I spent years as CIO at companies between 200 and 10,000 employees. Then I started a small consulting practice — and discovered that the playbook I'd used for the larger companies didn't translate. Not because it was wrong, but because the scale broke the assumptions.
Here's what I run, and the framework I use to decide on it.
The stack
For CLIMB IT Solutions, today:
- Identity: Microsoft 365 (E3). One identity for everything that can federate.
- Productivity: M365 (Outlook, Teams, OneDrive, SharePoint). I tried Google Workspace; M365 fit my technical-services clientele better and was a wash on cost.
- Business OS: Odoo Enterprise — CRM, invoicing, helpdesk, HR, project, website. (See previous post for why.)
- Project / work management: a shared work tracker for client delivery, GitHub Issues for engineering work.
- Communication: Slack with clients, M365 Teams internally.
- Code + infra: GitHub, AWS (Bedrock + S3 + lightly used compute), DigitalOcean (cheap workloads), Cloudflare (DNS + CDN + WAF + Tunnels).
- Security + monitoring: a self-hosted open-source SIEM, an APM for application visibility, 1Password for credential management.
- AI: Betty / OpenClaw (my own; see post).
The framework
The thing that changes when you're both supplier and customer is this: every tool you adopt is also a tool you're recommending. If I use a work tracker for client delivery, I have an opinion about that tracker's worth. If I run an open-source SIEM for my own MSP business, I know exactly what it takes to deploy one for a client.
This means my tool choices have to satisfy two constraints simultaneously:
- Small enough to use myself. A small practice cannot operate the same SIEM stack as a 5,000-person enterprise. The setup cost dominates. So I need tools that are appropriate for the size I am.
- Big enough to recommend. If a tool can't scale to my biggest clients, I can't justify learning it. I need tools that grow with my clients.
The intersection is narrower than you'd think. Most enterprise IT tools fail constraint #1 (too heavy). Most small-business tools fail constraint #2 (won't grow).
Where the playbook gets specific
A few opinionated calls that come out of this framework:
- Pick a security stack you can run AND deploy. I run an open-source SIEM internally because it's deeply customizable and I can stand it up for a client in 1–2 weeks. I wouldn't run a managed-XDR product internally because if a client asked me to deploy one, I'd have nothing to compare it to.
- Prefer one consolidated platform over four best-of-breed tools. One work tracker instead of Asana + Trello + Notion + Confluence. Odoo instead of HubSpot + QuickBooks + Zendesk + Mailchimp. The integration tax is real, and small businesses can't afford it.
- Self-host where the data is sensitive, SaaS where the data is commodity. Open-source SIEM on our own infra. M365 in the cloud. Bedrock for AI (sensitive prompts + my own data, but Amazon's infrastructure for the model weights). The line I draw is "would I be embarrassed if this got breached?" — if yes, self-host.
- Standardize on identity. One identity provider. One MFA enrollment. One conditional-access policy. If you cannot enforce a conditional-access rule on every business app you use, you do not have an enforceable security posture, you have a wishful one.
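What "one conditional-access policy on every business app" looks like in practice, as an added example that is not from the post or from CLIMB IT Solutions: an Entra ID conditional-access policy created with the Microsoft Graph PowerShell SDK. The policy name and the break-glass account object ID are placeholders, and the tenant, the installed SDK and the granted scopes are assumed. The policy targets all users and all cloud apps, requires MFA, excludes one break-glass account so a broken policy cannot lock the tenant, and is created in report-only state so the sign-in logs show what it would have blocked before it is enforced. The second part lists the enterprise apps actually registered in the tenant; any SaaS product you pay for that is not on that list is not federated, so no conditional-access rule can touch it, which is exactly the "wishful posture" case above.

```powershell
# Added example (not the post's own code). Requires the Microsoft Graph
# PowerShell SDK and an account that can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of your emergency-access ("break-glass") account.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

# One policy, all users, all cloud apps, MFA required.
# Created in report-only mode first; switch state to "enabled" once the
# sign-in logs show no unexpected impact.
$policy = @{
    displayName   = "CA001 - Require MFA for all users on all cloud apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Enforceability check: enumerate the enterprise apps (service principals of
# type Application) that are federated to this tenant. Reconcile this list
# against your SaaS invoices; anything missing is outside the policy.
$federatedApps = Get-MgServicePrincipal -All |
    Where-Object { $_.ServicePrincipalType -eq "Application" -and $_.AccountEnabled } |
    Select-Object DisplayName, AppId |
    Sort-Object DisplayName

$federatedApps | Format-Table -AutoSize
```

Run the reconciliation step before trusting the policy: a tool that signs users in with its own local accounts never appears in this list, and the only fix is to federate it (or drop it), not to add another policy.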
What I'd skip
A few things I see other small consultancies adopt that I deliberately don't:
- Custom-built internal tools that aren't part of the offering. If we're not selling consulting around it, I don't want to maintain it. Build vs buy, I buy.
- SaaS contracts longer than 12 months. The discount isn't worth the inflexibility.
- More than one of any category. One CRM. One project tracker. One identity provider. One password vault. Categorical discipline is the cheapest cost-saving in IT.
That's the playbook. It's working today; ask me again in five years if it still does.
— Manuel