How to prioritise what features to build

Deciding what to build and when is the most difficult task for any product/engineering team. There are always multiple competing interests that appear at different times, pulling you in every direction.

Without an understanding of how to prioritise, you can easily switch contexts too often, damaging productivity and making everything feel manic.

Despite this, it is possible to define some prioritisation rules. These are mine:

  1. Critical problems waking up your team
    Your team are the first of two crucial stakeholders. It sounds obvious, but without team members you can’t deliver your service! Stress and fatigue caused by outages have a knock-on effect on your customers because product quality suffers. Engineers must be on call for their own code and systems, but if there are too many out of hours incidents and the trend is not towards a reduction in volume, they will eventually leave. Being woken up (or interrupted out of hours) has a huge impact on quality of life which has to be addressed quickly.
  2. Critical problems breaking service for your customers
    Customers are the second of the two crucial stakeholders that determine prioritisation. Your business only survives because customers generate revenue but without your team, you cannot service your customers. As such, customers come second. But any critical issue that is breaking a core service for your customers must be solved quickly. This can range from a complete outage to a major bug that is preventing functionality from working. These types of issues should be parachuted into the current development cycle and fixed first. It’s much easier to keep existing customers happy than to sign up new ones.
  3. Bugs and improvements requested by or affecting existing customers
    Linked to #2, keeping existing customers happy is the best way to build a sustainable business. This is especially the case with SaaS, where accounts often grow and revenue can be increased without anywhere near the cost of acquiring a new customer. Existing customers also know what they want to see in the product because they’re actually using it. You don’t necessarily have to agree with them and it may not be appropriate to build everything every customer asks for, but bugs and smaller improvements help to improve retention. SaaS revenue compounds.
  4. Innovation
    Since it has never been easier to start a business, differentiation is crucial to standing out amongst the inevitable competition. Products have to continually evolve because what is differentiating today is just a standard feature tomorrow. This means having a unique perspective of the market and what customers want from it. Building solutions to interesting problems helps attract the best team. It makes customers want to stay with you because they see the product evolve. And it makes you stand out from competitors. You can’t stay ahead just by copying.
  5. What lost deals or prospects are asking for
    Having a unique position in the market isn’t sufficient if you don’t offer the key features everyone is asking for. Understanding why customers are not buying and/or what they are asking your sales team for will give you a good insight into what you should be building. Sometimes you can commit to delivering requests as part of a deal (or with a chargeable services element on top). I’d also argue there’s a place for a whole product team dedicated just to building requests that come out of the sales and marketing discovery process.
  6. What your competitors are doing
    This is often linked to #5 if competitors are defining the market. You need to ensure you cover at least the core functionality for buyers who have a simple checklist, but then this is where #4 comes in to make your offering stand out. However, it is the lowest priority to simply copy what competitors are doing because by definition doing so will mean you’re always behind.

Whether you agree with the ordering above or not, the important thing is to have a set of rules which can be applied to inbound requests.

You’re going to get input from your team, customers, investors, board members, friends, competitors and more. Technical debt, refactoring and rearchitecting also have to be considered (maybe it comes under #1 in extreme circumstances, but it can probably be considered as part of a project that fits into one of the normal priorities).

Things will also change over time.

Only one thing can be top. Unless there is a single, ordered list of numbered priorities, nothing is the priority.

Challenges of running an enterprise SaaS business in the UK

Since starting Server Density in 2009, a B2B enterprise SaaS business, my biggest challenge running it has been commercial.

This is a broad area but covers everything from sales and marketing to new customers through to account management and keeping existing customers happy. In recent years, the latter has developed into “customer success” as a specific discipline distinct from customer support or technical support.

In the last 12 months I’ve been involved with hiring for commercial roles in both the UK and the US and there is a clear difference between countries when looking for that crucial enterprise B2B SaaS experience.

My conclusion is that whilst you can quite easily build out product, engineering and customer support teams within Europe and the UK, it is very difficult to do the same with early stage commercial teams. There’s the occasional highly talented individual who has done it before in the UK, but otherwise it’s almost impossible to recruit for commercial roles here. The initial sales, marketing and customer success hires need to be in the US.

The reasons for this are as follows:

The UK and Europe have well established communities around technical roles: engineering, product development, operations, developer relations, community, events, and customer support. You can find people doing these roles at all levels of experience and seniority at companies of all sizes. There are plenty of academic institutions linking with industry to develop more of the theoretical experience, and mainland Europe in particular benefits from a significantly lower cost base which has made outsourcing popular. This all means that there is a large talent pool that scaling startups, corporates and other businesses can access.

For commercial roles in enterprise SaaS, this ecosystem simply doesn’t exist. There are very few SaaS businesses founded and being scaled in the UK or Europe.

The “founded and being scaled” part is important because it’s not the satellite sales offices that count – at the point where you’re creating a new sales office, you have already figured out the repeatable business model and are simply scaling it. It is the stage where you’re still figuring out product-market fit that needs the highly experienced people in key roles who have done it before.

Those people are in the US.

From the BVP Cloud Index, 42 cloud/SaaS companies have a market cap of +$1bn. Of those, 36 are HQ’d in the US and only 1 in the UK (Mimecast).

This is a problem because it’s a self-reinforcing cycle. Companies start and are scaled in the US because that’s where the experienced people are and the people are there because that’s where the startups are.

London is the best place to start a technology business in Europe. With 58,000 tech firms already located here and more venture capital investment than in Germany, France, Spain and Ireland combined, I agree that London will remain a major hub for the types of businesses that already do well here – fintech, fashion, design, consumer, retail, eCommerce and mobile. But SaaS is lagging.

There are signs of improvement, although there is still some way to go:

  • SaaS specific funds like Point Nine Capital and Notion Capital are sowing the seeds but their portfolio companies often relocate commercial operations to the US.
  • Box recently opened its European HQ in London, but they have already IPO’d.
  • Apple and Google have both announced major new HQs in London, although they are long past the challenges of startup scaling.
  • Mimecast has their HQ in London and IPO’d several years ago, although they listed in the US on NASDAQ.
  • NewVoiceMedia is a UK based company that looks like it might IPO in the future (given the amount of capital raised).
  • A second round has been launched by the GCHQ Cyber Accelerator specialising in security products, most of which will come under the enterprise SaaS category.
  • The UK is positioning itself to try and lead the world in AI, self-driving cars, space flight and other “deep tech” developments which tend to have a more B2B commercial focus.

In the meantime, what I think this means for SaaS businesses is that you can start off in the UK and Europe with an initial product and initial funding, but to scale the commercial model through to IPO you have to relocate that part of the business to the US.

Engineering, product, support and operations should remain in Europe because the expertise is available here at great value for money, but sales, marketing and commercial operations need to be where the talent pool is greatest – the US.

A different approach might apply if you’re not going for IPO or trying to build a big business – there are plenty of small, successful businesses in the UK and Europe. But then the risk of being outcompeted will arise instead.

Rewriting, refactoring, rearchitecting – when is the right time?

With any product development, there’s always a tension between perfection and getting things released.

The engineering mindset is geared much more towards architectural, design and implementation perfection. The phrase “it’s done when it’s done” is the ultimate manifestation of this approach but that simply doesn’t work with any real product. Customers expect rapid bug fixes, regular iteration and ongoing improvements.

It’s difficult to get the balance between good engineering and “good enough” to release. Bugs hurt the customer experience, creaky architecture can result in poor performance or entire outages, and technical debt wears away at the happiness of your engineering team. But there are some things which might indicate you’re spending too much time on the engineering!

  • Refactoring, rewriting or rearchitecting code as a project by itself. The best time to refactor is when you’re already touching the area of the codebase in question. Rewriting code delivers no customer benefit but takes up a lot of time, usually introducing new bugs as well. Major rewrite and replace is usually only justified once you’ve hit scale limitations but even then, taking a component based approach and delivering small changes sooner is better than a grand rewrite over months.
  • Investing time building for a scale you have not yet reached. Code will usually last much longer than you expect and so unless you have instrumentation which is showing a customer (or on call) impact either now or imminently, this is probably not a good use of time.
  • Rewriting in a new language, or introducing a new language into an existing codebase. Only dramatic changes in usage scope really warrant considering writing something in a language that isn’t already part of your stack. Hitting a scaling limitation might be a reason e.g. shifting from Python to Go for a systems problem within a high performance environment may make sense, but the right consideration should be given to the ongoing maintenance cost. Who else on your team has experience with that language for the future? How are you going to maintain the technology? Who is responsible for updates? What happens if that team member leaves and you have bugs to fix?

Generally speaking, starting a new project or component is the time to consider new technologies, languages, frameworks and approaches. Anything with the words “rewrite” or “rearchitect” should be approached with extreme caution and scoped within an existing project that will deliver customer benefits at the same time.

You can’t build a SaaS company in 2018 without significant funding

When I started Server Density in 2009, the company operated on a very low cost, bootstrapped model. I received a small amount of cash from Seedcamp in 2009 and then a few angels in 2011 but for the first few years, the total raised was only around $200k. The company grew off organic revenue with very low costs for the first few years and only more recently raised VC funding.

The years 2009 to 2011 were still very early in SaaS. The opportunities were mostly SaaSifying an existing on-prem business and both the number of SaaS businesses and funding sizes were small.

Data from Crunchbase by Christoph Janz.

After 2011, SaaS was considered the business model of the future so competition ramped up and more companies were formed. This resulted in an increase in the capital required to build out and support a “proper” business.

Unless you had achieved a certain revenue scale, it was about to become very difficult to compete and even then, it was quite easy for a better funded competitor to overtake you.

As of 2018, I believe it is now impossible to start and scale a SaaS business without significant capital. Even established businesses are finding it challenging to scale when up against intense competition because of the cash requirements of so many areas of the business:

  • The product must continually evolve. Feature comparison is now the standard way of looking at the options when evaluating which product to choose as a customer. SaaS is the only sensible way to have software delivered in 2018 so the sales discussions are less about SaaS vs on-prem but SaaS Vendor 1 vs SaaS Vendor 2. Regardless of whether you actually need all the features on offer, it comes down to how many features a vendor has. This requires a large product and engineering team to regularly release updates and improvements as well as fixing issues.
  • Sales teams are expensive, especially in key geographies like the US East and West Coast. They have a high front-loaded cost and take time to ramp up. Recruitment is challenging and very costly. All this needs cash before you see any revenue.
  • Self-serve models are very difficult to build up because they require high volume organic traffic. Content marketing is saturated so unless you already have a good ranking, it takes years to build up. Marketing expertise is there but as with sales, it isn’t cheap and it’s time consuming to generate new ideas, build campaigns and pay the huge fees to sponsor and travel to conferences.
  • Supporting customers through a proper customer success operation requires experienced people, management tools and a proactive approach which is high touch. Again, building the team is the most expensive area.

Bootstrapping SaaS to sustainable revenues and profitability is so hard in 2018 because of the time it takes to grow organically. During that time, well funded competition will appear, out-build and out-spend.

Funding doesn’t necessarily mean success but it does make competing more difficult simply because it does usually mean a more feature-rich product can be developed.

That said, it is still possible to gradually build up a profitable small software business in a niche area that can grow over time. Many of these businesses exist and provide a great quality of life for the founders or small teams. But this is not the type of business I’m talking about here.

Instead, I’m saying that the model that Server Density took in 2009 to build a large scale, SaaS business around a critical business need like systems monitoring is no longer possible. To get into SaaS today you have to have a major differentiator, rapidly prototype, get some initial revenue and then raise significant capital. And not just that, you have to do it within a short 12-18 month window.

It’s certainly cheaper and easier than ever to form a startup. However, it has never been more expensive and difficult to scale.

Following this post, on Feb 8 2018 I recorded a podcast with Seedcamp discussing this post in more detail.

Predicting the next decade of self driving cars, SaaS and China

I’ve been thinking about what the next 10 years of the technology industry will look like and have come up with a few things I think we’ll see develop.

  • Self-driving, electric cars will become mainstream and they will be linked to ride sharing services in particular. We’re already seeing countries ban the sale of new non-electric cars. Logistics will be the first to take advantage of self-driving, followed by consumer vehicles. The self-driving transition will be led by ride sharing services, with Tesla entering the market with their own offering. Uber is best placed right now but their success depends on their ability to navigate their major cultural issues.
  • Voice driven personal assistants will become significantly better, driven by direct access to your personal data. This will be easiest for Siri and Google Home because they have their own platform where the data resides (assuming Apple develops Siri into more of an open platform). Alexa will have direct access through integrations.
  • SaaS as a software delivery model will mature and we’ll see more SaaS companies IPO. There will be no growth and revenues in non-SaaS software will contract – renewals of these non-SaaS licenses will drive most of the revenue, with minimal new business primarily from legacy businesses and/or with FUD reasons. The 2.0 era of SaaS is already over and we’re beginning to transition into SaaS 3.0 which will be about “real” AI driven insights on the data.
  • Every consumer device will be connected and considered part of the “Internet of Things” but the largest scale users will be industry. There will be more and more major security incidents involving poorly architected IoT products until government regulation steps in.
  • The cyber security industry will transition from 1.0 to 2.0 which will involve consolidation, the emergence of a few big vendors (likely AWS, Google and Microsoft) and a clearer approach to sales and marketing.
  • China will become dominant as a world power (militarily and economically). Silicon Valley in the US will no longer be the number one place to be for technology, innovation and startups which will instead be in China. But this will only happen if China breaks down the wall that exists with Chinese companies only really operating in China, unless China is considered a big enough market by itself (it already is, but most technology companies want to go global which is challenging from within China).
  • Clean energy will become ubiquitous but we’ll get there indirectly via fracking and natural gas and continue to be supported by nuclear for a very long time.
  • We will return to human exploration of space through private enterprise. This will be led by SpaceX but China will become a major player here too, probably suddenly.

I look forward to coming back to grade my predictions in 2028.

Cyber security and leaving the door unlocked

A standard part of home or office contents insurance is making sure you use a lock from a list of approved manufacturers, and then ensure that the lock is actually engaged when you’re absent. Enabling other security mechanisms such as alarms is also typically required.

This seems entirely reasonable and simple common sense: if you leave a building unlocked and your belongings are stolen, it’s your own fault – you were negligent.

It’s not quite the same when it comes to cyber theft.

Even though you can purchase insurance to cover you against the risks of cyber attack, hacking, ransomware and data loss, the policies are much vaguer when it comes to understanding your responsibilities.

In a physical contents policy, it is sufficient to use the term “locked” to describe the state the building must be in to be considered sufficiently protected. When applying for the policy you will be asked if there is an alarm and in theory the presence of one should reduce the premium. The same isn’t the case when applying for a cyber insurance policy. I think it should be.

Basic security steps

There are two steps you must take to secure your online accounts:

  1. Use a password manager, with unique passwords for every online account that are at least 12 characters in length (as of Jan 2018, this will change over time).
  2. Use 2 factor authentication using a TOTP app such as Google Authenticator, not SMS. Or even better, use a security key.

Having the same password (or a small number of passwords) for your online accounts is the single biggest reason why account compromise is so frequent. A single breach of any online service will reveal your password for everything else, something which happens on a regular basis.

Without a password manager, this becomes difficult to achieve, especially since you will want to use a random selection of numbers, letters and special characters. The main reason to use a passphrase with combinations of words is to make it easier to remember. Using a password manager means you don’t have to remember anything except the single master password. It can also protect against phishing, because auto-fill matches are based on URL patterns, and you can quickly enter credentials with keyboard shortcuts.
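The URL-matching behaviour described above, as an added example that is not from the original post: a simplified matcher (an assumption; real password managers differ in detail) offers a saved login only when the page is HTTPS and its host equals the saved host or is a subdomain of it, and is contrasted with a naive substring check. The vault, hostnames and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault: saved host -> username (passwords left out on purpose).
VAULT = {
    "accounts.bank.example": "alice",
    "mail.example": "alice@mail.example",
}

# Constructed pages: the genuine login page plus URLs that merely contain
# the genuine hostname somewhere in the string.
PAGES = [
    "https://accounts.bank.example/login",            # the real site
    "https://accounts.bank.example.evil.test/login",  # real name as a prefix
    "https://accounts.bank.example@evil.test/login",  # real name as userinfo
    "https://evil.test/accounts.bank.example/login",  # real name in the path
    "http://accounts.bank.example/login",             # right host, no TLS
]


def page_host(url):
    """Return (scheme, host) parsed from the URL, or (None, None) if unusable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo and port, lowercases
    except ValueError:
        return None, None
    if not host:
        return None, None
    return parts.scheme.lower(), host.rstrip(".")


def strict_match(saved_host, url):
    """Match on the parsed host only, over HTTPS, on a label boundary."""
    scheme, host = page_host(url)
    if scheme != "https":
        return False
    return host == saved_host or host.endswith("." + saved_host)


def naive_match(saved_host, url):
    """What a hurried reader does: look for the name anywhere in the URL."""
    return saved_host in url


def autofill(url, matcher=strict_match):
    """Usernames the manager would offer to fill on this page."""
    return sorted(user for saved, user in VAULT.items() if matcher(saved, url))


def report():
    """(url, strict result, naive result) for every constructed page."""
    return [(u, autofill(u), autofill(u, naive_match)) for u in PAGES]


if __name__ == "__main__":
    for url, strict, naive in report():
        print(f"{url}\n  strict: {strict}\n  naive:  {naive}")
```

Only the first page gets an offer from the strict matcher, so a missing auto-fill prompt on a page that looks familiar is itself a signal worth acting on.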

You have to expect that your password will be leaked (or possibly guessed given sufficient compute power), and so that is why having 2 factor authentication is so important. This is a great example of having layers of security so a breach of one type of protection is mitigated by another.

If you don’t use both of these “techniques” for at least your email and ideally for every account, you are negligent. It’s the same thing as leaving your property unlocked.

Applying this to cyber policy insurance

Just implementing these security measures significantly improves your security and should really be a standard part of applying for cyber insurance just like asking about alarm systems is for contents insurance. Not using either should therefore increase your premium.

But given the number of people who are still acting negligently with regard to their own cyber security, perhaps it’s not yet been considered in the risk analysis for insurers. Maybe so many people don’t bother with proper security that it doesn’t show up in their premium modeling yet.

Or maybe it does. If you look closely at the insurance wording, you might find something like this:

What is not covered – pre-existing problems: anything likely to lead to claim, loss, breach, privacy investigation, illegal threat or interruption which you knew or ought reasonably to have known about before we agree to insure you.

Source: Hiscox Cyber Policy

This is vague enough to give the insurer scope to exclude many claims for poor security practices – “ought reasonably to have known about” easily covers not using the two security techniques above. There is enough advice online and from official government channels saying the same thing (2FA and password managers) for this now to be considered reasonable knowledge.

Leave the room to get feedback from your board

I’ve been running monthly board meetings for Server Density since 2015 which was when we brought on an institutional investor. My board now comprises the VC partner (Barnaby Terry), my first angel investor (Qamar Aziz) and an independent (Oren Michels).

Although it’s well established that employees should have regular performance reviews, this isn’t widely heard of when it comes to evaluating the CEO performance. In much larger businesses, compensation can be linked to stock price or other KPIs, but at a startup or small business it can be harder. Feedback often needs to be qualitative as well as quantitative.

You might implement a 360 degree feedback process within the management team but a formal opportunity for feedback from the board to the CEO is rare. This might only surface through scrutiny of specific board agenda items, difficult questions or ultimately being fired!

With this in mind, an idea I have been using for some time is a specific section of the board meeting where I leave the room and allow the remainder of the board to discuss without me present. This is a good opportunity for them to discuss the meeting topics themselves but I specifically frame it around “Feedback to the CEO”. This lasts 10-15 minutes, after which I’m called back in.

Despite the board members not being in the day-to-day so less able to provide specific operational direction, I have found the feedback very useful. It has allowed me to direct my thinking on difficult topics, understand how I might change my approach to problems and reconsider where I should be spending my time.

Positive feedback is just as useful as negative. I know many CEOs suffer from imposter syndrome so being given praise is valuable as well. You should try and bring on board members who have been CEOs themselves, so they understand the difficulties. Feedback is so much more valuable when it is from someone who can relate to the experience.

If you’re not getting feedback from your board, you’re missing out on a big part of why they’re supposed to be there.

The most important piece of advice I’ve learned on structuring board meetings is that they should be discussions without fear of conflict. Just using the meeting as a status update is a waste of everyone’s time and incredibly boring.

Further reading on running effective board meetings I’ve found helpful:

We’re still in v1.0 of the cyber security industry

Things are just starting to get interesting in cyber security. We’re seeing a ramp up of attacks, from corporate breaches through to election tampering and disabling critical healthcare services. Governments are posturing and hinting at their warfare capabilities. There is almost no regulation and most end-users are failing to protect themselves.

Security is still talked about by the uninformed as a binary state. To be secure, or not.

Actually, “defense” isn’t a single thing. It’s not a question of whether you will suffer a security incident, but when. As such, good security is implemented through layers and with a mind to mitigating breaches through compartmentalisation:

In every instance, it is the lack of compartmentation between accounts and personas that has been the cause of the pain. Without proper compartmentation, attackers are able to leverage information from one compromised account to access another related account. Increasing privileges and traversing across the persona’s exposed and interlinked account control centers.

The human element of security is often the weakest. We hear a lot about zero-day vulnerabilities and elaborate hacks because they are cool, but it’s the simplest breaches – users with poor password hygiene and no 2-factor authentication – that are the biggest cause for concern. People are used to frictionless access to their computers, and the UX around 2FA and strong passwords is usually less than frictionless.

E-mail continues to be a popular communication platform despite it having minimal built-in security. With history of all your communication, files, personal conversations and direct access to all your other accounts (through password reset), it really is a single point of failure. Nobody uses PGP properly so most have given up and moved to encrypted apps like Signal and WhatsApp.

Yet email continues to be a critical part of business and governmental infrastructure.

The security industry is also full of vendors with vague, fluffy marketing. It can be difficult to know precisely what you’re buying and it’s difficult to compare products because they’re often hidden behind enterprise sales processes. The big cloud providers are starting to offer data-driven products and there are some promising businesses like Cloudflare, but for the vast majority, the market is confusing.

  • Unlimited attack surfaces
  • Users not paying attention to basic security practices
  • Frustrating and inconvenient UX
  • Enterprise vendors selling vague security promises
  • An increasing number of attacks from criminal gangs, hacktivist groups and nation states

To me, it looks like a very immature landscape where things are just getting started. We’re still in v1.0 of the cyber security era and things are only going to get more interesting!