How to Assess Your Tech Stack: First Steps for Every New CTO

Author: DuploCloud | Wednesday, January 17 2024

Helpful tips to guide you through your first tech stack assessment

As a newly-minted CTO, it’s now your responsibility to ensure your company’s tech stack is working for the company, not against it. This means that every element of your tech stack should be working in concert to help you achieve the results your organization requires, not causing friction and creating bottlenecks. A necessary first step in identifying areas where your tech stack could be performing better for you is a tech stack assessment. 

Your tech stack assessment will take you through every element of your stack while you continue to operate your company’s IT. It’s a little like inspecting an airplane’s engines while the plane is flying. Navigating the challenge of assessing your tech stack without jeopardizing your organization’s operations will require some planning and finesse. 

Whether you’ve already started this process or are looking for suggestions on how best to proceed, we’ve compiled the following tips and tools to help facilitate your first tech stack assessment as CTO.   

The Benefits of Doing a Tech Stack Assessment

Addressing Tech Debt

Tech debt is a real problem facing companies of every size today. Tech debt is the accumulated stress on an organization resulting from expedited delivery of tech versus spending time addressing its problems. Tech debt can accumulate when an organization rushes rollouts or focuses on quick patches over full-scale solutions, or when an organization’s resources simply don’t allow the time to address individual technical issues. 

Particularly in the DevOps world, where automation enables lightning-fast development speed, it can be easier to develop around a problem than take the time to address it. Over time, this can lead to considerable tech debt and an unruly tech stack. 

According to McKinsey, tech debt accounts for roughly 40% of IT balance sheets, and as much as 50% of IT workers’ time is spent addressing it. This makes tech debt one of the most expensive challenges facing CTOs today, and addressing it is the number one reason to conduct a tech stack assessment.

Identifying Opportunities

Assessing your tech stack will also give you a chance to identify opportunities for streamlining workflows and automating tasks. Your current tech stack might be hiding inefficiencies or obfuscating gaps. A thorough tech stack assessment will uncover opportunities your current team might have overlooked or simply forgotten about.

Things to Consider When Evaluating Your Tech Stack

As a new CTO, the burden is on you to evaluate decisions made by previous caretakers of your organization’s tech stack. It might be tempting to move to a new solution because it’s your go-to or because it’s got a lot of buzz around it.  While you should be aware of current IT trends, you should also treat them with a healthy amount of suspicion. Rushing into using a new framework just because it is new might introduce inefficiencies and create further tech debt. 

At the same time, just because something has been done the same way for a long time, it does not necessarily make it the best for your organization. Your job as CTO is to weigh the benefits of every element of your tech stack against the resources you have available to manage them.

When evaluating a tech stack, consider the following:

  • Developers: Do you have enough developers on your team and if not, what will the cost be to acquire them?
  • Cost: In addition to the cost of acquiring new developers, what is the cost of the tech stack elements you are considering, and does it vary depending on team size?
  • Time: Time is also a valuable resource, and arguably in shorter supply than financial resources. How long will your proposed changes take to set up and deploy? 
  • Learnability: How complicated is a component or app for an individual developer to learn? Understand that time spent on necessary changes will have an impact on the bottom line. 
  • Scalability: Will the tech continue to scale as your team grows? Keep in mind that you’re planning for the future and your tech should keep up with your organization’s growth. 
  • Support: What level of support is offered? How much time will your team spend debugging someone else’s code versus their own?
  • Security: Your tech stack components should have robust security in place. 

Conducting a DevOps Audit

A DevOps audit is an important part of your tech stack assessment. The good news is that if your controls are designed and implemented correctly, changes will be end-to-end traceable. 

DevOps has a built-in advantage when it comes to performing audits and assessments because every step should be automatically tracked. This makes it easier to evaluate changes and additions to the tech stack. On the other hand, the speed and automation associated with DevOps mean that new methods of governance and auditing are required.

COBIT

The Information Systems Audit and Control Association (ISACA), an international professional association focused on IT governance, has created the COBIT framework for establishing governance over IT frameworks and establishing best practices. COBIT stands for Control Objectives for Information and Related Technologies, and it has been updated continuously since its creation in 1996. The current version, COBIT 2019, was created specifically to adapt to updated methodologies inherent in DevOps. 

COBIT 2019 contains over 40 objectives across six key principles:

  1. A governance system is required to satisfy stakeholder needs and to generate value from the use of I&T. To create value, the enterprise must balance benefits, risk, and resources and develop an actionable strategy and governance system.
  2. Several components build a governance system. They can be of different types and must work together in a holistic way.
  3. A governance system should be dynamic: If one or more of the design factors have changed (e.g., a change in strategy or technology), the enterprise must consider how this impacts the EGIT system.
  4. Governance and management activities and structures are different.
  5. The enterprise’s needs should be used to tailor the governance system. To do this, a set of design factors for customizing and prioritizing the governance system components is used.
  6. A governance system includes all enterprise functions, focusing on IT functions and all technology and information the enterprise uses to achieve its goals.

More information about COBIT 2019 and COBIT certification can be found on the ISACA website.

Audit Reduction Tools

ISACA has outlined the following DevOps controls you should consider making a part of your tech stack. Even if you have some of these controls implemented, it’s worth examining to ensure they’re doing what they should.

  1. Automated software scanning: To keep up with a more rapid release schedule and to spot compliance issues or configuration drift. 
  2. Automated vulnerability scanning: Configuration tools like Chef or Puppet can create vulnerabilities introduced by compliance-as-code frameworks. Vulnerability scanning triggered during the deployment process can address this. 
  3. Web application firewall: This is a security filter used to isolate suspicious or malicious code and prevent it from sending unauthorized data. In the event that an issue is discovered but isn’t severe enough to warrant immediate attention to fix, a firewall can be established to quarantine the app until a permanent fix can be deployed. 
  4. Application security training: It’s critical to ensure that everyone is aware of proper coding techniques and common vulnerabilities. 
  5. Software dependency management: Although DevOps speeds individual application deployment, it can lead to a complex deployment landscape resulting in different applications sitting in different containers with their own dependencies. Organizations should track and manage outdated packages and mitigate additional vulnerabilities.
  6. Access and activity logging: It is important to ensure that there is an activity log and version control with a timestamp in case you need to roll back to a previous build.
  7. Documented policies and procedures: Documentation is often neglected in an Agile or DevOps environment. Ensuring that all policies and procedures are documented and updated in production tools will ensure great consistency. 
  8. Application performance management (APM): Use APM to measure the performance of applications and proactively address any issues that arise. 
  9. Asset management and inventory: The accelerated pace of DevOps makes tracking asset inventory complicated. An accurate inventory of assets, ownership, purpose, physical or virtual location, and other details is critical to ensuring compliance.
  10. Continuous auditing and monitoring: DevOps is focused on continuous processes, and auditing should be included in that. 

A full tech stack assessment and audit can be an intimidating task. Adding automations to your stack now can help prevent the accumulation of more technical debt. DuploCloud has built our automated cloud deployment platform with rigorous compliance standards in mind, making it easier for you to deploy faster with less worry about whether your applications are adding to tech debt. Reach out today to learn more.
