Nailing The CTO Job



  1. What is a CTO? Chief Technology Officer, which means everything…and nothing. You’re responsible for using technology to make your company successful.
  2. What does that mean? Generally, to help create and deliver your company’s product/service to your customers, which is kind of the most important thing…
  3. What is a CIO? There is no standard definition, but maybe: a CIO works ON the Tech Team, a CTO works IN the Tech Team.
  4. Nailing being a CTO: use technology to create competitive advantage for your company. Easy to say…hard to do…
  5. How do you do that? Make sure your WHAT and HOW are awesome. WHAT = innovate using the best technologies available. HOW = be the quickest and best at doing it.
  6. Top tips: 1) create urgency 2) bring clarity 3) achieve delivery
  7. More top tips: 1) hire really smart people 2) create small teams 3) give people problems to solve…not solutions to do
  8. Even more top tips: 1) deliver early and iterate 2) test and learn 3) focus relentlessly on business outcomes…
  9. provides high-impact temporary employees on site or remotely to make people successful. What’s stopping you?
  10. Thank you. Rorie, 0800 246 5735. Five Minute Guide


  1. provides high-impact interims for people who want to get things done… We’re not consultants, definitely not recruitment consultants, or an agency…we’re high ROI temporary team members… Everyone, including the CEO, is an interim still “doing the do”… Our focus is making the people who hire us successful… we provide…
  2. We also provide top-tier ‘Contractor’ level talent at very budget-friendly rates. matches top talent based anywhere in the world to clients based everywhere in the world. Our different services… deploys high-impact ‘C’, ‘Director’ and Growth Hacking talent.
  3. We don’t advise…we come in, take accountability for things and do them. We’re team players and we enhance a person, team, or company’s ability to achieve goals by doing things with them not for them… We have the best talent in Europe…ex Amazon, Betfair, Google, SAP… We’re low ego, high ability and obsessively focussed on client success… what makes us different… We think that the more people you help become successful, the more successful you become…
  4. things like this…
     • Retail/ecommerce / on-demand app: launched on-demand apps, managed an Indian offshore team, helped find a permanent CTO…growth hacked the SEO traffic…
     • On-demand app: turned around an unhappy development team, re-platformed to a global, scalable micro-services based platform…
     • Big comparison site: ran the Service Delivery Team for a year to improve site reliability and introduce DevOps…
     • Video start-up: took control of the website, hired a development team, launched new products and services, found, hired and handed over to a permanent CTO before leaving…
     • Gaming: coached the new CTO. Took responsibility for a major area of the IT Team, allowing the CTO to replace an underperformer and deliver much better services…
     • Charity giving platform: coached the IT leader and helped him set and execute a strategy to power the business forward much more quickly…
     • Consumer information: sorted out the development team structure and operating model. Found and handed over to a permanent CTO…
     • Comparison site start-up: growth hacked the business to massively improve the site’s traffic and revenue…
  5. We only use people who have been there and genuinely done it. Our people are ex-Google, ex-Betfair, ex-Amazon… There are no long contracts or tie ins with us…easy in and easy out when we’re done… We work with our clients to get things done…we want to make the client’s people and teams better… We don’t hire graduates and put them on client sites after a 12 month training course like other companies! One Big 6 professional services contract is 230 pages long…it can take more than a year to get it signed! The Big Six want to do things for clients and make themselves indispensable… the other
  6. George Berkowski Head of Product, Hailo The “How To Build a Billion Dollar App”​ book “The change the member brought when coming in as Interim VP Engineering was “truly amazing”​ and “we started to feel we were firing on all cylinders”
  7. Robin Spira, CTO, FanDuel: “ helped bring urgency, clarity and delivery to one of our business critical initiatives, working *with* us not *for* us. I would definitely recommend them” _____________ Marvin Sanderson, CTO, Xanadu: “The member worked with our team to bring clarity to urgent issues, supporting the team and building a roadmap and plan to deliver results efficiently. We experienced a definite change as a result of involvement. I will definitely recommend and re-use them in the future” what our clients say…
  8. Michael Phillips Founder and CEO, broadbandchoices “Our interim CTO had great vision and blended this with his experience of leading people and transforming technology architecture to add business value” _____________ Lucy Walker Director of IT, Facilities and Finance, Camelot “ have been brilliant. They have really helped us iterate our strategy towards one delivering both tactical improvements and big picture strategic shifts. I would definitely recommend them” _____________ Phill Graham CTO, Gamesys “I’m really impressed with our person. He is a very likeable guy, has built great relationships and has earned respect from both hands-on technical and board members – which is not easy to do…” more of what our clients say…
  9. people like us…
     Rorie Devine, founder and CEO: Rorie is the only person to have featured on the cover of CIO Magazine twice, has been awarded “IT Leader Of The Year” by Computing Magazine and is featured in the book “How To Build a Billion Dollar App” saying that the change he brought when coming in as an Interim was “truly amazing” and “we started to feel like we were firing on all cylinders”. Rorie was recently described as “one of the best business technologists in the country”, but doesn’t take himself too seriously and understands that it’s all about getting results…quickly.
     Shannon Maher, CxO: Shannon is an MIT graduate and has run Engineering teams for Google in London, Zurich and California. He also recently won Best Website, Best App and Best Development Group awards.
     Mark Parsonage, Head of CxO / Programme Director: Mark is one of’s rising stars. He has led digital transformation at numerous challenging organisations such as Yell and BT, and recently successfully completed a cloud migration for BT. He ran Yell Labs and produced many groundbreaking products and services.
  10. thank you 0800 246 5735
Agility When Your Organisation Needs It Most




Everyone’s doing it, trying it, or talking about it. No longer just the preserve of software development teams, ‘Agile’ is becoming more pervasive in all parts, and at all levels of many organisations.


So where and when is agility most important in an organisation, and which tool should you use?

During a Major Incident, the importance and urgency of effective decision making rapidly increases.

You may quickly enter uncharted territory; have to interpret incoming data from many sources; work across functions in hastily assembled teams; and quickly make decisions that will save your organisation from impending disaster.


I think it’s during a Major Incident, when your organisation faces the greatest immediate danger, that it needs to be able to demonstrate the greatest levels of agility.


A Major Incident may start off as a single ticket being raised and investigated by one or two people in your immediate team. Small and contained, it is easily managed.


As the impact of the issue becomes more apparent, the complexity can quickly rise.

You may need to arrange internal and external comms, to a range of stakeholders, via multiple channels such as email, social media, corporate web sites, customer contact centers, and helpdesks to name a few. 


At the same time, you need to get on and actually fix the problem and return the service to normal as soon as possible: pulling in expertise from different parts of the business to identify the root cause, put a workaround in place, start working on a fix, and deal with any knock-on impact of the original incident.


As the team swells with members drafted in from across the business, it becomes harder to keep everyone on the same page, interpret all the different incoming sources of information, agree a plan, make effective decisions and provide consistent messaging to all those stakeholders.


As your rapidly growing team assembles there is little time for the Forming, Storming, Norming and Performing cycle to play itself out. You need to perform now!


In this situation, the Kanban Board is my agile tool of choice. A Kanban board can easily be created on the nearest white board or on a wall with the help of a few Post-It Notes (other sticky notes available).


In its most simple form, you pull tasks from left to right through three stages, from ‘To Do’, into ‘In Progress’, into ‘Done’.  You can then add horizontal ‘Swim Lanes’ that map to different parallel streams of activity.


The board quickly fills up with a backlog of tasks, showing what has been prioritised and what has been accomplished across the different streams of activity. One benefit of Kanban is that it allows you to add and ‘pull through’ a new task at any time.


This allows you to inject new work and re-prioritize tasks as the situation evolves. By creating your Kanban board in a newly requisitioned war room it quickly becomes a center of focus, something for team members to gather round to share updates with the rest of the team working on the Major Incident. 


It’s also great for showing nervous stakeholders outside of the team what is being worked on, and what has already been achieved.


The Kanban board can provide a structure for update meetings, allowing the newly formed team to quickly establish a rhythm, saving valuable time. You may have input from technology, infosec, external comms, customer contact centers and content teams.


With all these people in the room, the board helps keep the meeting focused: each stream lead takes a turn to talk through their cards, giving updates on items that were ‘In Progress’, moving them to ‘Done’ if complete, calling out the items that have moved from ‘To Do’ to ‘In Progress’, and capturing additional tasks and adding them to the board as the other teams provide their updates.


Based on the updates provided and the tasks to be worked on, you can then agree when it makes sense to meet again as a group for the next status update. In between status updates, team members can pop into the war room and update their part of the board, or look at the progress of the other streams’ tickets as they move across the board. You may continue to have status updates for a few hours, a day or a week.
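The board described above, as an added example that is not part of the original post: a minimal incident Kanban in Python with a swim lane per stream, only the card moves the board allows (left to right, or one step back when a card is blocked), and a timestamped log of every move, which is the raw material for the post-incident report. The incident, card titles, lane names and times are all constructed for the example.

```python
"""Incident Kanban board with swim lanes and a movement log (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

COLUMNS = ("To Do", "In Progress", "Done")
# Cards are pulled left to right; a blocked card may go back from
# "In Progress" to "To Do", but nothing jumps straight to "Done".
ALLOWED_MOVES = {("To Do", "In Progress"), ("In Progress", "Done"), ("In Progress", "To Do")}


@dataclass
class Card:
    title: str
    lane: str                 # swim lane = parallel stream (technology, infosec, comms, ...)
    column: str = "To Do"
    owner: str | None = None


@dataclass
class IncidentBoard:
    incident: str
    cards: dict[int, Card] = field(default_factory=dict)
    # (time, card id, from column, to column); "" as from-column marks creation
    log: list[tuple[str, int, str, str]] = field(default_factory=list)
    _next_id: int = field(default=1, init=False, repr=False)

    def add(self, title: str, lane: str, at: str) -> int:
        """Inject a new card into 'To Do' at any time and return its id."""
        cid = self._next_id
        self._next_id += 1
        self.cards[cid] = Card(title, lane)
        self.log.append((at, cid, "", "To Do"))
        return cid

    def move(self, cid: int, to: str, at: str, owner: str | None = None) -> None:
        """Pull a card to another column, refusing moves the board does not allow."""
        card = self.cards[cid]
        if (card.column, to) not in ALLOWED_MOVES:
            raise ValueError(f"card {cid}: cannot move {card.column!r} -> {to!r}")
        self.log.append((at, cid, card.column, to))
        card.column = to
        if owner is not None:
            card.owner = owner

    def status(self) -> dict[str, dict[str, list[str]]]:
        """Per swim lane, the card titles in each column: what a stream lead reads out."""
        out: dict[str, dict[str, list[str]]] = {}
        for card in self.cards.values():
            out.setdefault(card.lane, {c: [] for c in COLUMNS})[card.column].append(card.title)
        return out

    def timeline(self) -> list[str]:
        """Every creation and move in time order, ready for the post-incident report."""
        lines = []
        for at, cid, frm, to in sorted(self.log):
            card = self.cards[cid]
            lines.append(f"{at} [{card.lane}] {card.title}: {frm or 'created'} -> {to}")
        return lines


def build_demo_board() -> IncidentBoard:
    """Constructed first hour of a made-up incident; not a real case."""
    board = IncidentBoard("INC-0042 spike in failed logins")
    c1 = board.add("Confirm scope of failed logins", "technology", "09:00")
    c2 = board.add("Check for credential stuffing pattern", "infosec", "09:02")
    c3 = board.add("Draft holding statement", "comms", "09:05")
    c4 = board.add("Brief contact centre on customer script", "contact centre", "09:05")
    board.move(c1, "In Progress", "09:06", owner="ops lead")
    board.move(c2, "In Progress", "09:07", owner="infosec lead")
    board.move(c1, "Done", "09:20")
    c5 = board.add("Rate-limit the login endpoint", "technology", "09:21")  # injected mid-incident
    board.move(c5, "In Progress", "09:22", owner="ops lead")
    board.move(c3, "In Progress", "09:25", owner="comms lead")
    board.move(c4, "In Progress", "09:30")
    board.move(c4, "To Do", "09:35")  # blocked: waiting on the holding statement wording
    return board


if __name__ == "__main__":
    demo = build_demo_board()
    for lane, cols in demo.status().items():
        print(lane, cols)
    print("\n".join(demo.timeline()))
```

The `status()` output is the stand-up walk-through lane by lane; `timeline()` is what you hand to whoever writes the incident report, and refusing illegal moves keeps that record honest.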


It just depends on how serious the incident is. But if you’re carrying out the role of Major Incident Manager, then at the first sign of trouble get a war room, assemble your team, throw up a Kanban board, clear your diary, start collaborating and go agile…


Top 10 Tips For An Effective Digital Transformation


Digital transformation deserves better than a buzzword and a marketing concept...

It is often associated with long, expensive and hazardous projects led by big consultancy firms, as well as expensive and (vastly) under-utilised technology. It should not be so.


I have helped deliver digital transformations fast and at limited cost. I am pleased to share practical tips from 10 years’ hands-on experience with international companies, so that your company too can thrive in the digital world.


Tip #1: understanding the digital ethos

The irony in the digital world is that we, as people, live and breathe digital in our everyday lives, when we shop online, chat with friends and family on Facebook, check in on our smartphones, pay our taxes online… However, understanding how companies can grow in this everyday digital reality is clearly a different challenge once we put our corporate hat on.

The digital ethos is about:

  1. nurturing your customers’ satisfaction, by delivering a seamless experience and active communication with them.

  2. executing flawlessly on your brand promises.

The digital ethos is also about constant improvement, learning and looking outward, to keep up with a fast-changing market.


Tip #2: digital transformation is all about the customer

I disagree with the idea that loyalty has gone.

Indeed the success of the GAFA is a story of strong loyalty driven by remarkable products:

  • Google as a search engine dominates as it is simply the most relevant and constantly tests and invests to stay so.

  • Amazon got me in because of their wide inventory, perfect delivery and impressive customer service.

Customers are loyal to those companies because they trust them. The improvements brought by those companies are based on a systematic test and learn approach, which is a form of automatic listening to the customers even without them noticing.

The market research I did for my customers consistently showed me that branded terms drive a clear majority of the search traffic in most verticals. Customers care very much about Brands, and traditional advertising (TV, radio…) is still very powerful.

However, to be relevant, Brands have to ensure that they keep their customers satisfied, by addressing any pain points, poor execution or bad customer service experience.

Customer feedback is also a priceless opportunity to improve the offering and innovate relevantly: the customer is the real asset for most Brands, so it is a shame that so few companies have customer KPIs in their CEO scorecard or annual report.


Tip #3: digital transformation is all about the staff

Can you name a great Brand with poor staff morale? You cannot sustain a successful business if you don’t build a strong team who feel proud of their company, are strong advocates, and are ready to work beyond 9 to 5 on projects which they are excited about. Your staff also need to be genuine customers of the company (don’t force them), providing them with this healthy external view of their own company.

It is also a great time to fully recognise the value of the operation and customer service staff:

  1. they are the face of the company and have a decisive influence on the customer perception.

  2. they are the eyes and ears of the company and can provide some essential feedback.

The operations staff understand the details of how the products and services are delivered and will have critical input on opportunities to improve the service, more relevantly than any external consultancy firm. They need to be nurtured and engaged.

The staff culture will bring you the digital ethos. You might still need to complement your core team with digital talent, or coach your team how to do digital by bringing interim staff to develop the process and transfer the skills.


Tip #4: a digital transformation is data driven

“Every sperm is sacred”, as Monty Python sang.

In digital, so is every interaction and every item of spend as they form the basis of actionable insights to make better decisions across the company: how can we drive retention, how can we increase satisfaction, where can we invest profitably, which are the pain points we need to address, where should we focus our attention?

The issue is that before you know it, you can be drowning in data. This is one of the biggest challenges companies face: how to effectively “gold pan” your digital data? To solve it, you need to combine three skills which don’t often come together:

  1. business acumen (you need to understand what the business is about as well the economics of revenues and costs by product, customer and channel).

  2. digital proficiency (understand the digital levers and prioritise them based on the former).

  3. data wizardry (how to quickly and then consistently provide the right information to execute the key processes).

This is very much my speciality, passion and business; and I am really proud to have seen businesses turn around fast whilst cutting their marketing addictions, by focusing on those areas that mattered.


Tip #5: a digital transformation is all about the culture

Combine the previous tips, and you start getting the picture of what a digitally transformed company looks like. It is:

  1. customer-centric as opposed to inward looking.

  2. fact based rather than opinion based (let alone HIPO based: Highest Income Person’s Opinion).

  3. sharing and connecting information rather than leaving it standing in silos.

  4. favouring collective intelligence rather than ego.

It is a strong team culture where the energy is focused on collectively beating the outside competition.


Tip #6: it starts from the top

The digital transformation needs to touch all the parts of the organisation, cut across silos and foster a sharing culture. It cannot just happen or be contained to a specific team or department.

No digital transformation can happen unless it is sponsored by the CEO and the C-suite embraces the digital ethos: the C-suite creates cohesion by setting a compelling vision, and embodies the company values by leading by example.


Tip #7: it is not about technology, even less about money

Obviously, having modern tools such as analytics, CRM tools and the ability to gather customer feedback and act on it, and investing effectively in marketing, is important, and technology can support companies’ execution very effectively.

However, none of the internet stars was ever created by hiring hundreds of Big 6 consultants or splashing money on expensive technology: digital transformation projects relying on technological promises will fail more often than not.

A focus on technology misses the digital ethos and culture dimension, moves the focus away from daily execution and absorbs precious management and staff bandwidth: very often, process improvement generates better benefits than new developments.

Technology-led projects also tend to pay for themselves by reducing staff, sometimes to the detriment of customer service or operational excellence.

Money is even more questionable, as technology is increasingly cheap and evolves very fast: investing a lot in a tool which can be obsolete by the time it is implemented is not always very effective.


Tip #8: there is no silver bullet

Companies are bombarded by the latest tool which can turn around the business in the blink of an eye: I have got news for you, there is no magic wand or silver bullet.

You as management of the business and only you own the future success of the company, by proper planning and mobilising your workforce. We can help you there, using simple but effective audit and planning methods to identify your key areas of focus, and developing effective plans and processes accordingly.

This is really my business: helping businesses see the wood for the trees, and bringing people together around a compelling project. More Dumbledore than Harry Potter, really.


Tip #9: you need to focus on what you are best at, and work with trusted partners

There are very few pure digital or technological companies. Whether you are a travel agent, an airline, a retailer or a law firm, your company has a clear product and services proposition, and customers will keep on working with you based on the quality and consistency of those products and services, and how well you treat them. Period.

In a fast-changing and highly technical data and digital world, it is hard to hire and retain individuals and build strong teams from scratch. Competition is high, and you also need to give their fair share of daily challenge to individuals who are motivated by problem solving.

It is also very difficult to build a pragmatic but effective digital architecture to support your business. The good news is that we can help you on both aspects, recommending and implementing simple, effective tools which will not break the bank but deliver high value. We also train your people to look at the data they need to constantly improve the company performance.


Tip #10: it is beautifully simple

You soon realise that digital transformation is a new name for business re-engineering, or no more than a reformulation of how best to create a business for the long term.

It is about developing a compelling customer proposition, focusing on the execution and customer service, communicating effectively (Brand is really the formulation of the company proposition), underpinned by a great company culture based on facts, trust and accountability.

Having done this a few times now for small, medium and big companies, I will be delighted to help your business thrive.

I cannot recommend enough the read of the attached article: What is still baffling me is how fresh and accurate it is despite dating back to … 2001, yes, that’s right, 16 years ago and counting.


Corporate incubators – the best or worst of both worlds?


The news that Coca-Cola has closed down its Founders startup incubator has led to the usual raft of “I told you so”s saying that it’s because corporate startup incubators don’t work – but are they right?

I have been involved with three big companies launching internal startup “incubators”/”Labs” teams so far…and what have I learnt?

Firstly I think it is done for good reasons.

Startups normally have good people, energy, good ideas, leading edge tech, a low cost approach, a high risk appetite and a willingness to challenge orthodoxies. They just want to get stuff done.

Big companies normally have deep pockets, millions of customers, a great brand and experience of operating at scale.

Surely the best of both worlds would be for big companies to launch startups? What could go wrong?

Well, quite a lot as it happens.

Mistake #1 – Not defining what you want the startup to achieve

In other words what will success look like?

It sounds simple, but there is a spectrum of “innovation” ranging from far-horizon R&D to tactical (incremental) improvements to existing products and services.

What is wanted/needed? Success needs to be defined and solved for.

In general the startup should not be given special treatment…”success” is to create a growing business that attracts and retains customers.


Mistake #2 – Not getting total organisational buy-in and executive sponsorship

Sooner or later the startup will be stopped dead in its tracks by a blocker if the whole of the organisation isn’t behind it – from the top downwards. With the best will in the world active and passive resistance will be met and the startup needs to be able to wheel in very senior people to call bulls*t and unblock things.


Mistake #3 – Integrating the startup so tightly that it effectively becomes another corporate department

The whole point of a startup is to do something different, so if you insist it uses existing people, existing corporate assets and the current approaches you will get what you already have. You need to achieve a loose coupling whereby the startup has the freedom to choose between doing something new and leveraging corporate infrastructure, case by case, based on what is best for the startup.

Mistake #4 – Getting the wrong people to “be” the startup

If you are going to create a startup you need to do what startups do. This means a team of self-selected, great people who are passionate about what the startup wants to do. If you ask one of the big system integrators/consultants to create a startup within your company you might end up back in worst-of-both-worlds territory. The people in the startup don’t necessarily need to be existing or new employees either – they just need the talent and drive to deliver the goals. Organisations like can supply high-impact interim talent at short notice into these kinds of situations very successfully. Possibly the best loved UK retail brand will soon be launching a new customer service (that is very different to its current business) using this approach, and the person in that team is part of a startup that stands comparison (in terms of talent and effectiveness) with any of the many startups I’ve seen.


​Mistake #5 – Not integrating the new product/services back into the Mothership

We created a Labs operation when I was CTO of Yell and we did nearly everything right. We hired great people, they developed a great micro-culture, they produced some really innovative products and services (including a really cool augmented reality app way back in 2010), but we never really managed to integrate the new things back into the existing business and deliver customer impact. For that reason it has to be marked down as a failure overall.

Corporate startup incubators can be a graveyard for ambition (and there are a lot of traps for the unwary) but it can be done successfully – Telefonica’s launch of giffgaff and British Gas’s Hive are just two examples that come to mind.

As with a lot of things, in this area experience is a great teacher and nothing beats getting people involved who have been there, done it and have the scars to prove it.

Rorie Devine is an Interim CTO, CEO and Growth Hacker for

To Be Successful Get A Mentor


There are no silver bullets in being successful in business but the data (and a lot of anecdotal evidence) shows that as well as bringing in the best possible talent (from naturally) the other critical thing you can do to maximise your chances of success is to get a mentor.

In the Leena Nair, Chief Human Resources officer at Unilever, says “women who are mentored have a higher chance of being appointed into senior roles”.

The Business Finance Taskforce set up a website to help SMBs find a mentor here.

What is a mentor?


A mentor is someone willing to offer guidance, help, advice and support to make you as successful as possible in your professional life. The more applicable their experience is (and the better their interpersonal skills are), the more beneficial the relationship may prove to be. Mentoring can be conducted face-to-face ¦ phone ¦ hangout, as little or as often as suits the mentor and mentee.


What is the difference between coaching and mentoring?




Mentoring:

  • Is normally part of a long-term relationship. Getting the right mentor and mentee chemistry is critical.
  • Done 1:1 online ¦ face-to-face as often as works most effectively for the mentee and mentor
  • Can look at high-level ¦ big-picture issues and underlying enablers ¦ constraints

Coaching:

  • Can be time-bound and for a fixed duration…whatever is needed by the mentee
  • Can be done in a group ¦ workshop setting with people facing similar challenges
  • Can focus more on short-term challenges ¦ goals to set people up for success in the near term


A mentor might ask a mentee…


  • Tell me about what’s going well ¦ not so well for you at the moment
  • What would success look like now? what would success look like in three years?
  • What things are under ¦ out of your control? what is stopping you?
  • What was the last thing you learnt?
  • What is your plan?


How can you find the right mentor?


If you don’t know someone you can approach directly to be your mentor the next best thing is to talk to us at

We have a network of >50 successful people from all business sectors and stages and we will match you up individually with the perfect mentor for you.

Please give us a shout on 0800 246 5735 or

More detail on our newly formalised mentoring programme can be found here.


What do people say?

I’ve been working with a CTO coach and have really appreciated and valued their expert advice. I would definitely recommend them for technology business leaders who want to progress their career.

Mark Tindal Head of Integration and Development (at the time) KCOM


They are calling us the “Uber for talent” at because we provide interim talent where you need it, when you need it and only for as long as you need it…

What is the Difference Between a CIO and a CTO?


There is no universal definition but to me;


CTO:

Has a bias to working “in” the team rather than “on” the team.

Has a bias to look “in” rather than “out” from the Tech Team.

Is passionate about Technology and how it can be used to create competitive advantage for their company.

Reads Hacker News, Slashdot, has and uses a GitHub account.

Might have come up through the more “technical” routes of Architect, Development Manager etc.

Is the primary technology evangelist and advocate in the company.


CIO:

Has a bias to working “on” the team rather than “in” the team.

Has a bias to look “out” rather than “in” from the Tech Team.

Is passionate about getting a positive ROI from the company’s technology spend and how much competitive advantage is being created for their company.

Reads, and is thinking about doing an MBA one day…

Might have come up through the less “technical” routes of Service Delivery, Programme Director etc.

Very much views technology as a “how”, not a “what”.

Of course a company wants/needs both of these perspectives to varying degrees during different stages of its growth and it’s why having a CIO and CTO might be the optimum structure once a company has reached the appropriate size/maturity.

Need to top-up your talent? Check out the “Uber of talent” – talent where you need it, when you need it and only for as long as you need it…

Win In IT And Business


I’ve just sat through a very interesting and informative presentation by Sir Clive Woodward (the World Cup winning England Rugby coach) at the “Art of Work” seminar from SAP and Microsoft Azure to announce their strategic partnership.


What is perhaps a bit less well known about Sir Clive is that he is also a very successful businessman, having founded a number of businesses in areas ranging from IT leasing through to speaking and coaching high-performance teams.


The theme of Sir Clive’s talk today was using technology to win and he pointed out that in both business and sport


Whoever Wins in IT Wins


3 D Learning


Sir Clive talked about the 3 D’s of learning


Discover – get ideas on how to improve from anywhere and everywhere. Be a sponge.


Distil – select and simplify and communicate the best ideas.


Do – practice practice practice to implement the good ideas. This bit is critical – other people can have the same ideas but the quality of execution is the most important thing.


Sponge v Rock


Sir Clive made the point very well that people that are successful in both sport and business have one really important thing in common in that they are receptive to new ideas and approaches (they are like a “sponge”) rather than rigid and unchanging like a “rock”.


Sir Clive described how he felt he wasn’t a great ideas person but he was very good at spotting good ideas, so he used to invite people from all walks of life to observe how he worked in England Rugby training camps, with one condition: at the end of their time with the team they had to suggest at least one thing the team could do better.


Sir Clive said that without exception the 50 or so people who attended the camps came up with good ideas on how to improve.


Sir Clive recalled that one of the things that made the leaders in his World Cup winning team so effective was their deep knowledge of the game and one of the ways this had been achieved was the use of the Prozone system.


After watching the Prozone animations of the game the England players were asked to present back to the coaching team their thoughts on


How they played

How England played

How their opposite number played

How the opposition played


Sir Clive said it was a very worthwhile exercise for both the players and coaching staff that always brought out useful ideas and concepts.


Overall it was a very thought-provoking presentation from a proven winner that made a lot of points about how collaborative leadership and encouragement of individual and team “self” awareness are critical ingredients in the formation of high-performing teams.



Defence Against The Dark Arts Credential Stuffing Attacks


Credential Stuffing attacks are where an existing list of usernames / email addresses and cracked passwords is replayed against your site by an attacker to perform Account Take Overs (ATOs).


These lists of usernames / email addresses and their passwords are available on the dark web, and often originate from previous database breaches (LinkedIn, for example) where the weak scheme used to protect the stored passwords has since been cracked, resulting in full login details for millions of users being available for replay.


Because so many users reuse passwords, replaying this list against your site will result in some valid logins for the attackers – and they then exfiltrate any personally identifiable information (PII) from the users’ accounts to potentially sell.


A PII record is worth a dollar or two depending on completeness – but if they can harvest thousands or millions of PII entries by accessing that many accounts on your site, it’s a lucrative business.


Various tools such as exist for performing these types of attack – and if the infiltration is ‘low and slow’ it’s very hard to detect a few failed logins per second amongst all the noise.


Prevention / Preparation


Keep max login retry limits low (though in credential stuffing the attacker already has a username/password combo, so this is minimal protection).

Make sure you rate limit based on session IDs, and add a Captcha and reverse Captcha by default on login. ‘Feature toggle’ the Captcha so it doesn’t have to be on all the time, annoying your users.

If you want to get sophisticated you can make this risk based – so the Captcha only springs up when some aspect of the user is suspicious. (Google’s reCAPTCHA is pretty clever and non-intrusive these days and does risk profiling too.)

You still need a reverse Captcha too though, as it can be left on all the time because it’s invisible to users – there may be circumstances where product folk want to lift the ordinary user Captcha.

Ensure you’re returning 401 and 403 HTTP codes appropriately in your login validation code (this will facilitate efficient firewall rules).

If attacked you could set some iRules so that repeated 401/403s from a single IP result in a ban on that IP for 10 minutes, for example. This is not so easy if you just 302 to /failedlogin.html as you’ll have lots of other legitimate 302s.

Make sure you consider your APIs too – an API gateway of some sort should offer throttling mechanisms.

Consider something like Cloudflare, Ravelin or their competitors – they do lots of profiling and filtering of suspicious IPs and tools, or ATO plugins, and may solve your problem invisibly upstream.

Make sure you’ve built the capabilities for password reset and account suspension for corralling any compromised accounts.

Implement user device profiling, where each new device a user logs in from is recorded and exceptions flagged to users for validation – numerous libraries exist for this.

Ensure you close the loop in verifying users’ email addresses and, if possible, phone numbers too.

Implement 2FA (two-factor authentication) or MFA (multi-factor authentication) – the gold standard of login verification, where users have some kind of key generator with them (Authy / Google Authenticator / YubiKey).

Though this may not be applicable for high volume sites with non technical users, offering it gives you options for expert users.

Do a red team simulation for credential stuffing to see if it gets spotted by your team.

During registration, consider a spot check on new credentials to or similar — and potentially warn them about strong unique passwords if their username/email is known (careful messaging required!)

See also OWASP’s guide on this at
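As an added example (not code from the post or from its author), here is a minimal login handler in Python that puts several of the points above together: distinct 401 and 403 responses, a feature-toggled and risk-based Captcha, a reverse-Captcha honeypot field, a low lockout limit, and new-device flagging. The in-memory user store, the request dictionary and the risk signals in is_risky are constructed assumptions standing in for a real web framework and its telemetry.

```python
"""Login validation with distinct 401/403 codes, feature-toggled and
risk-based Captcha checks, a reverse-Captcha honeypot, a low lockout limit
and new-device flagging. Added illustration, not the post's own code; the
user store, request shape and risk signals are constructed assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5  # keep the retry limit low

# Product can switch the visible Captcha off; the invisible honeypot stays on.
SETTINGS = {"visible_captcha": False, "risk_based_captcha": True}

AUDIT = []  # one dict per attempt; feeds the separate failed/unknown/success monitors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds a reversible form.
    Tune the iteration count upwards for production hardware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False
    known_devices: set = field(default_factory=set)


def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


# Constructed in-memory user store (hypothetical).
USERS = {"alice": make_account("correct horse battery staple")}
# Salt used to burn the same hashing time for unknown usernames, so response
# timing does not reveal which accounts exist.
DUMMY_SALT = secrets.token_bytes(16)


def device_fingerprint(user_agent: str, accept_language: str) -> str:
    """Coarse client fingerprint: enough to notice an unfamiliar device type."""
    return hashlib.sha256(f"{user_agent}|{accept_language}".encode()).hexdigest()[:16]


def is_risky(request: dict) -> bool:
    """Hypothetical risk signals; a real deployment takes these from its own telemetry."""
    return request.get("failed_in_session", 0) >= 2 or request.get("ip_reputation") == "bad"


def audit(result: str, username: str) -> None:
    AUDIT.append({"result": result, "user": username})


def login(request: dict) -> tuple:
    """Return (HTTP status, body).

    401 = credentials rejected; 403 = request refused regardless of credentials
    (Captcha required, honeypot filled, account locked). Keeping the two
    distinct lets perimeter rules count them separately.
    """
    username, password = request["username"], request["password"]
    needs_captcha = SETTINGS["visible_captcha"] or (
        SETTINGS["risk_based_captcha"] and is_risky(request)
    )
    if needs_captcha and not request.get("captcha_ok"):
        return 403, {"error": "captcha_required"}
    if request.get("honeypot"):  # reverse Captcha: hidden field humans never fill in
        return 403, {"error": "rejected"}

    account = USERS.get(username)
    if account is None:
        hash_password(password, DUMMY_SALT)   # same cost as a real check, see above
        audit("unknown_user", username)       # logged distinctly for the monitors ...
        return 401, {"error": "invalid_credentials"}  # ... but not revealed to the client
    if account.locked:
        audit("locked", username)
        return 403, {"error": "account_locked"}
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True  # suspension; cleared via the password-reset path
        audit("failed", username)
        return 401, {"error": "invalid_credentials"}

    account.failures = 0
    fp = device_fingerprint(request.get("user_agent", ""), request.get("accept_language", ""))
    new_device = fp not in account.known_devices  # flag to the user for validation
    account.known_devices.add(fp)
    audit("success", username)
    return 200, {"ok": True, "new_device": new_device}


if __name__ == "__main__":
    print(login({"username": "alice", "password": "wrong"}))
    print(login({"username": "alice", "password": "correct horse battery staple",
                 "user_agent": "ExampleBrowser/1.0", "accept_language": "en-GB"}))
```

Note that an unknown username and a wrong password return the same body and take the same hashing time, so the endpoint does not confirm which accounts exist, while the audit record still distinguishes them for the separate monitors described below.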




You need separate monitors / alerts on:

Failed logins

A spike in failed logins is a clue for brute force and credential stuffing.

Logins for non-existent users

A spike in logins for non-existent users is a clue for credential stuffing – these are the mismatched emails / usernames you don’t have on your system being stuffed in. Have a long look at both failed-login monitoring alert sensitivities, and assume the worst on any prolonged tickle.

Successful logins

A spike in successful logins only could be a clue that someone’s stolen your user credentials from your DB (though why they’d then swarm your login page is a mystery).

Accounts locked due to repeated failures

Again an indicative clue to brute forcing.

Any other key metrics you capture around login or account traversal (changing card details, changing user email addresses) should also be emitted and measured for unusual activity. These are post-breach, so not ideal – but still very worthwhile in case you miss something subtle initially.

The detection thresholds on these login attempt alerts should ideally be sophisticated and use correlations, anomaly detection and machine learning – it’s the only way to really spot the low and slow subtle attacks.
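To make the monitoring concrete, here is an added Python example (not from the post) that builds the separate per-minute metrics named above from constructed log lines and flags a spike against a trailing baseline; it also computes the share of attempts naming non-existent users over a longer window, one simple way of surfacing the low and slow case that per-minute spike thresholds miss. The log format and the sample traffic are assumptions.

```python
"""Per-minute login metrics and simple spike alerting over constructed log
lines. Added illustration, not the post's own code; the line format and the
traffic it generates are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed audit-log line: "<iso timestamp> ip=<addr> user=<name> result=<outcome>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# The outcomes the text says to monitor separately.
METRICS = ("failed", "unknown_user", "success", "locked")


def build_sample_log():
    """Construct an illustrative log: ten quiet minutes, then one noisy minute.

    Constructed data, not captured from any real system."""
    start = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(10):
        t = start + timedelta(minutes=minute)
        for i in range(6):  # six ordinary successful logins a minute
            ts = (t + timedelta(seconds=i * 8)).isoformat()
            lines.append(f"{ts} ip=198.51.100.{i} user=user{i} result=success")
        ts = (t + timedelta(seconds=50)).isoformat()
        lines.append(f"{ts} ip=198.51.100.9 user=user9 result=failed")  # one typo a minute
    burst = start + timedelta(minutes=10)
    for i in range(40):  # stuffing burst: wrong passwords and unknown users from one /24
        result = "unknown_user" if i % 2 else "failed"
        ts = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.{i % 8} user=victim{i} result={result}")
    for i in range(3):  # real users keep logging in during the burst
        ts = (burst + timedelta(seconds=45 + i)).isoformat()
        lines.append(f"{ts} ip=198.51.100.{i} user=user{i} result=success")
    return lines


def parse(lines):
    """Parse lines into (timestamp, ip, user, result); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # a monitor must not crash on one bad line
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def bucket_by_minute(events):
    """Return {minute_start: Counter(result -> count)} in time order."""
    buckets = defaultdict(Counter)
    for ts, _ip, _user, result in events:
        buckets[ts.replace(second=0, microsecond=0)][result] += 1
    return dict(sorted(buckets.items()))


def detect_spikes(buckets, metric, k=3.0, min_count=10, baseline_minutes=10):
    """Flag minutes where `metric` exceeds mean + k*stdev of the preceding
    `baseline_minutes` and also exceeds an absolute floor, so a single extra
    event over a near-zero baseline does not page anyone."""
    times = list(buckets)
    alerts = []
    for i, t in enumerate(times):
        hist = [buckets[p][metric] for p in times[max(0, i - baseline_minutes):i]]
        if len(hist) < 3:
            continue  # not enough history to call anything a spike
        threshold = mean(hist) + k * pstdev(hist)
        count = buckets[t][metric]
        if count >= min_count and count > threshold:
            alerts.append((t, metric, count))
    return alerts


def unknown_user_ratio(events, window=timedelta(hours=1)):
    """Share of attempts in the trailing window that name accounts you do not have.

    Legitimate traffic mostly names real accounts, so a low and slow run of
    mismatched usernames from a breach list shifts this ratio even when no
    single minute trips the spike threshold."""
    if not events:
        return 0.0
    end = max(e[0] for e in events)
    recent = [e for e in events if e[0] > end - window]
    unknown = sum(1 for e in recent if e[3] == "unknown_user")
    return unknown / len(recent)


if __name__ == "__main__":
    evts = parse(build_sample_log())
    per_minute = bucket_by_minute(evts)
    for metric in METRICS:
        for t, m, n in detect_spikes(per_minute, metric):
            print(f"ALERT {t:%H:%M} {m}={n}")
    print(f"unknown-user ratio over trailing hour: {unknown_user_ratio(evts):.2%}")
```

Each metric gets its own alert with its own floor, which is the "separate monitors" point: the burst minute trips the failed-login and non-existent-user monitors while the successful-login monitor stays quiet, and the trailing ratio is the kind of slower-moving signal you would feed into correlation or anomaly detection for the low and slow case.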


When under Attack


Turn on Captcha.

Look for patterns in the attack: are there clues to a specific hack tool – perhaps repeating user agent strings, odd protocols like TLS 1 or timings that you may be able to profile?

You can set some iRules for repeated 401/403s from a single IP to ban the IP for 10 minutes, for example.

Dump suspicious IPs from threat intelligence reports, or those with high volumes, altogether.

Or rules to filter on unusual user agents / matching TLS profiles (though this may cause collateral damage, shedding some real users).

Block IPs outside your customer geography if possible – is there any other way of shedding suspicious traffic?

Check threat intelligence sources, looking up the dodgy IPs you see for more info.

Slow down logins – irritating for users, but it throttles the attack.

Are accounts being compromised? If so, is there a pattern – can you get ahead of it?

Try to catch the traffic as close to the perimeter of your network as possible.

Check this isn’t just a feint for something worse. Check your other alerts for signs of intrusion to backend systems while they’ve kept you busy chasing this login tidal wave.

Call the Police.
Call the FBI / GCHQ / cyber authority in your geography.

They can perhaps perform ‘upstream disruption’:
Shutting down sites the tools being used are deployed on
Identifying and arresting individuals performing the attacks
Throttling traffic at ISPs or even further upstream
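As an added Python example (not the post’s or any vendor’s code), here is the ban rule mentioned in both the prevention and the under-attack lists, alongside a simple traffic-shedding check: repeated 401/403 responses from one IP within a trailing window earn that IP a 10-minute ban, while redirects are ignored, which is exactly why a bare 302 to a failed-login page gives the rule nothing to count. The suspicious user-agent substrings, threat-intel IPs and the network list standing in for customer geography are constructed placeholders; a real deployment would take them from its own attack observations, intel feeds and a GeoIP lookup.

```python
"""Temporary per-IP ban after repeated 401/403 responses, plus a traffic-
shedding check for known-bad IPs, legacy TLS, unusual user agents and
out-of-region sources. Added illustration, not the post's own code; every
list below is a constructed placeholder."""
import ipaddress
import time
from collections import defaultdict, deque

BAN_SECONDS = 600       # ban the IP for 10 minutes
WINDOW_SECONDS = 60     # count rejections inside this trailing window
MAX_REJECTS = 10        # rejections in the window that trigger a ban


class RejectBanList:
    """Counts 401/403 responses per source IP and bans repeat offenders."""

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock for testing
        self._hits = defaultdict(deque)   # ip -> timestamps of recent 401/403s
        self._banned_until = {}           # ip -> epoch seconds when the ban lifts

    def record(self, ip: str, status: int) -> None:
        """Feed every login response here. Only 401/403 count: a 302 to a
        failed-login page looks like every other redirect, so it gives this
        rule nothing to work with."""
        if status not in (401, 403):
            return
        t = self._now()
        q = self._hits[ip]
        q.append(t)
        while q and q[0] < t - WINDOW_SECONDS:
            q.popleft()  # drop rejections that have aged out of the window
        if len(q) >= MAX_REJECTS:
            self._banned_until[ip] = t + BAN_SECONDS
            q.clear()

    def is_banned(self, ip: str) -> bool:
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self._now() >= until:
            del self._banned_until[ip]  # ban expired
            return False
        return True


# Constructed placeholders: a real deployment fills these from its own attack
# observations, threat-intel feeds and a GeoIP lookup.
THREAT_INTEL_IPS = {"203.0.113.77"}
SUSPICIOUS_UA_SUBSTRINGS = ("python-requests", "curl/")
LEGACY_TLS = ("TLSv1", "TLSv1.1")
CUSTOMER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # stands in for customer geography


def shed_reasons(ip: str, user_agent: str, tls_version: str) -> list:
    """Return the reasons (empty if none) for dropping this request at the edge.

    Every rule here can shed real users too, so log the reasons and review the
    collateral damage rather than applying them blindly."""
    reasons = []
    if ip in THREAT_INTEL_IPS:
        reasons.append("threat_intel")
    if tls_version in LEGACY_TLS:
        reasons.append("legacy_tls")
    if any(s in user_agent for s in SUSPICIOUS_UA_SUBSTRINGS):
        reasons.append("user_agent")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in CUSTOMER_NETWORKS):
        reasons.append("geo")
    return reasons


if __name__ == "__main__":
    bans = RejectBanList()
    for _ in range(MAX_REJECTS):
        bans.record("203.0.113.5", 401)
    print("banned:", bans.is_banned("203.0.113.5"))
    print(shed_reasons("203.0.113.77", "python-requests/2.31", "TLSv1"))
```

The clock is injected so the ban and window expiry can be exercised without waiting; in a real edge deployment the same counting logic lives in the load balancer or WAF rule rather than in application code.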



Have an incident plan ready – it’s a fair bit of planning but pays off in a crisis.

Comms is key:
Internal folk (tell them, but don’t say too much)
Different customer classes (tailor the message)
Regulatory bodies in your industry

Your suppliers
Be careful of any precedent for refunds / goodwill
Consider getting hack insurance in advance
Police – report as a crime
GCHQ / FBI
Involve your legal team and have them run their eye over comms.

How To Be A Successful Interim CTO

I get the impression that a lot of people are actively looking at interim CTO assignments now who might not have considered them in the past.


So what is the same/different about being an interim CTO consultant or full time employee, and how can you maximise your chances of success if you make the leap?


In my experience very few people get treated any differently day-to-day in interim CTO roles than “permanent” employees. The fact that you’re an interim CTO won’t be a big issue, but the expectations of you as an interim CTO can be higher.


You might be expected to be an expert on more things, and you’ll probably be expected to have a measurable impact – perhaps more quickly than a new full time employee would be.


You could also get more latitude to challenge the orthodoxy, not be expected to navigate the company politics so carefully, and have your change agenda considered more dispassionately.


So how do you make sure you’re successful in your first interim CTO consultant role?



The first (and maybe obvious) point is to choose the right role.


Don’t set yourself up for failure by taking an interim CTO role with a team size, company culture or business model you’re not absolutely confident you can add real value to. Ultimately what you “sell” is your reputation and track record – don’t be tempted to risk it by taking on a role you’re not 100% right for.


Once you have found the right role, and before you start, make sure you are very clear about the brief. 


Make sure you really understand what success will look like in the potential role.


Sometimes a company’s real wants and needs can’t be articulated clearly and you have to use your experience and intuition to read between the lines about why they want to hire you. Make sure you understand whether you will need to be a good cultural fit or being counter-cultural is one of the reasons why they want to hire you.


When you start, get the basics right: always arrive on time and dress similarly to the prevailing dress code in the team.


At the early stages of any assignment make sure you don’t write cheques you can’t cash by promising unachievable things. There is no surer way to destroy your credibility (and make enemies of other people) than by promising things that can’t be done. It’s a subtle situation: you may have been brought in to increase urgency and delivery, so any goals you agree need to be ambitious but achievable.

So, what is the most important thing to do when you arrive?


It is to listen. Never make the mistake of joining with a “here’s the tell me about the problem” approach.


In your first week try and meet as many people in the team as possible.


It’s important for you to get to know the team, and for them to get to know you, so scheduling 30-minute interviews with each team member to ask the sort of questions below will very quickly create a picture of what you’re walking into.


Example Interview Questions

  1. Are you enjoying it here at the moment?

  2. What are our key responsibilities as a team do you think?

  3. As a team, what do we do well do you think?

  4. What do we need to get better at?

  5. Who are our stars?

  6. Does anyone in the team need help to be more successful?

  7. How could we get more customer outcome focussed?

  8. How could we move faster?

  9. Would you recommend working here to a friend?

  10. What three things would you do if you were me?

  11. Anything else we should talk about?


After the interviews an interesting exercise is to allocate any team member mentioned as a “star” in question 5 a +1 and any struggling team member mentioned in question 6 a -1. Adding up all the scores will give a quick but surprisingly accurate team talent map.


Question 9 can also be used to create a quick team “NPS” score.


At we like to end the first week of a new assignment with a “Week One Playback” with the person that sponsored the appointment. It’s a great opportunity to discuss the SWOT (Strengths, Weaknesses, Opportunities, Threats) found so far and calibrate it against what the sponsor wants.

Remember to add value to your client in any way you can as well. It’s not just about the goals. Doing things like sharing their job postings on LinkedIn, mentioning them in any interviews you do, retweeting their tweets, liking their Facebook page, and so on, all help.


Don’t “penny pinch” the client either. What “goes around comes around” so if taking a phone call or sending a quick email in non-client chargeable time helps solve a problem or keep momentum up then do it. You’ll be judged on your impact at the end of the day.


The last thing to remember is…to know when to move on.


You know when you’ve achieved your goals or hit the diminishing returns point on the value curve.

Don’t wait to be replaced. Proactively suggest a new way to add value to the client if one is appropriate, or move on to your next challenge with another successful engagement under your belt.


So there you have it. To be a successful interim CTO consultant you need to choose the right role, deliver as much value as you can, and then move on as soon as you’ve done it.


We summarise it at with our motto of “Be Of Value”. If you do that at all times you will be successful.


Being an interim CTO consultant won’t be for everyone but if you get your sense of accomplishment from delivering business impact and enjoy variety and challenge then maybe it’s for you?


Interested? Give us a shout on or 0800 246 5735 for an informal chat…