Events Special Meeting announcement and Doodle


Andrew van der Stock

Nov 4, 2020, 12:06:23 PM
to Global-board, Bil Corry, Joubin Jabbari

Hi Board,

I would normally wait for our monthly board meeting, but time is of the essence. We had an event debrief today, and a lot of the decisions about next year require the Board to authorize one of two strategies:

* Two or three major events, likely to have more risk, more income, and there's a chance that sponsors could be hard to come by if a recession hits
* Twelve or so smaller events, with potentially just one Global AppSec in Australia, likely less risk, definitely lower cost, and consequently likely less income.

We need to get a decision for the events strategy, as we need to publish an events calendar, and it's already a bit too late to run a CFP / CFT for a February event. I need at least a quorum of 4, but I would prefer the full Board if possible, as this could potentially mean approving spending $300k of our ever-decreasing operating budget with the potential to earn at least that much or, hopefully, far more.

I have sent a Doodle to all of you, including the Board elects, who can observe but not vote, with the exception of Martin, who is obviously a continuing Board member and has full voting privileges.

thanks,
Andrew

Sherif Mansour

Nov 4, 2020, 12:20:21 PM
to Andrew van der Stock, Bil Corry, Global-board, Joubin Jabbari
Hi Andrew,

What’s the recommended approach from the events team? How much less revenue are we talking about between the two events? What operational efficiencies would we benefit from if we also invest in the events tool?

-Sherif

--
Sherif Mansour
OWASP Global Board Member & OWASP London Chapter Leader 
Site: https://www.owasp.org/index.php/London
Email: sherif....@owasp.org
Follow OWASP London Chapter on Twitter: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london

Andrew van der Stock

Nov 4, 2020, 3:57:49 PM
to Global-board, Sherif Mansour, Bil Corry, Global-board, Joubin Jabbari, Andrew van der Stock, Emily Berman, Kelly Santalucia
We are still working that out. Emily is going to update the event strategy with the numbers once we have them from the AppSec Virtual platform / vendor to work out likely expenses / income, and work with Kelly on likely sponsorship numbers for each alternative.

thanks
Andrew

Sherif Mansour

Nov 4, 2020, 4:04:07 PM
to Andrew van der Stock, Bil Corry, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Thank you Andrew,

I’ll need these answers in order to make an informed decision.

-Sherif

Sherif Mansour

Nov 4, 2020, 4:06:02 PM
to Andrew van der Stock, Bil Corry, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Also, have you shared the strategy with Bil and Joubin so they can weigh in as well please?

Thanks,
-Sherif

Richard Greenberg

Nov 4, 2020, 4:35:44 PM
to Sherif Mansour, Andrew van der Stock, Bil Corry, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
There does not appear to be any evidence or indication that the events in person can take place in 2021. I wish there was, but at this point, it would be irresponsible to get a contract with the hotel and start planning the physical event. With that said, it appears that the only option would be either 12 events or a few large virtual events. Or, a hybrid. As far as Australia is concerned, I am down under with that.

Richard Greenberg, CISSP
OWASP Global Board of Directors
ISSA Honor Roll & Distinguished Fellow
President, OWASP LA www.owaspla.org
President, ISSA LA www.issala.org
https://www.linkedin.com/in/richardagreenberg
(424) 307-4440

   

Bil Corry

Nov 4, 2020, 6:36:44 PM
to Richard Greenberg, Sherif Mansour, Andrew van der Stock, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Does the Foundation have any multi-year contracts already in place with one or more venues?  Curious if not holding a physical event means paying a cancellation fee.


- Bil

Andrew van der Stock

Nov 10, 2020, 12:55:55 PM
to Global-board, Bil Corry, Andrew van der Stock, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Hi Board,

I've scheduled the special board meeting for Monday next week as it's the earliest 9 of us could meet. I will add this meeting to the website. You should have the invitations now.

I'll make sure Emily has included details around all your questions in the presentation for next week. In short, we do have some commitments. Emily is in the process of using force majeure with the event location as Ireland is currently in a lockdown and unable to have large events. Hopefully, that will turn out okay, but the SF event location has a significant cancellation fee. With the announcement of the vaccine over the weekend, Emily will detail plans on SF as a hybrid option towards the end of next year, with a requirement that attendees prove they have been vaccinated. We met last night with the AppSec Australia organizers, and we will likely try to run that as our second Global AppSec event.

I will share the presentation with you as soon as it's complete for your review prior to the meeting.

thanks,
Andrew

Owen Pendlebury

Nov 10, 2020, 12:57:27 PM
to Andrew van der Stock, Bil Corry, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Thanks Andrew 

--
Owen Pendlebury @pendo19
Chair OWASP Global Board of Directors

Sherif Mansour

Nov 10, 2020, 1:16:33 PM
to Owen Pendlebury, Andrew van der Stock, Bil Corry, Emily Berman, Global-board, Joubin Jabbari, Kelly Santalucia
Thank you Andrew, do you have feedback on the BoD questions above?

Bil Corry

Nov 10, 2020, 11:44:27 PM
to Andrew van der Stock, Global-board, Emily Berman, Joubin Jabbari, Kelly Santalucia
Regarding requiring a covid vaccine to attend an in-person OWASP event, be sure OWASP is up to the actual task:
  1. If OWASP is collecting vaccination records ahead of time, it's protected health information in the United States and is a special class of data under GDPR for EU residents.  Not insurmountable, but definitely adds compliance overhead. 
  2. If OWASP is reviewing it at the event and turns someone away at the door because their evidence doesn't meet with OWASP approval, then that might open OWASP to liability for the costs incurred to attend the event.
  3. Will OWASP have the expertise to discern valid vaccination records in different languages from different countries?  If OWASP will not, then anyone can provide any proof and OWASP will be taking their word for being vaccinated.  That's a lot of effort for what boils down to covid safety theater. Side thought: would having had covid previously count?
  4. The CDC does not recommend policies that require mandatory covid vaccines for frontline healthcare workers, which begs the question of why OWASP would require it for business travelers (you can watch the CDC's comments on mandatory covid vaccinations at a recent FDA summit: https://youtu.be/1XTiL9rUpkg?t=11057).
  5. Vaccines may not be available to every person interested in attending, both within and outside of the United States.  Some countries may have a limited supply.
  6. Different countries will have different vaccines.  Is there a standard efficacy rate that is acceptable or will OWASP accept any vaccine, even a trial vaccine that is later shown to be entirely ineffective?  What if some countries use a vaccine that has a 50% efficacy rate, is that good enough?
I could go on, but you get the idea: it gets very complicated very quickly and puts OWASP in a difficult situation as a gatekeeper.  I strongly suggest that OWASP follow the local health orders involving groups of people for the size of the event we're holding and put this on the "maybe" list and see what happens after the vaccine rolls out.

Best regards,

- Bil


Martin Knobloch

Nov 11, 2020, 12:59:39 AM
to Bil Corry, Andrew van der Stock, Global-board, Emily Berman, Joubin Jabbari, Kelly Santalucia
Thanks Bil, and I 100% agree. I do not understand why we should not continue the path we already defined, as you too state, to hold the chapters to follow the local health orders of their (local) governments! 
As said, this has already been decided on. Nevertheless, it might be time for a reminder. 

Cheers,
-martin 


Joubin Jabbari

Nov 11, 2020, 11:16:40 AM
to Andrew van der Stock, Global-board, Bil Corry, Emily Berman, Kelly Santalucia
Hey Andrew, 

Do you know if we are legally allowed to ask our attendees about vaccination status with proof? Do we have access to legal counsel we can ask? Fully acknowledge that COVID vaccination may differ in how we approach this.

More than happy to have this discussion on Monday.  

Joubin Jabbari

Nov 11, 2020, 11:27:12 AM
to Andrew van der Stock, Global-board, Bil Corry, Emily Berman, Kelly Santalucia
Apologies - my mail client just loaded all of Bil's great questions :)

Andrew van der Stock

Nov 11, 2020, 2:13:07 PM
to Global-board, Joubin Jabbari, Global-board, Bil Corry, Emily Berman, Kelly Santalucia, Andrew van der Stock
On the vaccination front, I believe we can ask people to assert they have been vaccinated, and to adhere to our COVID social distancing rules, such as any state-mandated face coverings if they are still in use at that time. I do not think we want to see vaccination records as that would be a HIPAA nightmare and we are not qualified to store or interpret the results. At best, with 90% effectiveness, asking for attendees to assert during registration that they have had a COVID shot and will adhere to any other COVID requirements such as face coverings is about all we can realistically do, so we minimize the risk to all attendees and staff such as myself and others who are in high risk groups or who have elderly parents who can die if we bring this home. We would like to run a reception event on the Thursday night, and I think it would be irresponsible for us to do so without taking some form of COVID protection measures, including the potential for herd immunity due to vaccinations of most of the attendees.

We have until April to cancel the physical space, a contract that has been signed already, so the financial risk to the Foundation is higher by *not* running the event late next year with the assumption that the situation can only get better than it is right now. The health risk of *not* asking folks to adhere to basic disease precautions will create a super-spreader event, and could be far more legally risky if we don't enforce state and federal mandates, and any event insurance requirements. By April, we should know if the vaccine has been effective in reducing deaths and its availability to the general population (something they are claiming will be the case), and we have obtained legal advice to see if we can require folks to adhere to our code of conduct and any health requirements that we impose to ensure we don't have a super spreader event. Lastly, event insurance may mandate some or all of these requirements. We will not know until it's time to buy it, and if we enquire now, it's likely that the T&C's will change as conditions change.

I will suggest that we postpone any deep dive into the exact COVID requirements / operational processes until we've had some legal advice on the legality of asking for it. The reality is that due to the US's incredibly poor adherence to expert health advice, mixed messaging from all levels of officials, politicization of crowds, washing hands, and wearing masks, and a politically corrupted response from various official agencies, such as the CDC's early wishy-washiness on mask wearing when studies have shown for many decades that they are effective, I would advise the Board to wait until after January 20, and certainly nearer to the cancellation date in April, to get a clearer picture on what is likely to be required as time goes on. I am hoping we are seeing the absolute peak of infection, death, and official incompetence right now. I also hope that the forthcoming response will allow us to be in a position to truly make this a global event, rather than a US only event if borders aren't open by then.

thanks,
Andrew

Richard Greenberg

Nov 14, 2020, 10:40:18 PM
to Andrew van der Stock, Global-board, Joubin Jabbari, Bil Corry, Emily Berman, Kelly Santalucia