity of analytics, permissions design, and redirection of inbound links. A proof of concept will be complete by April 1. Once Website 2.0 is launched, the wiki will be maintained through 2020 for historical purposes.
The Development team will research and define new and larger corporate sponsorship packages to fund the operations of the Foundation. A list of 50 target companies will be defined and our goal will be to close no less than ten of these accounts to multi-year agreements. The Foundation will also explore retooling event sponsorships looking to define multi-event or annual agreements to grow the size of our exhibitions and reward our larger corporate sponsors.
Working together with partners in the technology and infosec community will help raise the visibility and reputation of the Foundation. A formal plan and budget will be developed to support these efforts. This plan shall include provisions for tiering events (for example Black Hat, regional Black Hat, and regional BSides) and will include guidance for engagement. Generally, the Foundation will not directly promote third-party events or activities to our membership. Additionally, the Foundation will explore co-marketing opportunities with organizations like GitHub, Mozilla, Google, Microsoft, Apple, and other global InfoSec companies, seeking no fewer than two engagements in 2019.
It is important to the livelihood of the organization that Projects get the resources and attention they need to be successful. No less than once per quarter, the Foundation shall proactively solicit feedback and requests for resources from each Project. That information shall be provided to the Board for action where appropriate. The Foundation will seek new ways to highlight Project work in our marketing, on social media, and by featuring selected projects prominently on our website.
Marketing Plan for 2H19
Prior to May 1, the Foundation will develop a Marketing Plan for the second half of 2019. This plan should be designed to leverage the launch of the Foundation’s new web presence, branding, and co-marketing agreements. The plan will minimally include a content plan, press and analyst relations, social media, and event promotion activities.
Explore Online Training and Certificate Program
A potential new revenue source for the Foundation could be online training. In the 2nd half of 2019, the Foundation will explore the development, launch, and promotion of a new Online Training and Certificate Program. The plan should include a discussion on costs, potential product offerings, partner recommendations, pricing, and member discounts for this service.
In all of the Foundation's work, we shall strive to be inclusive of underserved communities such as students, women in technology, and those living in developing economies. Our membership and event registration pricing should always include accommodations for these communities. Additionally, a plan shall be developed to increase participation by 25% in each of these communities in the work of the Foundation.
Strengths
- Remarkable search-driven traffic (50K/month)
- Positive reputation in InfoSec
- Sitting on ~$800K cash
- ~$1M annual corporate sponsorship revenue
- When events run well, highly profitable
Weaknesses
- No member benefits = 2,600 paying $50/yr
- "Open" moniker manifesting into anarchy
- 70% of cash tied up in "lightly restricted" funds
- Staff measures work, not results
- Distrustful culture
- Little to no planning/budgeting
Opportunities
- 6M visitors and 250M page views in 2018
- Content is legit, needs better packaging
- Leverage reputation for growth
- Standardize conferences for profitability
- Enormous untapped sponsorships
Threats
- Irrelevancy as security expands into new markets
- Drastic changes could splinter the community
- No trademark protection
- Loose legal discipline
- Outdated governance model