CTO Checklist
*shamelessly copy-pasted & inspired by https://github.com/stockandawe/saas-startup-cto-checklist , credits to @stockandawe & @danielwestendorf
Day-to-day execution & Project Management
Overview
A checklist of all things to consider for CTOs of early-stage startups.
Who is this for?
The CTO, first engineer, cofounder, or anyone at a early-stage startup who is accountable for building application.
Mental Model
Its also important to build the mental model before you go through all of the checklist, these references helps:
- https://athenian.com/blog/7-mental-models-for-great-engineering-leadership
- https://panjigautama.com/engineering-lead-materials/
- https://www.amazon.com/Great-Mental-Models-Thinking-Concepts-ebook/dp/B07P79P8ST
Checklist
Before you start building
- Choose the boring technology
- Focus on tech that helps you build your product, not keeping up with fads. New tech popularity is fleeting https://mcfunley.com/choose-boring-technology
- Set the golden path / silver path together with your team
- Ensure consistency and avoid unnecessary discussion/doubt across the team https://panjigautama.com/software-fragmentation-the-golden-path/
- Have an opinion/a point of view in how you plan to work along with what you plan to work on
- Repository (best to pick something that can give you lot of perks out of the box e.g. feature flag, deployment) https://about.gitlab.com/
- Coding Standards https://github.com/Kristories/awesome-guidelines
- Git Workflow https://www.toptal.com/software/trunk-based-development-git-flow
- Setup Quality Gate (e.g. minimum unit test) or Pre-Commit Check https://github.com/Bahjat/pre-commit-golang
Documentation & Tools
- Start a wiki - put all of your documentation there (tips: create template as well e.g. RFC/PostMortem template)
- choose the one that can give you flexibility to comment and collaborate https://slite.com/ or https://www.atlassian.com/software/confluence
- Pick a Platform as a Service/cloud computing that you are most comfortable with
- Minimal devops & easy deploy > cost efficency or performance
- AWS/GCP is the king, Azure is nice, but they can be considerably expensive for early stage startup - unless you get free credits / enroll in startup programs
- DigitalOcean is rising (by the time this doc written, 2022) and Heroku is also portable enough.
- Structure Organizational Unit and Resource Label to have proper & trackable billing structure to helps on Budgeting
- Have a CDN instead for providing assets from your web server
- Setup Continuous Integration (CI)
- Require CI to pass for PRs to merge
- Enforce quality gate as part of CI
- Favorable for Managed Services for Commoditized Systems/Components
- Feature Flag
- Unleash / Gitlab Feature Flag
- Analytics
- Mixpanel
- Business Intelligence
- Redash
- Marketing
- Moengage / Appsflyer
Architecture
- Pick a lane
- Server Side Rendering v/s Client Side Rendering
- Monolith vs Microservices
- Pick a framework that you are most comfortable with
- User authorization and policy-based access, enforce authorization checks for all third-party services
- Sooner or later, you will want to setup MFA/2FA
- Start with password-based authentication. Eventually you will need to support SSO (keycloak, jumpcloud, auth0 could be an option as IdP/Identity Provider)
- Where will your marketing site and company blog run
- If your marketing site is built within your app, you will become the bottleneck for growth/marketing
- Having your app running on app.yourdomain.com from day 1 might make it easier to switch later
- Avoid use of naked domains for hosts. They're inflexible when migrating between services.
- Use third-party website builder if possible (e.g. wix.com, mailchimp)
- Eventually you will need to provide an API Gateway
- Set up servers with IaC (Infrastructure as a Code)
- Automate DB backups, and regularly test restores (if self-managed)
- Setup uptime monitoring early with appropriate notification processes
- Never restore/run production data to non-production environment, always use dummy data!
- Never allow different services to manipulate other service data, always go through the API
Observability & On-Call
- Opinionated observability
- Third party tools might pricey but they typically helps to reduce cost of maintenance & integration
- Grafana could be painful but save a lot of money in the long run, proceed with caution
- NewRelic, Datadog, Honeycomb helps a lot of ensuring whats matter (e.g. easy integration, easy to use dashboard and query)
- Client Side monitoring should also on the Day 1
- Sentry, Firebase Crashlytics could be a good option
- Setup proper and healty on-call
- Set opinionated communication and incident escalation process
Code
- README should describe steps to setup dev environment from scratch, always up-to-date
- Adapt a style guide from day 1
- Start adding unit tests from day 1(compromise on coverage)
- Decide on comments or no comments in code
- Use linters to help standardize code as well as make code reviews better for everyone
- Set and document guidelines and best practices for logging
- Set and document guidelines and best practices for exception handling
- Set up runtime errors and exception reporting
- Set up the ability to track changes to your records at the database level for auditing or versioning(framework migration or flyway.db could be an option
- Define and document process and expectations for code reviews
- Early code will likely hit product limitations before performance/scalability becomes an issue; focus accordingly
- Seed development env databases with dummy
Engineering Team
- Hanlon's razor: Never attribute to malice that which is adequately explained by ignorance/stupidity/lack of knowledge.
- Golden path to the rescue
- Define first principle
- Opinionated Process
- https://panjigautama.com/engineering-north-star-metrics/
- https://panjigautama.com/on-incident-post-mortem-process/
- https://panjigautama.com/tech-debt-management/
- https://panjigautama.com/defect-bug-management/
- Always be looking forward and "recruiting"
- Cold-Call on various social media (Linkedin)
- Company & Personal branding through public (e.g. conferences) & private talks (e.g. mentoring)
- Once you have at least one more engineer, define engineering levels
- Set up a structure to allow for experimentation
- https://teamtopologies.com/
- https://www.audible.com/pd/Team-Topologies-Organizing-Business-and-Technology-Teams-for-Fast-Flow-Audiobook/B07VZ2JKQP
- QA: You will need QA earlier than you think you do, and invest on automation as early as you can
- When you are no longer effective in managing the team, look for a Manager/Director/VP of Engineering who is 10x better than you
- Choose to manage or write code. Doing both will result in poor performance of both.
- Decide whether you will be a setup for remote or not and if remote, what "type" of the remote team you will be
- https://www.holloway.com/g/remote-work/about
- http://klinger.io/post/180989912140/managing-remote-teams-a-crash-course
- Remote teams give you a large talent pool but have unique management challenges. Hire for skill and autonomy if hiring remotely.
Day-to-day execution & Project Management
- stand-ups, sprints, retros, milestones
- Use simple "project management" to keep a healthy product development rhythm, no matter how small your "team"
- Kanban, start ScrumBan before going full scale with Scrum
- https://panjigautama.com/scrum-agile/
- A team member's failure likely stems from a decision you made (or didn't make)
- Hire Technical Program Manager, they will make your day-to-day easier and manageable
- Report Agile Project Status with a Big Visual Information Radiator for your stakeholders
- Google Sheet to the rescue
- JIRA dashboard helps
Product
- Use "feature flags" to release new features and selectively enable them for existing customers.
- Decide prioritization technique with the team (engineering and business)
- Don't make the thing more awesome, always look for how to make your users more awesome
- To make a decision, look for answers in analytics and metrics
- Reporting: Sooner or later, the data you can query from the database will need to be turned into reporting features for your customers
- Customer-suggested solutions are usually wrong. Dig into the "why" before weighing the "how"; the need is usually legitimate
- Never implement a feature just for one customer; it will hurt you more in the future than help you in the short term
- Exception of paid/sponsored features, which should take maintenance and support into consideration
- Ensure existing customers want a feature before you start building it
- Potential customers always want the moon; rarely will just-one-more-feature! start landing customers. Choose features many leads want, not just a few
- Have a vision for your product and work towards it. Passing on customers because of features that don't fit your vision will be painful, but will pay off in the long run.
- Aim for a "simple" product. Simple is not easy, but it's what your customers and users need. The craft of product is doing the hard work of figuring out the complexity to make using it simple for your customers.
- Support deep links; your users and your support staff will thank you
- Branch.io to the rescue
- Invest on the SEO together with the Digital Marketing to helps on campaign
Support
- Have an Internal Tools Admin interface from day-1
- Best to stick with no-code/low-code approach like https://budibase.com/ or https://retool.com/ , there will be lot of changes and you dont want to spend a lot of time building internal tools from scratch
- To ensure the "health" of your application, set up a status page
- Uptimerobot , status.io helps
- Provide an "impersonate" feature to Admins to help experience what the customers are experiencing
- Have a support ticketing system in place from day 1
- FreshDesk, JIRA service desk helps
- Define support schedules and communicate them to your customers; enforce them with your support staff
- Customers who "need" 24x7 support will be willing to pay a premium for it
- Define and document supported Browsers/OS versions from day-1
- https://beta.caniuse.com/ is your friend
- If you plan to support IE, ensure that you and the team are setup to test and debug bugs in IE
Security
- Go through the SaaS CTO Security Checklist
- Prepare checklist to build a simple SIEM
- Run dependency management, broken dependency can cause you big headache
- Run static code analysis security tool for your frameworks
- Look into a third-party pen testing and code audit service/tool sooner than you think you will need to
- Implement a bug-bounty program
- https://www.hackerone.com/ or similar
- Compliance
- Get familiar with the top 3 compliance standards in your industry
- Create a skeleton of what it would take your company to get the top 3 compliance certificates in your industry
Misc
- Find a way to mentor someone (within or outside your company)
- https://adplist.org/ helps
- Join a community of CTOs, engineers, technical leaders who you can knowledge share with
- In your day-to-day, balance big projects and small enhancements/bug fixes’
- Group email address for ownership of all external services
- Use your password manager's sharing feature to ensure access doesn't rely on you personally
- All dependent service's payments on a company Credit Card, best if it can be converted to Invoice/Wired-Transfer for manageable financial purposes
- Role changes, aquisitions, canceled card, etc could make this painful