Thursday, 23 May 2013

Sarah Baso as OWASP Executive director, how it broke the model, structure and culture of OWASP employees

(note: I don't have a lot of time to write the detailed analysis that I wanted to do, but as time is passing by, I wanted to go on the record with my thoughts on what happened. So think of this post as a brain dump of my views on this important topic for OWASP)

On April 8th the OWASP board announced that OWASP Creates Executive Director Position.

My view at the time (and still is) was 'OWASP Executive Director Role (Not yet)', especially because:
    What we need are another Kate, Sarah, Kelly or Samantha, they still work FAR too much for OWASP and my worry is that they will implode one day. Not sure that they need a boss to tell them what to do, if anything I would delegate to them the powers currently 'assigned' to the Executive Director.
What happened next surprised most OWASP leaders, since a couple of days later the OWASP board announced that Sarah Baso would become OWASP's New Executive Director.

Which of course means that there was never an effort/attempt to fill that position (externally or internally), and that the decision on that appointment was made well before the 8th of April OWASP Creates Executive Director Position post.

BIG DISCLAIMER:  before you read the next part, it is good to take into account that:
  • I was the one that found Sarah Baso for OWASP:
  • During the OWASP Summit we worked a LOT together, with a really amazing collaboration and work environment (yes, there were a couple speed bumps, but Sarah was one of my most trusted helpers and really delivered when it mattered)
  • I have slept a couple of times at her house (when in Minneapolis), and when in London she also spent a couple of days at my house
  • She is an O2 Platform user: Batch PDF creation from OpenXml file (by O2 user)
  • She is a friend and deserves that I spend the time to write these words (remember that the real friend is the one that speaks what is on their mind (and cares enough to spend the time))
  • I have not spoken with Sarah since this appointment was made
  • I am not speaking on behalf of the other OWASP employees (in fact their silence in this matter speaks volumes)
So as you can see I know Sarah very well and have been part of the efforts to bring her to OWASP.

But the appointment of Sarah as the OWASP Executive Director doesn't feel right to me, and from my view is another reason why the current OWASP board needs to be dissolved and re-created from scratch (see An Idea of a new model for OWASP).

Ironically, right in the middle of this situation, lies a really good decision by the OWASP Board (which for a group that is famous for not making decisions, is a great move and evolution). I'm talking about the delegation of power and budgets to the OWASP employees, which at least is a step in the right direction, by putting the power and responsibility for key OWASP operational issues in the hands of the OWASP employees.

The problem is that (from my point of view), this 'appointment' has a number of issues:

Issue #1: Break of the OWASP Employees model, culture and social-contract

Let's be clear here: with this move, and with the powers given to Sarah, she can hire and fire other OWASP employees, namely: Kate, Samantha, Alison, Kelly and Matt.

This is a massive mistake because it transformed the OWASP Employees (the OpsTeam, as I like to call them) from a cohesive and strong team into a fragmented, hierarchical, bureaucratic and 'political' structure.

It is very important that the OWASP employees feel empowered to fight for OWASP and its multiple activities (projects, chapters, conferences, initiatives, tours, etc...). But without all being 'equals' this is very hard to do.

Issue #2: Lack of transparency on how/when the decision was made

This is a topic that I can't speak about without getting into 'conspiracy theories', so I will just say that for an Open organisation like OWASP, this is probably the most 'non-open/behind-the-scenes' activity that I have ever seen.

The rest of the analysis I leave to you :)

Issue #3: The way the appointment was done is a case-study on how not to do it

Not only was there the false impression that there would be a 'call for candidates', the way that the OWASP board first pushed it as an appointment, and then (after questions were raised) re-phrased it as a 'Promotion from within', shows a massive lack of common sense, and more importantly a lack of understanding of the OWASP leadership community.

I'm not on the board any more, so I don't know the details of what happened, but my understanding is that this was not done in a united/coordinated way (by all members of the OWASP board). Which is another bad move, due to the sensitivity of the situation and the massive change of the OWASP operational structure.

Issue #4: Sarah is not THAT much better than the other OWASP Employees

This is a tough one to say on the record, but unfortunately Sarah is in a position where we need to look objectively at her appointment and ask 'compared with the other OWASP employees, does she deserve the promotion?'

I.e. is Sarah that much better and more qualified than the other current employees: Kate, Samantha, Alison, Kelly and Matt?

Remember that we can't use the measure 'Sarah is working really hard for OWASP and she has done great stuff for OWASP'.

Because, ALL current OWASP employees (Kate, Samantha, Alison, Kelly and Matt) fit that bill.

In fact OWASP is very privileged to have such an amazing team, which is actually quite qualified for the job they do.

And remember that promoting Sarah and making her the 'boss' of the other OWASP Employees is basically saying that: 'Sarah is much better than the others and she deserves to be in power'.

Issue #5: Sarah has no CEO or Executive Director experience

Again, if we are going to look at this objectively, Sarah doesn't have the qualifications for this job. Now, it is great to give people opportunities, but for me the position of CEO/Executive-Director of OWASP should be given (one day) to somebody:

  • with a proven track record in that role,
  • that is clearly 'above' the current OWASP employees, 
  • with past experience in running large teams of organisations with open culture like OWASP (for example a past senior executive of Mozilla, Wikipedia, Apache, etc...) 
Issue #6: It is not fair for Sarah that she has been robbed of the opportunity to earn this role

Ultimately the biggest loser here (at least in the short term) is Sarah. She deserves better than the 'cold' reception that she got from the OWASP leadership community, and me writing posts like this.

Note that I'm not saying that Sarah could not 'one day' become the OWASP executive director, but not like this, and not like it was done.

For example, if there was supposed to be a 'promotion from within', then that should have been a democratic process from within the OWASP employees, namely there should have been a vote where only the OWASP employees would vote and choose amongst themselves who would have the extra powers.

Also the lack of public support by the other OWASP employees and 'heavy weight' OWASP leaders speaks volumes, and shows how divisive this move was.

This role really needs to be given to somebody that has a HUGE amount of political capital to spend (and get things done). Without that grass-roots support, any major (or minor) change is going to be a struggle, especially given the distributed nature of the OWASP community (and opinions :)  )

Issue #7: Sarah doesn't need the extra power, it is the OpsTeam who needs it

I also fail to understand why, at the current size of the OWASP employees (the OpsTeam), there is a need to have an 'Executive Director' with absolute powers over the others?

What decision is Sarah going to make with that power?

Fire one of the employees? I hope not, since none of them deserve that and it would be a crazy move (even worse than the current appointment)

Also, there is already a good separation of duties among the current employees, so they should be empowered to make decisions, not be given an extra management layer and 'chain of command'.

If I talk with Kate, Samantha, Alison, Kelly or Matt on a topic that they are currently responsible for, I EXPECT them to have the authority and power to deal with the issue at hand. Not to have to go to the board or Sarah and 'ask for permission or decision'.

Issue #8: It is not fair on the other OWASP employees that they didn't have a chance to apply

Again I don't have much inside track on what happened and who-knew-what-when.

And since there is no documentation about the decision, it is fair to assume that the other employees never had a chance to apply.

This is where process and respect matter. It is quite possible that in a parallel universe, Sarah would have become the Executive Director in a way that was highly celebrated and endorsed. In this parallel universe, after an open, transparent, democratic and pragmatic evaluation/process, Sarah would have emerged as the perfect choice. But that would have required a completely different process and sequence of events.

The issue here is not that Sarah was chosen, the issue is how it was done. Note that although I hired a number of people I knew personally to work on the OWASP summit, all those efforts were done in the open and there was plenty of opportunity for others to apply and take those 'paid roles' (and there was budget for more talent (but we couldn't find it))

Issue #10: Sarah already had a full time job at OWASP: Conferences

So if she is going to take on more responsibilities and roles, who is going to continue the amazing work Sarah was doing at the Conferences?

The other OWASP employees are already maxed out!

If Sarah keeps doing it, why the appointment?

If Sarah drops parts of it, OWASP will be losing energy and focus on one of the areas that is currently working really well!

Issue #11: I'm disappointed with Sarah for allowing this to happen

Of course, most of you will not care about the fact that I'm disappointed, and maybe even Sarah won't.

But I was very disappointed by Sarah allowing this to happen (especially because she didn't take the opportunity to use her new powers to make it better (see the first points of the 'How to fix it' section below)).

This feels like a 'power grab' and Sarah was not able to resist the offer.

Well ... I expected more from Sarah, and she missed an opportunity to show the human and professional qualities that she has.

I hope to change my mind in the future, but I have to say that at the moment I lost some of the respect I had for Sarah :(

Of course this doesn't matter since I have no more power at OWASP.

I'm also disappointed by the lack of public critical thinking on the OWASP leaders list, and the small number of OWASP leaders that actually take the time (and still care enough about OWASP) to write about their views/opinions (note: I'm not even going to post this blog to the OWASP leaders list (it would be great if somebody else cared enough about OWASP that they posted it there, together with their views on this post)).

I don't claim that I'm 100% correct with my views and that I have all the solutions, but the only way to fix things is to have open and frank discussions/threads about what is going on. And once the 'issues' are identified, it is important to also propose solutions.

.... which leads me to:

How to fix this

We can't go back in time, so what we need to do now is to look at ways to fix this.

Assuming that there is an agreement that something should be done, here are my proposed actions:
  1. change the model so that all OWASP employees are 'equals'
  2. put a rule in place where the OWASP employees can only be fired by a majority of the OWASP leaders (by vote)
  3. Cross post or link this blog entry from OWASP's official blog, together with other related threads/responses (after all, OWASP is about being open, and this blog post contains an analysis of OWASP by somebody who has done a lot for this organisation (me :) ))
  4. publicly apologise to Sarah for putting her in such a tough position
  5. publicly apologise to Kate, Samantha, Alison, Kelly and Matt for the unnecessary stress created
  6. publish details for how the decision was made (and when), so that we have a good documentation of what happened and future generations of OWASP leaders can learn from past mistakes
Of course, given the current structure and political mess that is OWASP at the moment, it is probably more likely that we will have an unthinkable '5 days-in-a-row without rain and cold here in London' than this happening :)

Good luck Sarah, and how can I help?

Since Sarah is probably one of the few who is still reading this post, I would like to first say to you:

I'm sorry ...

... for writing this email, and hopefully one day you will appreciate it and see that I'm writing this because I'm your friend and still care about you and OWASP

Good luck ...

... with your efforts to make OWASP an amazing organisation

Please prove me wrong...

... by showing how your appointment as Executive Director was a turning point for OWASP and that what happens next will make this post look like the most 'stupid thing that I ever did'

Let me know how I can help...

... I expect that you will not be happy with this post, but remember that I love OWASP and that I'm writing this because I still care (in fact, a worrying sign for me is how long I took to write this, since there were multiple times last month where I started 'not caring' enough to stick my neck out, and do what I believe to be the best for OWASP (in this case, write this post))

Good luck OpsTeam, and how can I help?

Kate, Samantha, Alison, Kelly and Matt (OpsTeam), since you are also reading this, I would like to also say to you:

I'm sorry ...

... for posting something that might make your lives harder.

Now, you know and I know that you didn't ask me to write this, and have barely talked to me since the 'appointment'; hopefully Sarah (and the OWASP Board) will also believe that, and not give you any trouble for this public criticism of their actions.

Sarah, I hope that you view this post as an opportunity to connect and listen to your 'employees' and create something positive

Good luck ...

... since your job at making OWASP work just got more complicated and frustrating.

Let me know how I can help...

You are the heart and soul of OWASP and nobody cares about OWASP as you do :)

Please keep doing your amazing work for this crazy community, and as an active member of that community, I'm here to help you as much as I can
