I’ve been the CTO for four companies (so far), so I guess you could call me a serial CTO. I’m well-acquainted with the many changes in the industry over the years. Below are a few things I’m seeing right now and a few things I think firms are moving toward over the next year.  


#1. Source Code

There’s a significant shift in the industry right now (more so in smaller startups than mature ones): firms are pushing for source code. And by source code, I mean code that’s typed up by software engineers or infrastructure engineers.

That source code is versioned, approved, and reviewed—and it’s no longer just for software. Source code is now for firewall configurations, Defense in Depth (DiD), and Zero Trust deployments for virtual machines and virtual hosts. It’s a lot of code and text-centric deployment.

If you haven’t already, you’ll start hearing phrases like “infrastructure as code” and “platform as a service” in almost every single industry. What that means is the technology skills you need are shifting from being a deep expert in a piece of technology to being a deep expert in writing code that manipulates a firm’s technology. And that’s a level up for a lot of IT organizations that didn’t start off as coders.  


#2. Automation

Five years ago, workflows were disparate, proprietary, and locked. Today’s systems are much more open and connectable, and increasingly sophisticated. As a result, there’s been an enormous increase in an IT team’s ability to automate integration across tools.

I know I just made a point about engineers writing source code, but robotic process automation tools are also in play (e.g., RPA tools). You’ll find low-code environments connected to tools that allow you to script and operate the tool in a semi-autonomous way. And there are no-code tools that let you drag and drop connections between things; you can build technology without having to be a software developer.

The same is true for internal interfaces and APIs. There are tools like Retool that allow you to create those administrative functions without writing a line of code. You drag a database query in here, you drag an API endpoint in there, and you connect the two things together. That’s changing the way we build software, the way we create solutions for customers, and the way we deliver those things. Automation is making software development and solution development more democratized.  


#3. Security and Defense in Depth

There have been a lot of high-profile security incidents in the past six months resulting in a big push toward Zero Trust security. The traditional castle-and-moat approach to protection has been slowly dying for the last ten years, and the security breaches we’ve seen lately are the final nail in the coffin. There’s no longer a well-defined edge of your company.

My best advice is to actively review and improve your firm’s security posture on an ongoing basis. If you’re not doing that, it’s not a matter of if you’ll get caught (by auditors, bad actors, or the public); it’s when.  


#4. Public Cloud

Public cloud won’t come as a surprise on this list; it’s obviously a big deal. About five years ago, there was a shift in the financial services industry toward the public cloud, but some folks were a little late to adopt the technology.

If you’re not talking about the public cloud, you should be—mainly because it used to be harder to certify and ensure security, and that’s no longer the case. We see both huge financial services firms and small financial services firms being built cloud-first—without any form of infrastructure that’s on-premises or locked away. That’s a massive transformation in the industry.  


#5. Data Science and Warehousing

If you think about the rise of disciplines like data science across an organization, ten years ago—even five years ago—it was all about data warehouses, business intelligence dashboards, and business intelligence analysts who were the keepers of KPIs and metrics and data. Everything was wrapped up in dashboards and reports.

Over the last few years, the emergence of data science as a discipline has turned into a world where those data scientists are not using a tool to build a report; instead, they’re writing code. They’re down at the data level—at the very lowest level—accessing information in an unfettered form. They’re building a model, a solution, a piece of analysis, a piece of code, a piece of software—an actual solution or product even though they’re not typically part of the IT department, they’re part of business functions.

We’re going to start seeing a lot of that—business functions becoming more technical and effectively building software or solutions for a company without having to get IT involved. IT’s role becomes more security and quality review rather than actually creating some of this.

The secret for a CTO is listening to your business and making sure you’re building professional empathy with that part of the company. You need to understand what your data scientists are looking for. Are they looking to have their own team that builds data-centric solutions? If so, you have to think carefully about whether you create that capability inside IT and then connect it to the business. Do you let a team build that capability and connect it to something your organization already has? Do you federate that function across the entire organization? Each of these decision points is different for every organization. In the long run, we’ll see a democratization of data and how technology solutions are built across an organization.

All of this leads you to Zero Trust Security and ensures you’re enforcing good security practices across something much larger than a traditional IT department or technology organization.  



CTOs are managing change in real-time. What we saw even five years ago isn’t how things work today. Security posture is moving away from castle and moat and requiring diligent review and improvement of your security posture to meet auditor expectations and deter bad actors. The public cloud is an integral part of this shift in how to certify and secure data.

Source code is no longer just for software. It’s for firewall configurations, Defense in Depth (DiD), and Zero Trust deployments for virtual machines and virtual hosts. The focus is less on expertise in a piece of technology and more on expertise in writing code that manipulates the spectrum of your technology. And, in fact, not all source code is written by a human. Sophisticated automation is changing the way we build software and create solutions for customers.

As a CTO, particularly in these challenging and changing times, listening is your best asset. Build empathy, understand what engineers and data scientists (and anyone else on your team) needs, then determine how their needs and ideas fit the department and organization as a whole.