Journal of an Architect and CTO

Transitioning from a software architect to a CTO of a fintech company was an interesting experience. It really elevated my view of technology and its role in business. Suddenly, you need to think about budgeting, P&Ls, client satisfaction, company risks, and HR policies. You no longer manage technology directly, but rather people, priorities, and flows of information. I already had some management experience before, but I doubled down on operational people management, corporate finance, and leadership. Back then, there was no “How to CTO” book, but I believed these skills were expected from a CTO — and I was right. They are the foundation, but along the way I made some specific, important, and surprising realisations that I wanted to share. ...

In the 18th/19th century the British Empire was the dominant superpower in the world and eventually established its own rule known as the Pax Britannica. A major factor that helped establish this dominance was their military advantage at sea. The British fleet, which started from the Tudor navy in the early 16th century, beat the Spanish Armada and, with some hiccups, became the most dominant naval power up to the 19th century. ...

People don’t resist change. They resist being changed. — Peter Senge When driving change in a company, you better make sure you have active supporters, but don’t forget about people who will resist it. Some will be just reluctant to change their work habits. Others might see this as a redistribution of power and actively oppose it. The best way to deal with this is not going to war or exercising power, but rather recruiting them to your cause. That said, have a plan for when recruitment fails.

If you’re an IT leader, you’ve likely, at some point, sat in front of a blank document titled “IT Strategy” and didn’t know where to start. How do you even begin thinking about strategy for your department? You’re obviously expected to “bring value”, but what does that actually mean? In his book IT Strategy, Jim Maholic suggests a helpful imperative to structure your approach: the SEAR imperative. He argues that there are four ways IT can contribute to the business: ...

Ever had the feeling that getting things done is harder than it should be? It’s difficult to find relevant information, get hold of the colleague you need, or obtain a decision from the responsible person. Even when you have a good understanding of what needs to be done and solid momentum, it still feels like running underwater. We can call this friction. By friction, I mean small internal obstacles in the system—caused by bureaucracy, misunderstandings, and poor communication—that slow down work and cause frustration. Some level of friction is inevitable, and there is even good friction (for example, friction caused by security or risk controls), but friction levels in a company should be actively monitored. ...

The rising wave of AI agents is reaching e-commerce and payments. Major players such as Stripe, Shopify, Visa, Mastercard, Google, as well as new entrants, are trying to answer a simple question: how will online purchases look in the age of AI agents? Let’s imagine how this could work. Instead of going to a seller’s website or a marketplace, you interact with your preferred AI agent and tell it what you want to buy. The agent then browses known shopping catalogues using an MCP server or contacts seller agents to negotiate deals via the A2A protocol. Once it finds suitable offers, the agent presents them to you in its native UI and asks you to confirm your choice. After confirmation, it reaches into your wallet—like Apple Pay or Google Pay—extracts secure payment credentials, and uses them to pay through an AI-enabled gateway. All of this happens via the ACP or AP2 protocols. ...

If you drop a frog in a pot of boiling water, it will, of course, frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As the water gradually heats up, the frog will sink into a tranquil stupor, exactly like one of us in a hot bath, and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. ...

PCI DSS is a term that should be familiar to anyone dealing with credit card payment processing. For readers who are less familiar with the topic, it is a security and privacy standard designed to ensure the secure processing and storage of cardholder data. It has a single objective: to prevent sensitive cardholder data—such as card numbers and CVV codes—from leaking outside your system. In this post, we’ll look at how to set up a simple architecture for processing card-not-present (i.e., e-commerce) payments. For example, you may have an e-commerce website and want to accept card payments via a form in your UI. You could take the easy route and embed your payment processor’s hosted payment form in an iframe, allowing you to complete a simple self-assessment instead of a full audit. However, you might have more complex requirements. Maybe you want to process payments on the backend to route transactions to different providers or apply custom retry logic to improve conversion rates. ...

Every IT leader should be up to date on what’s happening in the tech industry. Social media, blogs, and other publications provide a steady stream of daily information, but it’s also useful to regularly review high-level, periodical reports. Here are some of the reports I follow that are relevant to my work. ...