Unless you’re just starting a new business from scratch, it is difficult to force big security policy changes across everyone in the company.

There are lots of things you “should” be doing. Whether this is rolling out a new device management platform to ensure everyone has the latest software updates or moving everyone to use a single-sign-on platform for all company logins, if you don’t do it from day one then it simply takes time to change existing practices.

Various events might trigger a revamp of your approach to security. It might be a big customer asking for supply chain assurances, it might be trying to sell into a particular industry like finance of government, or it may even be a security incident.

Security is never “done”. Rolling out device management across all company computer equipment is a big, time consuming project. But there are small wins that employees can do that will set the organisation apart from most other businesses, because most companies are horribly insecure.

At Server Density, we used a simple checklist that everyone would verify every 6 months. Once the initial setup is done when an employee joins, it only takes a couple of minutes to verify. It addresses the basics of ensuring the doors are locked and doesn’t require any specialist knowledge for most steps. Here’s the checklist.

A basic startup employee security checklist

This is specific to the services we used at Server Density, so may need adjusting for your own environment.

1. Have you enabled 2 factor auth on key accounts?
   1. Braintree.
   2. Google.
   3. Github.
   4. [… All key company services listed here]
2. Do you have full disk encryption enabled?
3. Are you storing any sensitive or important files locally e.g. customer lists, strategy documents, private keys?
   1. If so, are they actually local or have they been placed into a cloud “dropbox” (e.g. Google Drive, Dropbox).
   2. If they are in a cloud dropbox, ensure they are either removed (and deleted from the cloud service) or encrypted (use PGP).
   3. If you subsequently encrypt a previously plain text file, be sure the cloud service has not just written a new version and you cannot restore the previous version!
4. Are you running the latest OS version?
5. Do you have a strong OS password?
6. Confirm the password activates on sleep / screensaver.
7. Are you running the latest browser version?
   1. Be sure to restart Chrome regularly so it can apply updates.
   2. Enable click-to-play to prevent browser plugin vulnerabilities.
8. Are you using a password manager e.g. 1Password?
   1. Do you have a strong master password?
   2. Is the master password different from your OS password?
   3. Are you using different passwords for every account?
9. Do you have a passcode on your mobile device?
10. Review your Google Account security
    1. If you set a backup email, make sure it also has multi factor authentication enabled.
    2. Install this Chrome Extension to protect against phishing on your Google account.

I just read a great post about what makes a good board member, from the perspective of the board members themselves. Last year I wrote about how to get feedback from your board, but that is just the last part of a good meeting.

Thinking back on the many board meetings I’ve attended as both a CEO and Non-Exec Director, there are a few characteristics which make for the best meetings.

The context is a technology startup (20 employees) with a board consisting of 4 members (x1 VC representative, x1 angel representative, x1 independent and x1 CEO). Things may be different at larger sizes, although the principles are likely similar.

The board are well informed

You can’t have a proper discussion if the participants do not have the same level of knowledge.

Part of being a good CEO is providing the board with the relevant briefing notes with sufficient time to read them, typically 48-72 hours before the meeting.

Part of being a good board member is ensuring you have read and digested all the briefing notes in advance. Any specific, factual questions should be asked in advance but comments and discussion of the items should be left for the meeting itself.

That is the minimum you have to do.

I also sent out monthly investor updates which went to the board as well. I often had discussions and chats about certain specific issues with individual board members. The balance is between having the board involved as operational executives (which is too much) and having them so high level they don’t have sufficient context to discuss and make key decisions. Only updating them in advance of the board meeting probably isn’t enough to ensure quality engagement.

The board debate a few key issues

The majority of the meeting should be taken up by detailed discussion of 2-3 major issues, briefed in advance.

Everyone needs time to consider the materials and apply them to the issues at hand. You want everyone to form an opinion and be able to discuss it in the meeting.

The best decisions happen when everyone if sufficiently informed to have a debate about the issue at hand and be able to effectively advocate for their point of view.

The worst decisions happen when the decision is made by default because some participants are defeated by someone who is simply better prepared.

There is a reason why we have an adversarial system for English jury trials and the UK Parliament – properly argued debate produces the best decisions. The same applies for company boards.

Good governance involves being a critical friend, and you can only be critical if you have the right information with which to criticise constructively.

The board meeting is structured

The agendas I provided were typically structured like this:

1. 5-10 minutes for questions on materials provided. This is specifically scoped to the numbers and written status updates.
2. 30-45 minutes for 2-3 key areas of focus. Briefing materials would have been provided in advance to provide additional context. I would try and provide a question that we were aiming to answer, so as to ensure we actually made a decision at the end rather than just had a nice chat with no resolution.
3. 10-15 minutes for CEO feedback.
4. 5-10 minutes for anything unscheduled.

The timings were important because it allowed me to provide guidance on how important an issue was and ensure that we kept on track. They were not 100% strict but did allow me to pull things together when we were drifting off track.

Note that there is no time allocated for status updates or reviewing materials – that is all provided in advance and time is only allowed for questions relating to them. It’s a complete waste of everyone’s time to be using the meeting to listen to status updates.

How far back does your email archive go? Years, decades? What kind of discussions, opinions and sensitive files would a search reveal?

What damage could be done if someone got into your email? Your thoughts on people your know? Maybe crucial negotiation documents? Things that probably shouldn’t be public?

Email is a terrible way to store information. It is not supposed to be a database – it’s a method of communication. It’s a single place to find out everything you have ever said to anyone.

Not only does email act like a repository of your own communications, documents and discussions, every single from, to, cc and bcc has a copy. You might delete something from your own inbox but it’s probably nicely replicated many times around the world.

At Server Density, we had a policy of automatically deleting all email after 1 year. We had documentation retention policies for types of files which needed to be kept and for how long e.g. financial records for 7 years. But they were all retained in systems designed for the purpose, not email.

Anything of any importance should be saved somewhere else. Dedicated cloud file storage allows you to control access, share links with expiry dates and manage versions. You can encrypt sensitive files and audit access logs.

Knowing your legal obligations to retain specific data types and deleting everything else is good practice. Combine this with sending expiring links to files in cloud storage rather than attachments and you mitigate the risk of other people’s poor security hygiene too.

Email is insecure. It’s not a good database, so shouldn’t be treated like one.

Apple are always used as the example of why design is a crucial differentiator. Having a well designed, easy to use product is regularly cited as why something is better than a competitor.

That was true in 2007 when comparing the iPhone to other phones.

It was true in 2010-2012 when comparing SaaS products to their on-prem, enterprise alternatives.

It’s not true today.

Having a well designed interface with consistent styling and a well thought through user experience is standard.

Consumer products are always a few years ahead of business products but even with SaaS products in 2018, poorly designed products only stand out because they’re now so rare.

It’s certainly not that creating good design is easy to do – it’s still just as hard as it always was. It’s just that customer expectations have changed in the same way that everyone expects “mobile” to include iOS and Android, websites have to work on all major browsers and public cloud infrastructure is the default.

If you find yourself focusing on your product being “beautiful”, “easy to use”, “design led” or leading with “look and feel”, you may need to rethink your competitive positioning.

Server Density has always had a remote working model. My co-founder and I started the company whilst we were at university in the same city (Birmingham) but not the same institution. We didn’t have any money for an office and were still full time students.

Having the constraints of no office and defaulting to remote work is crucial to making the culture work. Everyone has to be bought into that approach, especially the CEO and leadership team. It has to be there from the beginning – you can’t retrofit remote working later.

This means all communication should start asynchronously. We’ve never really used email internally at Server Density – chat has been how we work, first with MSN Messenger (!) then as we hired our first remote team member – HipChat. Now everyone is using Slack.

Being in an office means the default is to speak to someone in person. This is how you build a good in-person culture and get to know people, but it doesn’t work for remote teams. It’s why adding a remote team member into an existing office-based culture usually fails – they’re isolated from the main group.

If you do the reverse – add an office later – then it remains important that chat is the default method of communication. It doesn’t mean that you should never speak to the person sitting next to you. You can build a great, informal culture within the office.  It’s just that you have to put in extra effort to ensure everything important is done via the async communication tools, and/or via video chat.

Being careful with time is a good precedent to set. Meetings are expensive and chat interrupts are distracting. For example, we always start our meetings on time – the calendar time is when the meeting begins, not when people start to turn up. And we encourage the use of Slack’s Do Not Disturb. You can’t avoid meetings though – work to make them efficient.

You can also replicate the spontaneous nature of chatting with people you might not normally do work with, but still see around the office. We recently started a weekly “mystery chat” where everyone in the company is randomly paired with someone else, and they’re given a 30 min slot to have a video chat every week. It’s completely unstructured and you can discuss whatever you like, but has proven to be a popular way to meet and chat to everyone in the company.

Another thing we’ve been doing for years is a weekly “roundup” for everyone in the company. It’s the one compulsory weekly meeting the whole company attends where I give an update on the company progress, goals and numbers, and then everyone has a minute to say something about their week. There’s space for questions after each person has spoken, and it’s an opportunity for everyone to hear what’s been going on throughout the company.

The biggest challenge is building a sense of togetherness. Remote team members can seem isolated, off on their own or appear as independent contractors who happen to be working on the same projects. Having that sense of all working together on a single goal is important in the early days of the company and can be difficult to achieve with a remote team. We do regular in-person meetups for the whole company and I always notice a big difference in how new members of the team behave once they’ve met with everyone else.

Remote teams are a great way to find excellent people who have different goals and approaches to their work compared to everyone living in a small, geographic area. But you can’t ignore real life. Combining the two is essential.

Since I joined Seedcamp as an EIR back in March, I’ve been considering where the biggest opportunities are for startups.

These are the areas where I think we’re still in the early stages of the industry or technology, or need some real innovation to drive better outcomes.

They’re also the areas where I think the overall opportunity is the biggest. This isn’t to say other areas aren’t interesting, I think these have the biggest potential to create companies that can positively affect large numbers of people.

If I was starting a new company, this is where I’d be looking.

1. Cyber security

Even before Server Density was acquired by StackPath, I thought that security was becoming a huge issue, both commercially and within the public sector.

Everything is online and with more and more devices getting direct internet access – both tiny devices in the home and critical industrial systems – the attack surface is expanding rapidly. Technology is advancing quickly and security is not being properly considered.

Having sufficient scale to be able to make real time decisions based on analysis of data will be the key to the success of future security products. This will give Amazon, Google and Microsoft significant advantages because they already see massive volumes of traffic, and make it harder for new startups to establish themselves.

Technology gets all the coverage but human aspects of security are just as important. Most people still don’t take even the most basic of precautions like using password managers and 2 factor authentication.

The market today has too many companies making too many marketing-driven claims without really delivering a coherent set of products, at scale. It will be interesting to see what Alphabet’s Chronicle comes up with. And of course I’m very excited by the things we’re building at StackPath.

2. Space

Elon Musk and SpaceX get all the press coverage for their amazing rocket launches but this is just the beginning. This graph from Founders Fund tells you everything you need to know about the opportunity in space technology:

I think we’re in the 1980s equivalent of the internet era: SpaceX’s rocket technology is analogous to the building the first network backbone cables and the likes of Spire, Planet and Astranis are like the early applications built on the Windows/Microsoft platforms.

The reduction in cost of launching payloads will have the same effect as increasing the speed and decreasing the cost of internet access – a huge market opportunity for a wide range of applications. This begins with near-Earth satellites but will eventually broaden out into the rest of the solar system. The Google/Facebook/Amazon equivalents in space have yet to be created.

3. Healthcare

Every country has their own system, which makes it difficult to create a healthcare company at global scale. That said, out of these three areas the ability to create a positive outcome for the user is the most immediate and direct.

The problems within healthcare are somewhat obvious. Healthcare today tends to focus mostly on reactive rather than proactive and preventative. Lifestyle improvements mean that the demographic is moving towards longer life but with more chronic conditions. And the current approach to funding healthcare is very inefficient and probably unsustainable in the future (in the UK, and very, very expensive in the US).

Just like with cybersecurity, innovative use of the increasing amount of data collected by our devices seems like the are to focus on. Unfortunately, the time to market is significantly longer because regulation adds a barrier for diagnostics and medical devices. Patient safety is crucial but there has to be balance with also allowing new developments.

I would like to see the controlled loosening of regulation like has been done in the financial services sector in the UK. The result has been an explosion of startups and London dominating in FinTech. Can it do the same for medical technology, too?

Last week it was announced that US cyber security firm, StackPath, has acquired Server Density, the SaaS monitoring company I started with a school friend back in April 2009 – over 9 years ago! I’m excited to be joining the StackPath team to lead product engineering and establish their European HQ in London.

Moving into a larger organisation has given me an opportunity to consider my experience running Server Density. I thought I’d get back into my weekly blogging by writing about what I think are some things that I would do differently.

1. Read more (books)

It is only in the last 12 months that I’ve been actively reading more books, and deliberately allocating time for it. I’ve never stopped reading articles and blogs but reading a book is a different type of activity because of the level of detail.

Last summer I set up a book club with my senior team and we all read a randomly selected book each month, followed by a discussion of what we learned, liked and disliked. This led to many different internal experiments and after reading The Five Dysfunctions of a Team and Death by Meeting, completely revolutionised how I think about running teams.

My goal is to read a book a week, but a common complaint I have is that most books are too long! There’s no real reason why non-fiction should be more than a few hundred pages.

Since the end of last year, I’ve been reviewing/rating each book I read on Goodreads and trying to cover a wide range of topics. I have noticed real differences in how I approach problems and think about the world from reading history, philosophy, science, politics and biographies, not just business books. Indeed, there’s an argument that you should read more outside of the field you spend most time in.

2. Hire senior people sooner

Bringing on more experienced people who can take over running core areas of the business is something I left far too long. It was really only in the last couple of years that I delegated key aspects of the business to senior people who could do a much better job than me.

This seems to be a common problem for founders, often because they don’t want to give up control:

2/ Giving up control is hard & it was the hardest for me. I felt like everything at the beginning was important. You can't be good at everything tho. As you grow, I learned it's important to conciously give up things constantly. If you don't, you won't scale & everything suffers.

— Suhail (@Suhail) May 21, 2018

But for me it was more about having the resources to hire the right people. I focused on hiring more engineers to work with me on building out the product. Instead, I should have hired fewer but more experienced people in different areas of the business, not just engineering.

The Mythical Man Month explains why adding more people doesn’t allow you to build software faster. Rather than building a bigger team, I would instead focus on building a more effective team – senior people who have experience to make the right decisions, sooner.

Finding the resources to do this is always a challenge but I believe that founders should find the few areas they should focus on, and delegate the rest.

At the very least that means things like finance, admin, legal. But also ask what else are you spending time on that isn’t good use of your time? What are the most important one or two things you’re doing to push the business forward each day?

This is one of the things that already stands out to me at StackPath. The CEO, Lance Crosby, has done an amazing job at building highly effective teams to run the different areas of the business. The calibre of the people I’ve worked with so far is superb and they are truly empowered to take big decisions.

3. Take (shorter) holidays, more often

As an early stage founder, taking time off probably seems like the most difficult and inappropriate thing to do. When you are covering many different roles it always feels like you don’t have enough time.

But it is never going to be a good time to take a holiday.

No matter how far in advance you plan your break, by the time it comes around there will be some crisis to deal with or some project that isn’t finished yet.

Yet the improvements you’ll get to your state of mind, productivity and ability to come up with new ideas makes up for the couple of days you might not be doing “real work”.

Just like when giving up sleep to work late, you are borrowing from tomorrow to fuel your needs today, not taking a break is sacrificing your long term progress in order to complete a task right now. It may very occasionally be the right choice, but long term debt is always unsustainable.

You don’t always need to take weeks off – a long weekend where you can truly disconnect is probably worth more than a 2 week trip where you’re always checking-in.

Setting your business up so you can step away for a few days is a good way to test the resilience of your people and systems. Hiring a senior team you can rely on will make this a lot easier, and also help you find time for reading!

Originally written for the Seedcamp resources website.

How to find and hire good engineers seems to be a common problem amongst startups of all sizes. Whether you’re looking for your first non-founder hire, an executive level CTO or are building out a large team, sourcing and hiring engineers is difficult.

In this post I’ll start at the beginning with how to go about sourcing candidates – getting applications into the top of the funnel in the first place. A followup post will go into how to run the actual hiring process itself.

Groundwork – what is it like to work here?

Your first task is to put in place the foundations needed to get people to apply. You don’t need to do any (or all) of these things but they are worth the one-time investment which will pay off with a larger candidate pool in the future.

The key question you have to answer is: why would I want to work for you?

You need to provide evidence to help potential applications answer this question and then the followup: why would I want to work for you instead of Company X.

You essentially need to show off!

So how do you do that? This can be through your website and/or the job ad itself, but you should be thinking about the following:

• Where will the candidate be working if they are successful? If this is an office-based job then explaining the details about the office environment with photos and videos will help them picture where they will be. This should include basic information like the office address, nearest public transport, facilities such as showers, bike storage, desk layout and places to go to eat/drink in the area. Do you have a philosophy behind your office choice e.g. open plan offices to help people communicate, or quiet areas for engineers to get into the zone.
• How will they work? What tools and processes do you have in place? How does the engineering process work and what technologies are being used? If the team is remote, how do things actually work – chat, video calls, regular meetups, etc? These are all good topics for blog posts as well.
• What are your company policies? Publish your handbook if you can but if not, highlight key policies like holiday, sickness, maternity/paternity leave, complaints procedure, code of conduct, pay and performance reviews and how the policies might be adjusted in response to feedback.
• What are the company benefits? This is an important part of the overall compensation package but you may offer certain things to everyone e.g. insurance, car, mobile phone, equipment, travel allowance, conference allowance, profit sharing, share options, etc.

A good way to find out what to include is to ask your current team and/or think about what questions you had when you joined your first company.

Most businesses are quite bad at showing off their policies, even when they are positive and a great selling point. You can stand out by being transparent and having the candidate already partially sold on working for you before they even speak to you.

This is a good opportunity to consider whether your policies are appropriate for different types of people. Fresh graduates renting with friends have very different requirements from an industry veteran living with a family.

Showing you have thought about key things like a code of conduct and maternity/paternity leave also has an important effect on encouraging more diverse applications. With the diversity challenges in the IT industry, it is beneficial to show candidates that you have thought about this in depth and already applied policies within the company. Having to adopt policies dynamically if problems arise is not a good way to build a trusting, friendly work environment.

The job ad

The ad itself is probably the first time a potential candidate has encountered your organisation, so it has to sell both the job itself and the company. Many of the things above can be included in the ad so it works as a standalone article e.g. if it is read on a job board outside your own website, or sent via email.

Things you might want to consider including in the ad:

• A detailed list of the tasks and responsibilities that are part of the role. This should answer the question “what will I be doing?”.
• Who they will be working with and for, and what the day to day might look like. Knowing which team or group you’re going into allows you to understand the context of the role in the wider organisation, and perhaps even look up some of the people who are already working there. Understanding who your manager is going to be also gives you a view on the company hierarchy and seniority of the role. Reporting to a project manager is quite different from reporting to the CEO, for example.
• Describe the selection process so the applicant knows what is going to happen and when. If you can give timelines then that is particularly helpful (and unusual). The experience of most people of applying to jobs is like a black hole – they never hear back and even when they do, it’s on what seems like an arbitrary timeline. There is basically no reason to keep candidates on hold and you should aim to progress people within days or a week. As the process gets to the end it may lengthen because it can be easier logistically to combine interview days, for example, but the early stages of an application process should be very efficient. Consider how you would want to know the current status of the process if you were the applicant. Make the whole process exceptional and the candidate will think of your positively in the long run even if they’re not hired. You may want to work with them in the future, or they may buy your product.
• Avoid listing detailed requirements and long lists of “must have” attributes. I prefer to have more applications that I filter rather than have potentially good people self-filter because they don’t happen to hit one thing in your list. This is a particular problem with trying to improve your application diversity.
• I also like to leave off any degree requirements. Many of my best engineers have had no formal qualifications and are were self taught. Of course, this may vary depending on the types of problems you’re trying to solve – deep technical requirements or specialist topics may require certain qualifications. There is also a certain advantage to having gone through the experience of university (regardless of the subject), but it does select out many excellent engineers. Again, I prefer to filter on other criteria yourself e.g. their experience.
• Where possible use real numbers to show off about the interesting things your company is doing. This can include customers (numbers & names), money raised, revenue and the scale of the technical challenges (e.g. requests per second or dataset sizes). Some of these are vanity metrics but they help to add to the context. Engineers like to know they’re working on meaningful projects.

Where to source candidates

Unless you have a big reputation, you’re unlikely to get many direct applications with the ad solely on your own website. Even the biggest companies use various methods to bring candidates in. There isn’t just a single location that will work so you need to put time and effort into all of these.

Job boards

Job boards are a relatively quick and passive place to get your job ad out. They’re about volume so aren’t necessarily going to get you targeted candidates, but will help to increase the reach of your ad.

There are specialist job boards for different types of roles and people. For example, PowerToFly is a recruitment platform for women whereas RemoteOK is specifically for remote jobs. I recommend building a list of the main job boards relevant to your role and then posting on all of them.

Other ones to check are AngelList, weworkremotely.com, jobspresso.co, workingnomads.co and WorkInStartups.

Candidate search platforms

Direct candidate search is time consuming but is a good way for you to filter through profiles on specific search terms and then directly get in touch with people who fit the criteria.

LinkedIn and StackOverflow Careers are two popular examples, with StackOverflow being very specifically for engineering roles.

LinkedIn also has a job board product which is worth using because the ads show on your business profile and it has a huge audience, but you will be able to be more targeted if you spend the time to search profiles. The problem with LinkedIn is it is very general and I’ve found engineers are less likely to maintain active accounts and/or pay attention to messages which are often spam.

Other sites to consider using include Snap.hr, Hired and AmazingHiring.

Community involvement

Much more long term but often with good quality results, getting involved with the relevant engineering community groups will help you build a profile and meet people with similar interests. This can be specific technology meetups e.g. London Python or focused on techie-types in a certain geographic area e.g. Oxford Geeks.

Speaking at meetups and conferences is a good way to build your reputation. Aim to educate and/or tell an interesting story rather than going with the goal of selling/hiring, but remembering to mention what it is you’re looking for at the end of your talk! It is usually easier to get a speaker slot at a meetup because the organisers are usually looking for people to give talks. These can then lead into conference slots in the future.

In London, the SiliconMilkRoundabout event which is a larger scale jobs fair. They have minimum requirements for applicants so there is a quality bar to the people you meet as a company.

Education links

Although limited to graduates or academics, building links with universities and other educational establishments can help you with a regular pipeline of (inexperienced) talent. This is essential for building a company in the long term but does have training overheads because they are all going to be relatively inexperienced. Timings are also linked to academic terms so this isn’t as useful for immediate hiring needs.

Building an internship and educational recruitment program is quite involved but there is a good book on this topic: Recruit or Die.

Recruiters

I have left recruiters to last because I think they’re the least effective method of finding people.

I have written about this in more detail elsewhere but the problem is that in all cases, the incentives are misaligned. You need a recruiter who 1) is looking for good candidates that fit your criteria; 2) who will find you someone who is good to work with; and 3) someone who will will stay with you for a long time

The only way to find a recruiter who can hit all three of these is by hiring someone full time in-house. Using a success fee or retainer through a recruitment agency means the financial incentives simply don’t match. Either the incentive optimises for finding someone quickly or to create a long process which maximises the retainer income.

Hiring a full-time recruiter who you know gets your company values and will actually work in the same office and probably sit next to the person they hire is the best way to align incentives..

However, in-house recruiters have all the overhead as a full time employee so aren’t necessarily appropriate for small numbers of hires. They only really make sense for growing big teams.

A possible compromise is an exclusive, contract recruiter who is working for you for a defined length of time e.g. 6-9 months. That person can get into the company culture and take the time to find the right candidates, but then leave once they have built the team.

The advantage of using recruiters is they supposedly have good networks of people, although that is really only true for the top end executive search firms, if you’re looking for contract roles or for less skilled general administrative positions (not engineering).

The best engineers can pick and choose a small number of places they want to work at, so they don’t use recruiters. This means for hiring engineers, it’s really tricky to find a recruiter that will actually deliver.

The best way forward is either having someone full time on your team to focus on this and/or focusing on the other sourcing options above to seek out the candidates yourself. Indeed, building your early team is probably the most important thing you can be working on. Without a good team, you can’t build and deliver a quality product to your customers.

Recruiters have a bad reputation, especially for spamming.

I get a lot of emails with unsolicited CVs. Whenever I’ve posted a job ad online, I know to expect that volume to increase. At least they’re helping train my spam filters when I click the “Spam” button!

This kind of behaviour means their reputation is well deserved. The problem seems to be that in almost every case, recruiters have completely misaligned incentives when it comes to finding you good candidates:

• Success fee based recruiters are incentivised to place someone as quickly as possible and have no stake in the long term outcome of the candidate. Although they all have “refund” periods where you get your fee back if the candidate leaves after a certain period of time, the length of time is usually insufficient to properly judge whether someone is a good fit unless they crash out very quickly.

  Even if the refund period applies, they are then even less incentivised to find a good replacement because their profit margin quickly diminishes if they have to spend all the same effort again to get you more candidates.

  That is also the case if you’re too picky. I’ve worked with a number of recruiters (all recommended through referrals) where activity tails off after a period. There’s always an initial burst of profiles but as you reject them, they lose interest. This highlights the lack of incentive to persevere and find those good candidates.

• Retainer based recruiters have the opposite incentive – to create a long process with no time pressure. They get paid regardless of the success of the project or whether the candidate stays with you or not. It can mean you get a more in-depth search, and is sometimes combined with a success fee, but there is still no incentive for them to place someone or put in more effort than the minimum. After-all, they still get paid.

The problem is that in both cases, the incentives are misaligned. You need a recruiter who 1) is looking for good candidates that fit your criteria; 2) who will find you someone who is good to work with; and 3) someone who will will stay with you for a long time.

There are always going to be exceptions, and no doubt the recruiter pitching you will claim they have a new and exciting approach that makes them different, but in reality the only way to match incentives is if they are working for you exclusively full time i.e. they’re an in-house recruiter.

This will be someone who really understands your company values, will work in the same office and probably sit next to the person they hire. They might not be an engineer themselves but they will want to work alongside someone good.

Of course, in-house recruiters are potentially expensive full time employees so aren’t necessarily appropriate for a small numbers of hires. They only really make sense for growing big teams.

A possible compromise is an contract recruiter who is working for you exclusive for a defined length of time e.g. 6-9 months. That person can get into the company culture and take the time to find the right candidates, but then leave once they have built the team.

They won’t be as bought into the success of the hires as a permanent member of your team but it gets close.

The advantage of using recruiters is they supposedly have good networks of people, although that is really only true for the top end executive search firms, if you’re looking for contract roles or for less skilled general administrative positions (not engineering).

The best engineers can pick and choose a small number of places they want to work at, so they don’t use recruiters. This means for hiring engineers, it’s really tricky to find a recruiter that will actually deliver.

Stay tuned for my next post on how to source engineering candidates without recruiters.

In the beginning there were servers, and they had a fixed cost per month. You ordered a certain spec and had a fixed price which was predictable every month. Sometimes you might exceed your bandwidth allowance but most hosting companies included a huge allowance so that was unlikely.

Regardless of how little or how much traffic served and activity performed, the cost remained the same.

For many early switchers to the cloud, the cost remained somewhat fixed. Although you didn’t contract a known price up front (before instance reservations), if you were just using VMs (probably on EC2) then you were still paying a fixed fee.

Network usage was the first real “pay as you go” element for most people moving to the cloud. Both public and private traffic was billed for precisely the amount used, which might have been a nice reduction but was probably a nasty surprise.

Moving from fixed, all inclusive contracts to pay as you go removes a safety net which makes you responsible for optimising your network usage whether it is wanted or not. You no longer have control over spikes and have to pay for sudden popularity or malicious attacks.

This is quite a drastic change of mindset, particularly with regards internal traffic. Verbose network protocols such as for database replication or queuing systems suddenly have a real impact on your budgeting, yet they are very difficult to predict because they’re out of your control.

But that’s just the beginning.

For new cloud-first architectures, every single element of your architecture is billed on a usage basis. Every message in a queue. Every row in a database. Every serverless function call. You can just as easily save a lot of money on low traffic applications as blow through your budget with highly trafficked systems, poor design or bugs.

For developers, this means efficiency matters again. Performance improvements have a direct impact on the bottom line and developer time spend on optimising and refactoring can now be given a dollar value.

The gain is in handing the undifferentiated heavy lifting to a cloud service. Instead of spending time reinventing a standardized component, time can now be spent on the core application code that differentiates you service.

DevOps no longer really means developers understanding how to operate their applications. It’s more about how their applications operate in terms of performance, and therefore cost.

This is quite a shift in mindset.