I thought I would write about what I have been really busy with lately: changing my company to more of a product-based business with my software / security-as-a-service application – Simple Security Risk Assessment.

I have had some interesting experiences thus far, mainly dealing with hiring an overseas developer. Hopefully you can learn some lessons from my experiences, or at least get a laugh.

I will keep adding to this as I go through the development and, hopefully, launch experience.

The story so far

The hell that is writing requirements

So I had a great idea, had just finished my last contract and had at least 2-3 weeks before my wife forced me to go find some other paid work rather than just blogging. So why not work on actually launching my business idea?

Now I write security requirements for a day job, so I have a bit of experience at this. Still, it was a big slog: something I hoped to finish in 2-4 days turned into a 100-page weighty tome. In the middle of it I found Mockingbird and decided to also do a wireframe model. I also spent a whole day building the guts of the application in Excel. I can tell you it is hard getting motivated to slog through those last few help pages when you are thinking, if they were smart enough to use my application, surely they can figure this out.

Still, if you are a tech startup I would advise you to go through this process. I have seen so many programming projects start off without clear requirements and just fail due to scope creep, or deliver a race horse designed by a committee. Also, I am not a fan of a strict Agile methodology; storyboards and frequent iterations are good, especially with an agile-experienced on-shore developer, but I think you need at least a baseline set of detailed requirements to work with an off-shore developer. Of course you will still prototype, provide feedback, make decisions and adjust as you go along, but this can then be via change control. Well, that's the theory anyway; keep following this to see how that works out for me.

If you want to read mine see here. Sign this NDA and email it to and I will send you the password

Lost in translation – aka finding an off-shore developer

Why an offshore developer? Simple. Cost. I am funding this out of my own pocket; I have no real idea if it will make any money. Got to keep the investment costs low. Yes, you can argue with me regarding total cost, quality of work, getting your requirements understood, time invested, legal issues, IP problems etc. etc., but nothing beats the hard moolah – money talks and everything else walks. Especially when it's your own money; until the idea starts generating some revenue, keeping costs low is the name of the game.

I started by advertising my requirements on the main freelance boards:
If you want to see my ad on these, go to the sites and search for "simple security risk assessment".

The best one? All have their pros and cons. I like the interface on Freelancer and eLance the best, and I really like the eLance feature that lets a developer provide a pre-bid and then update it once they have understood the requirements. Scriptlance and project4hire are just plain ugly; however, in terms of core functionality they all work. I guess not many people need this, but it would be nice to have an integrated Non-Disclosure Agreement (NDA) feature for developers to sign before they got access. I had to organize the logistics for mine manually, with a password to protect the requirements doc. Overall advice: use them all – I had about 6 good applications from different applicants on each site.

So, the fun of evaluating the responses and answering the questions of offshore developers

Ready for the whinge: some of the problems I encountered:
  • Lack of ability to follow basic instructions: i.e. sign this NDA and I will provide you the password
  • Too much copy-paste: i.e. I want to see your ONE (1) best web app and mobile app; I do not have the time to go through your un-tailored spreadsheet of 50 apps and websites
  • Fake confidentiality clauses: "I can't show you my site because it is under NDA." Surely some of these amazing sites you did are on the public Internet or the Apple App Store?
  • Contract issues – many developers state they do not have business insurance (here in India we don't believe in it? WTF?) and don't like the penalty clauses ("Dear honoured sir, we will do best job, no need for penalty for not delivering requirements or completing on time"). Honestly, I would not do business without these - you have to give anyone in IT an incentive to finish the job to spec and on time
  • Not reading the requirements doc – on a Skype call with 5 people: "so can you explain your project?" Sure, etc. etc. Then they ask a question that is answered in the requirements doc. There are only so many times you can say Read the Frigging Manual (RFM)
  • Time difference – getting Skype messages at 5am asking "have you read that email?" is no fun
Do get a Skype account or equivalent though; it is fairly mandatory. The rest of the issues seem just to be a cost of doing business with an off-shore developer – hey, pay peanuts….

I did also try advertising in Sri Lanka to hire two developers directly, on the advice of a friend who has been burnt before. I advertised via . So far I have had three applications: two were just students out of Uni, one I'm hopeful about – I will interview him tomorrow and let you know how it goes.

Protecting your idea – aka paying for your lawyer's next Lambo

My idea is hardly the next Facebook, but I could find little in the market that was similar, so I wanted to protect it.

The main mitigations I turned to were:

NDA - I required a Non-Disclosure Agreement (NDA) before I provided the detailed requirements documents. Not sure how enforceable this is (especially in India, China, Russia etc.), but hopefully it will at least act as a deterrent.

Reputation and review scores on the boards – I generally only dealt with established companies that had at least a 4/5 rating on the boards above. I figured if they had an established business and wanted to keep their rating they would be less likely to rip off my idea. Well, that was the initial thinking anyway; many of the companies that had competitive bids did not have reputation scores and feedback on the boards, probably because they were either new or had done the work outside of the boards, so were not getting any formal feedback.

Contract – I have confidentiality clauses in the contract, with the applicable law being that of the UK. I am also paying an arm and a leg to get a lawyer to review both the NDA and the contract. Hopefully this will be worthwhile (more on that next week). If you are in the UK there is a free 30 minutes of legal advice for new businesses (although this will not be enough for document review, you could at least get some advice without paying a lot).

I also looked at patents, but considering the cost for the protection they actually give, I decided against it.

Business case – is this actually going to make any money?

Maybe someone smarter would have started here. I have a skeleton of a business plan, but it is definitely not bulletproof. The idea is mainly based on seven years of experience in the security industry, some Google searches for competition, and discussion with colleagues and friends in the industry that I respect. No focus groups or formal detailed market research.

The main competitive advantages I have are:
  • Being a "security expert" I know what I'm talking about when it comes to measuring security risk. Do what you know and where you can see a need
  • After 7 years in the industry I know what doesn't work and hope I have an idea of what does
  • My initial investment and ongoing costs are fairly low, so I don't need to make a lot of money before I am in profit, and even if it completely fails I haven't sunk a lot of money into something that I am sure I will learn a lot from
  • I have good contacts in major Fortune 100 organizations who have expressed interest in and support for the application (turning these into sales will be the challenge)
I have also looked for a mentor and will hopefully be starting that relationship soon with an angel investor.

Live journal

11/08/10 – I am starting my live journal here. I will let you know how I go through development, test and, hopefully, a successful launch. Can't promise daily updates, but anything significant I promise to update here – so watch this space :)

12/08/10 - Had a quick 30 min call with my potential future mentor. Sounds like a nice guy but has no idea about IT security. Could be a complementary skillset though; will have to see what his day rates are and/or the equity I have to give away for the benefit I will get. Meeting him next week for a coffee to discuss further. I am apparently not a "qualified" business yet (i.e. up and running), so we will see.

I also interviewed my potential development candidate for the direct hire. He seems good, with decent enough experience in web dev and iPhone dev. Could be a real option; things to think about .....

16/08/10 - So, met with the lawyer yesterday. Seemed quite a nice guy; maybe I would be as well for £300/hour. He tore my contract to shreds - lesson learned: it is faster and cheaper just to pay a lawyer for a standard-form contract than to try and modify one yourself.

I have also chosen my top 3 developers. It is a real close race between a Chinese firm, whose iPhone app I really like, and an English firm that outsources development to India. I like, and the lawyer did too, the appealing idea of having a contact here in London and contracting with an English company. But the quality of work from the Chinese firm is impressive, and they have followed up diligently and really seem to want the job. Who would you choose?

17/08/10 - So, met with the potential mentor today. Seems like a nice guy, and it was good practice for me to pitch the business idea to him. He didn't quite get it, so he tells me I need to work on it a lot to get it down to a clear structure that can be explained to anyone, even without security expertise.

I'm not sure about him overall in terms of the value he would add for the cost, whether day rate and/or share equity. I mean, I have good friends in fairly senior business positions that I can use as a sounding board. Also, he has had two startups, but neither in the technology space, and I'm not sure how successful they were. I would also be his first mentoree (is that a word?) as he is new to the whole "knowledge angel" thing. Man, I wish I lived in Silicon Valley where these types of mentors must be a dime a dozen.

Still, he did make some good points regarding more traditional marketing methods, the potential need for user helpdesk support, and pricing. But he has no experience in this industry, so are those things relevant?

At this stage I think I may go without and just rely on my network.... keep following to see if that was a good decision.

I also made an offer to my number 1 choice developer. But I am a bit worried: for the one app I was interested in, when I called the client they had never heard of this company. Could be a red herring; the developer who did the site could have been working for themselves at the time. Still a red flag though, so I have asked for two more client references before I make any payment.

As a backup I have asked for client references for my next two choices as well. For the second choice, the client recommended them but his tone was not enthusiastic. I have emailed the two contacts for the third choice.

If you were curious, my first choice was the one whose work impressed me most, over the one with the local presence. But it may end up that I go with the second or third place anyway.

19/08/10 - Had my first deep-dive meeting with my chosen developer today over Skype. Was hoping to get my friend who speaks the native language on the call, but Skype difficulties prevented it. Overall it was quite funny - they had a new guy, the "communicator", who had never read the project requirements nor knew about the contract they had signed. Good start.

Also, there were about 5 developers on the call and none of them spoke English - I'm feeling really positive at this stage. I'm seriously running out of lost-in-translation pics.

[Image caption: Race horse designed by a committee? Or offshore developer over Skype?]

Anyway, I talked through the wireframes and they told me they understood them. Also answered some of their questions. Have set up daily calls (6:30am my time, yay!) and asked the communicator to keep track of a basic project plan. I am going to do the CARDI (constraints, assumptions, risks, dependencies, issues) log. I am a bit worried about the cultural differences that might mean that when they agree to something or commit to a date, they are not really agreeing nor committing.

Well, as you can tell, I am not the most optimistic about this, but my second choice with the local contacts was nearly double the price. My third choice was cheaper but offshore again, and had a less impressive portfolio.

Let's see how this goes. I have split it into 3 phases and only pay 30% upfront for phase 1. The next payment, 40% for phase 1, is only due when they provide a working UAT model, so my losses are contained to that in the worst case. Also they have penalties of 5% per missed requirement and 2% per day delayed, as well as a 10% bonus payment for success (i.e. on time, to quality). So here's hoping - not really sure what more I could have done. The developers with lots and lots of reviews either bid a ridiculously high amount or just didn't bid beyond the first contact. The learning experiences continue....

Oh, I almost forgot: in my quest to find like-minded startups in London I was told about I posted this to try and find some meetups and my mentor:

Let's see how many people reply. Also going to an event today that could be promising, mentor-wise and contacts-wise.

23/08/10 - So development has started; so far it seems positive. They filled in the status report, and I even have some client contacts to email about past jobs (I really should have done this before I hired them, eh?). The real test will come once I see some layouts and the first screens being put together. A bit of a trial I did with my wife's website tells me that the simple WordPress layout stuff is fine, but once we get to even slightly more complicated code like a PayPal button (I know, right!) that's where these guys can have some trouble.

Also, the drinking (I mean networking) session I talked about last Friday was brilliant. Met a couple of guys who said they would be happy to act as mentors, got some great sales tips and maybe even some leads for beta testers and early adopters. So all good.

24/08/10 - Development continues. I had some good news on the reference checks on my chosen developer. The feedback:

  "As I review the application that is developing for me, I have determined that it is a top-notch quality product. This product is a service built with the latest PHP technology available.
  Delivery on time: In our contract we have set forth milestones that are to be met on specific dates. So far they have all been met on time.
  Understanding requirements: Though we communicate at a distance, her team of engineers understand what my specifications are through constant contact.
  Status reporting: is always available to discuss the project through email and Skype, on a daily basis.
  Project management: keeps thorough records and keeps me aware of the status of the project's life-cycle."

This was really reassuring. So far so good; had a few questions today on the colour scheme, design and reference sites. I am going with blue and white and a really minimalist design. My reference sites are and the Mindjet MindManager application for the iPhone, which I find brilliant and invaluable.

Had some issues with the first payment. Being my first payment to this overseas country, that is hardly a surprise. I transferred money to the intermediary bank, which was a mistake, and have got that refunded. I need the full details before I can complete the actual payment. Quick tip: check on your Internet banking overseas transfer screen what information is needed (I needed a Bank Identifier Code (BIC, also called the SWIFT code) that my bank recognized, and an IBAN). Make sure you get these on the invoice from the developer, otherwise they are not getting paid on time.
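Since a mistyped IBAN or BIC on an invoice is what delays payment (or sends money to the wrong account), here is an added example, not code from the original post or from the developer, that sanity-checks both before you key a transfer. It implements the ISO 13616 mod-97 check digits for an IBAN and the ISO 9362 shape for a BIC; it does not verify per-country IBAN lengths or that the BIC is actually assigned, and the sample invoice values are constructed (the IBAN is the widely published ISO example, the BIC is made up and belongs to no real bank).

```python
import re

# Shape checks only: per-country IBAN lengths are not verified here (assumption
# for this example), so a structurally valid IBAN can still be wrong for its country.
IBAN_SHAPE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
# ISO 9362 BIC: 4-letter bank code, 2-letter country, 2-char location, optional 3-char branch.
BIC_SHAPE = re.compile(r"^[A-Z]{6}[A-Z0-9]{2}([A-Z0-9]{3})?$")


def normalise(code: str) -> str:
    """Strip whitespace and force upper case; invoices usually print IBANs in groups of four."""
    return re.sub(r"\s+", "", code).upper()


def _mod97(rearranged: str) -> int:
    """ISO 13616 mod-97: map letters to 10..35 (A=10 ... Z=35), then reduce the big number mod 97."""
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97


def iban_is_valid(iban: str) -> bool:
    """True if the IBAN has a plausible shape and its check digits verify (remainder must be 1)."""
    code = normalise(iban)
    if not IBAN_SHAPE.match(code):
        return False
    # Move country code + check digits to the end before reducing.
    return _mod97(code[4:] + code[:4]) == 1


def iban_check_digits(country: str, bban: str) -> str:
    """Check digits a bank would issue for this country code + BBAN (useful to spot a one-digit typo)."""
    rearranged = normalise(bban) + country.upper() + "00"
    return f"{98 - _mod97(rearranged):02d}"


def bic_is_valid(bic: str) -> bool:
    """True if the BIC/SWIFT code is 8 or 11 characters in ISO 9362 form."""
    return BIC_SHAPE.match(normalise(bic)) is not None


def check_invoice(invoice: dict) -> list:
    """Return a list of problems with the payment details; an empty list means they look sane."""
    problems = []
    if not iban_is_valid(invoice.get("iban", "")):
        problems.append("IBAN fails shape or mod-97 check")
    if not bic_is_valid(invoice.get("bic", "")):
        problems.append("BIC/SWIFT code is not 8 or 11 characters in ISO 9362 form")
    return problems


if __name__ == "__main__":
    # Constructed sample invoices: the IBAN is the published ISO example value,
    # the BIC is illustrative only and is not assigned to any real bank.
    good = {"iban": "GB82 WEST 1234 5698 7654 32", "bic": "ABCDGB2L"}
    typo = {"iban": "GB82 WEST 1234 5698 7654 23", "bic": "ABCDGB2L"}  # last two digits transposed
    print(check_invoice(good))   # []
    print(check_invoice(typo))   # ['IBAN fails shape or mod-97 check']
```

The mod-97 check catches single-digit errors and transpositions, which is exactly the kind of mistake that gets introduced when an invoice is retyped; it says nothing about whether the account belongs to the company you think you are paying, so a phone call to a known number to confirm the details is still worth making before a first payment.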

On an architecture front, my existing hosting site doesn't support J2EE, so we are now looking into an alternate host. I am keen to run the database on Amazon SimpleDB, so my preference is EC2, but the developer is looking into it.

Also trying something from The 4-Hour Work Week book: some cheap Google AdWords advertising to see how much interest there is in the application from non-targeted potential customers. My AdWords campaign is focusing on PCI-DSS compliance, and the landing page should give me an idea via Google Analytics of what the interest levels are. I was also thinking of advertising in some small niche magazines, as the book suggests, but I have found that the advertising rate cards are prohibitively expensive. Need to spend some time on the weekend looking for cheaper, more niche advertising.

27/08/10 - Saw the design preview today and wow, I'm really impressed. To be fair, I did provide them with the designs I liked, but it is still nice to have something you love first time and to see that they are actually doing some work and are capable of delivering. Check out a sneak peek (these are likely to change a lot by go-live):

01/09/10 - Development continuing well. I saw 5 more pages today and provided feedback; looking good. It is so much harder to go through pages and write comments in detail than to see the developer face to face and talk to them. But at least there is a written record of everything.

Have been reading up a bit on start-ups, joining a few sites like Kickstart. Read a couple of good articles on what to look for in a technical co-founder and a business co-founder. Have managed to line up a meeting with a CISO at a major bank; could be great input on features as well as a potential buyer.

Also emailed a few competing vendors; from some research on their websites I'm sure I am going to have a superior product at a cheaper price. In the email I asked for list pricing and any competitive analysis they have - feels a little bit unethical, but oh well, let's see if they respond.

08/09/10 - The design for all the pages is now done. I'm pretty happy with how it is shaping up. Coding has started on the functionality; I think we are on track at the moment.

16/09/10 - Sorry for the lack of updates for anyone that is actually following this; not a lot has really been going on. The development is going along well: they have completed all of the design now and are starting on the functionality. The login function is now live and they are working on the rest.

Had a bit of a setback today: there was a bit of confusion on what functionality was required on the mobile-formatted version of the site. I clarified that it was the full functionality. This may mean that they have to put extra developers on the project - the beauty of fixed price, for me I guess.

23/09/10 - The development is going really well. The design is now fully completed (with only a few tweaks left) and about 40% of the functionality is finished. There is even an alpha version now up on Amazon EC2!

13/10/10 - Wow, no updates in almost two weeks; that is terribly slack. Things have been going well. As in all IT projects there have been a few delays on the timeline: the developers have asked that the testing time be cut back by 10 days, so we will begin beta testing a week or so into November. This is not great, and I am not a fan of cutting the testing, but the application is in a pretty good state and the functionality is not that complex, so I think we will be able to test it this weekend. To be fair, I have provided some additional requirements as I have been reviewing their work and feeding back. This is why I do not think a crystal-ball "let's get all our requirements documented up front" approach works; some things only occur to you when you can actually see the site working and the flow.

The majority of the functionality is now done, including the login, PayPal and Google Checkout. A few user experience niggles to beat out; I did a use case and flow diagram of the login process - I really should have been less slack and done this upfront.

Also got my first bill for Amazon Web Services. Wow! It was a bit higher than I expected; lesson learned, I should have gone with a micro instance and reserved it from the start to save money. At least the site is now up and working on Amazon in alpha form. Got a good group of enthusiastic testers for the beta starting soon, so if you got this far, drop me an email or Twitter message and I will invite you to it.

I have been quite slack on working on this, no excuses really, although my day job has really picked up with a major project gathering steam and some short-term deadlines. My goal this weekend is to set up a memory test and survey and really prepare the pack for beta testing. I will also write some detailed test scripts and adjust the Amazon settings so I can hopefully save some money.

21/10/10 - Ok, so all that stuff I planned for last weekend: none of it got done. Try again this weekend.

Had to totally rework the login and subscribe flow; I think they finally get it now, at least I hope they do. The subscribe is now separated from the login, which allows people to log in and try the site for 30 days without having to think about payment. Hopefully this will mean more small businesses in particular try it out, love it and then subscribe later. Increasingly, though, I am thinking that having the online subscribe is a waste of time: as this is a B2B rather than B2C application, I think the only customers I will get, especially at the start, will be via a good amount of selling and hand-holding. I was reading this article on getting the first enterprise customers, which reaffirmed that point. The first customers will most likely just pay via invoice, so why am I wasting time with the online subscribe and PayPal and Google Checkout again? Oh well, lessons learnt.

Also had to draw some pictures to explain some functionality: the emailing for action tracking. Man, I wish I could just go and see the developers, sit with them, tell them what I wanted, get feedback, and have them understand English. Oh well.

The mobile web version of the site is delayed till 10 November. I am most nervous about this one because I have yet to see even one design of it. The design will have to be significantly different from the desktop web version, but I drew the original mockups for a mobile platform, so hopefully the developers are following that.

Next full version of the site for my review 25th October.

01/11/10 - On holiday at the moment; a bomb went off 10 km down the road, awesome! Really finding it hard to get motivated to work on the site. It needs soooo much more work to get polished. Looking at startup sites like Gist, or even old hands now like Dropbox, is so demotivating. I don't even have some of the basic pages like an About Us or Contact Us done right. The login process is clunky; the developers have implemented it using some code they hacked off anyopenid and it just is not as smooth. Just got to write up everything I need changed and try and get them to do it. This is hard....

09/11/10 - Oh man, bugs bugs bugs everywhere. We were supposed to be ready for UAT at the start of November, but the developer misunderstood that this meant that the product is basically working functionally. It is nowhere close to that; I found so many bugs today I can't even ask anyone that signed up to the beta to test.

14/11/10 - Ok, this is really hard. I have to admit my timelines were too aggressive for this project. I just did not allow enough time for test and am now going back to my developers to re-baseline this project. Basically there are way too many bugs in the core functionality, and there was also a bit of lost in translation. I had hoped and expected to have a version that was ready for User Acceptance Testing (UAT) by the start of November, i.e. the application functionally works and I am getting feedback on the user experience and tweaking. Unfortunately the developers thought this meant ready for testing; there are still a lot of bugs, including many in the core risk calculation functionality. Must say they have done the UI pretty well though!

I also underestimated how hard it would be to dedicate my time to this once the initial shine had worn off. I am really, really busy with my day job at the moment, and being stressed and tired on weekends, the last thing I want to do is focus on testing or try to explain this calculation again to my developers (that was this weekend, by the way, and I still didn't get enough done).

So I have proposed to them that we re-baseline the project, allowing an additional month for testing and then two months of UAT before we even think about the iPhone version. So anyone that saw this coming when I hired an overseas developer, laugh away, but I'm not giving up on this.

03/12/2010 - Got to do some testing today that I have been putting off for ages. Still have yet to take all the requirements and put them into detailed test cases for rigorous testing. One part of me wishes I was developing this app myself so that I could have full control and make it easier to update later, but the other part thinks, if I can barely find the time and motivation for testing, how would I have done with the coding, and definitely the graphics and design?

Still, it is getting there; much of the core functionality is built now and seems to be working ok without pushing it too hard or down too many exception paths. I did end up extending the development by one month, so I have December for testing as well. I am hoping to start the beta proper by the end of next week, leaving 3 weeks of focused beta testing to provide bugs for the developers to fix before I owe them the final payment.

Have done very little work on the business development side as well; have been feeling a bit down on the concept lately, but after testing today I have a bit more enthusiasm back. This could actually be a useful tool that people may pay money for.

16/01/2011 - Last post on this for now. Really just couldn't ever find the time to get all the bugs out of the program, and I also lost a bit of faith in the value the concept would provide. So for now it was an interesting experience; learned a fair bit, but that's the end.

27/02/2011 - Maybe I should let sunk costs lie, but I have fired up the server again and am going to try and do some marketing on this by doing some talks at the local Hacker News and DEF CON meetups.

