The CTO test: seven questions every founder should be able to answer.

One of the harder things about running a small or mid-sized company is figuring out when you've outgrown asking the developer and need a senior technical voice in the room. The signals are usually behind-the-scenes: deferred decisions, vendor surprises, hires that don't stick. By the time the consequences hit the P&L, you've been operating without a CTO for a year longer than you should have.

Here's a diagnostic. Seven questions. None of them require you to write code. If you can answer each one cleanly — in a sentence, in your own words, without checking anywhere — you probably have either a CTO already or a strong-enough operating partner. If you can't, the gap is real, and these are the questions a Fractional CTO would walk into your business already starting to answer.

1. What's the single biggest risk in your current tech stack?

Question 1 · Risk

Not the most annoying thing. The biggest risk — the thing where if it went sideways, you'd be in serious trouble for at least a quarter. Common answers: a single vendor we couldn't migrate off in under six months. A senior engineer who's the only person who understands the deployment pipeline. A piece of software that's two major versions out of date. An integration that nobody fully owns.

Most companies have at least one risk like this. The problem isn't having one. The problem is not knowing which one it is. If you can't name yours, that means nobody senior has done the inventory.

2. Which of your vendors could shut down without warning, and what would you do?

Question 2 · Vendor concentration

Software companies fold, get acquired, or change their pricing model overnight. We're past the era when "everyone uses [X]" was a guarantee. Your CRM, your accounting system, your email service, your AI tooling — for each one, what's your fallback if you got a 30-day shutdown notice tomorrow?

You don't need a complete migration plan for every vendor. You need to know which vendors would actually hurt if they disappeared, and roughly what your move would be. If the answer is "I have no idea," you've discovered an exposure you can't price.

3. What would change about your business if you had to switch CRMs in 90 days?

Question 3 · Switching cost

This isn't an academic question. CRM repricings are increasingly aggressive, and "lock-in" is no longer just a feature comparison — it's a real cost line. The exercise of imagining a forced switch surfaces three things at once: which workflows you've quietly outsourced to one vendor, which integrations would break, and which historical data you'd lose access to.

If the answer is "we'd be in serious trouble," that's worth knowing. The fix isn't to switch — it's to systematically reduce the dependency over six months so the next renewal isn't a hostage negotiation.

4. How much technical debt do you have, and what's the interest rate?

Question 4 · Technical debt

Technical debt is the work you skipped to ship faster — shortcuts in the codebase, half-finished integrations, manual workarounds that never got automated. The "interest rate" is what those shortcuts cost you per week in slowed-down work, bugs, or workarounds.

Most founders can't answer this because the developers don't volunteer it. Every codebase older than two years has at least three accumulated chunks of debt that are slowing the team down. A senior technical voice puts a number on each chunk and decides which to pay down first.

The companies that struggle most aren't the ones with debt. They're the ones with debt nobody has named.

5. Why is your last technical hire still here, or why did they leave?

Question 5 · Hiring & retention

This is a deceptively important question. Hires don't leave for one reason — they leave for the same two or three reasons, repeatedly, in patterns. If you've lost a senior developer in the last 18 months, the answer to "why did they leave" should be specific: management quality, compensation gap, lack of senior leadership, no clear path to growth, work-life pressure.

If your answer is "they got a better offer," you don't actually know yet. Better offers are how people leave; the reason they were open to one is what matters. A senior technical voice in the room asks this question routinely — not because retention is the goal, but because the answers are diagnostic of management problems you might not see otherwise.

6. What is your AI policy?

Question 6 · AI governance

Two years ago this question would have sounded like it came from a compliance officer. Today, every employee at every company has free access to powerful AI tools, and most of them are using those tools without governance. That means: customer data being pasted into ChatGPT. Code being generated and committed without review. AI-drafted emails sent to clients without oversight.

An AI policy doesn't need to be 30 pages. It needs to answer four questions: what AI tools are approved for what kinds of work, what data cannot go into AI tools, who reviews AI-generated work before it's externalized, and what your customer-facing AI use looks like (if any). If you don't have explicit answers, you have an implicit policy — and it's almost certainly not the policy you'd choose if you thought about it.

7. What would it take to recover from a compromised email account?

Question 7 · Security & recovery

Email account compromises are the most common breach we see at the SMB level — usually phishing, occasionally credential reuse. The damage isn't always the email itself. It's the access to whatever the email account is logged into: cloud storage, payroll, banking portals, vendor accounts.

If your founder's email got compromised today, what's the first thing you'd do? Who do you call? How do you confirm what's been accessed? How long until you've revoked downstream access? If the answer is "I don't know," that's a CTO-shaped problem, even if you've outsourced your IT to a managed-service provider. The MSP keeps the lights on; the CTO owns the response plan.

What to do with the answers

If you read those seven questions and answered them all confidently — specifically, in your own words, without hedging — you don't need a Fractional CTO. You either have one already or your role plus your senior developer is doing the job.

If you found two or three you couldn't answer, you have a CTO-shaped gap. The gap can be filled by a senior hire, by a fractional engagement, or by structured time with your existing senior developer to get the answers documented. Which one is right depends on size, stage, and budget.

If you found five or more you couldn't answer, the gap isn't subtle anymore. You're operating with significant exposure that you can't see. The first 30 days of a Fractional CTO engagement is mostly about answering these questions in writing — not because the document matters, but because the act of answering them is what surfaces the work that needs to happen next.

If you want to walk through these questions with someone who's done it for other companies in your shape, the free 30-minute discovery call is built for exactly that. We'll talk through each question, name the answers you can't yet give, and tell you honestly whether a fractional engagement, a senior hire, or just clearer process would close the gap fastest.