Industry:Minutes 2011-05-13

Roll Call
Global Industry Committee Call: May 13, 2011 at 18:00 UTC/GMT

Present:
 * Joe Bernik (Chair)
 * Sarah Baso (Secretary)
 * Mateo Martinez
 * Kate Hartmann
 * Lorna Alamri
 * Alexander Fry
 * Nishi Kumar
 * Tom Brennan
 * Jerry Hoff

Absent:
 * Mauro Flores
 * Rex Booth
 * Georg Hess
 * Eoin Keary
 * Colin Watson
 * David Campbell

Information on GIC Working Sessions at AppSec EU

 * 3 sessions on Friday, June 10 2011 (second day of the conference)
 * 1st session: GIC Outreach Presentation 10:15-11:00 am, presented by Nishi Kumar. The purpose of this session is to help organizations understand why application security is important and how OWASP can help in making their applications more secure. It will give them an opportunity to learn what documentation, training, architecture, tools and infrastructure are available. The best part is that all these materials are free. OWASP provides the solution for their application security needs. We are also looking to improve collaboration by helping get more organizations participating in OWASP projects. This will help us ensure that we account for the various needs of industry and develop well-vetted best practices. Security For Managers And Executives - Industry Outreach Presentation
 * 2nd session: Gathering Information - Industry CISO Survey 12:05-12:50 pm, presented by Rex Booth
 * 3rd session: Industry Roundtable discussion 3:00-3:45 pm, presented by Sarah Baso with remote participation by Joe Bernik. Discussion format based on questions such as: How can GIC become more relevant and work to achieve a better working relationship with industry verticals? What ROI would companies find valuable when sponsoring/supporting OWASP?


 * Goal(s) of the GIC sessions at AppSec EU: As discussed on the last two calls, the overall goal is to work toward achieving the GIC's 2011 committee initiatives, most importantly: 1) Engage in discussion with the appsec community (and various industry verticals) to learn how GIC can become more relevant in the context of industry. 2) Communicate with people not currently involved in OWASP about what OWASP and OWASP tools can offer their organizations, and determine what things are not currently being offered to them that would make them interested in sponsoring/supporting OWASP.


 * Eoin also will be rolling out his GASS Survey (on SurveyMonkey) during the conference, and we hope to work that into one of the sessions. SB is putting together a flyer to market the survey (with a link to the survey).

Discussion items for Call
AppSec EU working sessions:


 * Update from NK on her presentation and session:
 * A few more minor updates to make before working session including removing a few slides so the time for the presentation is 45 min.
 * She also plans to hand out a flyer (and other OWASP materials such as Live CD if possible) summarizing her presentation and what she/the GIC/OWASP can offer companies. SB putting together flyer and then JH and NK will review.
 * Target audience is industry leaders and C/Executive level employees
 * Goal of presentation/session is to focus on the business impact of OWASP/OWASP tools. Comments - need to make sure presentation is not too technical as many of the individuals who are targeted with the presentation will not have a high degree of technical background. Should be general takeaways.


 * Update from Rex on his CISO survey and session - N/A (Not on call)


 * What questions (if any) should be included in the roundtable discussion?
 * What does OWASP need to do to become more relevant?
 * Why aren't you an OWASP member/corporate supporter?
 * Why don't you use/aren't you interested in the current resources made available by OWASP? Not relevant? Too generalized?
 * Would industry specific information be helpful/relevant/useful for you? EX: financial industry information


 * Other miscellaneous thoughts and discussion points:
 * LA - companies are often interested in customizing documentation tools, but are restricted by the OWASP "share back" policy
 * TB - Outreach efforts/presentations need to be scalable -- global presentations translated into many languages
 * One ROI we could suggest to companies is that they can contribute/sponsor a specific project --> They can work with the project leader to create a roadmap outlining expectations of both parties and then a commitment to maturation of project
 * NK - Not clear on difference between two different surveys GIC is currently working on. Eoin's GASS is a general survey for anyone interacting with appsec in their company. Rex's proposed survey is very targeted/specific to CISOs


 * Joe Bernik - feedback from FS-ISAC conference
 * OWASP does not have a sufficient level of governance or stable governance to get targeted value. We need to look to orgs such as ISC2, ISSA, etc. for their governance structures. Right now we are too informal and appear to have a lack of commitment (perception is key).
 * Without a CEO, changing this industry perception may not be possible. Additionally, the CEO or head of operations needs to be visible in industry.


 * Working with Membership Committee to gain Corporate members/sponsors:
 * GIC working sessions (especially roundtable discussion) will hopefully help us understand what we are missing.
 * Goal of working session(s) will be to come up with written documentation/proposal for targeting new corporate members. This may include a new level for corporate support ($2500 Silver/$5000 Gold), discounted fee/admission to events, access to documentation.
 * SB to schedule meeting with GMC and GIC at end of June

Next Meeting
TBA