A few months ago I spoke to the CISO of a multinational logistics company who told me that his company would never allow citizen development. “I see that the benefit could be huge, but we won’t allow it,” he said.
This statement makes perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies accustomed to seeking tight control over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.
At a follow-up meeting with the same CISO a few weeks ago, the conversation went in a different direction. Marketing teams found CASB and began using no-code automation. Business application teams started using Salesforce to streamline business processes instead of just focusing on sales and customization. Employees across the company were using Microsoft’s built-in platform to build custom Teams applications. “Turns out, we didn’t have a choice. Citizen development is a reality now, and I now hope to mitigate its security risks,” he told me.
This CISO is not alone. The largest banks, retailers, and manufacturing companies in the world are all about citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.
How Low-Code/No-Code Platforms Find Their Way Into the Enterprise
To understand how organizations can move from “low-code who?” to “business developers” in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at the go-to-market (GTM) strategies of low-code/no-code platforms.
1. Land-and-expand: Low-code/no-code platforms follow many paths to the heart of the business. The first and most obvious is a top-down approach. In organizations where digital transformation is a strategic effort, senior management is often looking for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular options for digital innovation are low-code application platforms (LCAPs) and integration platforms-as-a-service (iPaaS).
In the digital transformation scenario, an organization will typically set up a center of excellence (CoE) that starts by finding key use cases that quickly create business value. Think of business applications used to manage an HR giveaway campaign, accept vendors at your facilities, or handle employees’ IT equipment orders. More importantly, the CoE serves as an inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized group that leads by example does not need to be explicitly called a CoE. It could be the business applications team, the intelligent automation team, or the integration team, for example.
Once users start to have an appetite for applications that enhance business processes, the CoE backlog quickly overflows. It is at this stage that business users begin to develop their own applications, either through guidance from the CoE or on their own.
LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their primary growth strategy. Although it is easier to get in the door with a solution used by a centralized team, the value that can be achieved grows significantly when low-code/no-code tools are placed directly in the hands of business users. In fact, LCAP and iPaaS vendors are investing heavily in making their platforms more accessible to citizen developers. Slowly but surely, business teams throughout the organization become aware of these platforms and begin to use them to do their jobs.
This land-and-expand model is a win-win for vendors and customers. Centralized teams bring these platforms into the corporation and demonstrate their value, leading business teams to realize their potential by meeting a wide range of business needs quickly, on their own.
2. Bottom-up (shadow IT): The marketing team at that logistics company was diligently preparing for a big conference. The company planned to make some important announcements, with the goal of making the event a big deal and generating a lot of buzz. To translate this hype into leads, the team wanted to set up a dedicated landing page with content optimized for conference visitors. The marketing team hired a vendor to build the page. To deliver quickly, the vendor used a no-code automation platform to set up an email campaign and sync leads to the company’s CRM. The result was a great conference experience, powered by a no-code automation platform connected to the company’s CRM.
In the rush, however, the CRM integration was set up with an administrator account that was shared with all the developers on that account. At launch, only a handful of developers had access to the account, but after seeing the value, the entire marketing team was granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or opportunity to refuse.
This is a typical story, where platforms are introduced directly by users to solve a particular problem, without security visibility or guardrails. Once inside, they continue to expand into additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been a hot GTM trend over the past few years.
In fact, users introduce these platforms because they really solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are common examples. This is great for business productivity. However, over time, organizations will find that their business-critical data and processes have slipped out from under the security umbrella.
3. SaaS becomes the new business cloud: Name your favorite company’s SaaS platform. Most likely, it’s a low-code/no-code development platform as well, and your business users are building with it. Don’t just trust me here – I encourage you to check it out for yourself.
In recent years, SaaS vendors have increasingly moved towards becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other SaaS leaders have all introduced their own low-code/no-code platforms, embedded in the very platforms that your business users already use. Some vendors focus on if-this-then-that automation and others on custom application development. But they all interact directly with business users, empowering them to do more on their own.
Going back to the previously mentioned logistics company, the CISO found that users across the organization use Power Platform, Microsoft’s low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gain access to resources on behalf of their Teams users to do useful things like set up calendar invitations, send emails, or share SharePoint files. Incidentally, this also gave application creators control over application user identities, allowing them to impersonate their users through the applications. As with any application that gains access on behalf of users, that access can be used to do harm, whether maliciously or unintentionally.
SaaS vendors are strongly pushing low-code/no-code as a way to expand their business. They take advantage of what is already in the hands of business users and create app development platforms for their specific personas. This, again, is great for innovation and business speed.
The Time to Act is Now
With all the different ways low-code/no-code enters the enterprise, it becomes clear that organizations cannot opt out of citizen development. Gartner predicted that the number of active citizen developers in large businesses will exceed the number of professional developers by four to one by 2023. Other analyst firms predicted similar numbers. Even if we have just one citizen developer for every professional developer, can we really leave that outside the security umbrella?
Instead, security teams should accept low-code/no-code and help guide the new generation of citizen developers in accordance with enterprise requirements. The sooner it is done, the better.