Low-code/no-code citizen developers: How companies are balancing innovation with security

The benefits of low code/no code platforms are well known, but adopting them at scale across enterprise has proven to be a challenge for many companies. The “Dos and Don’ts of Upskilling Citizen Developers Across Your Org” panel at VB’s latest Low-Code/No-Code Summit dug into the citizen development movement, from security concerns to scaling challenges and more.

“Organizations are sitting on this enormous pool of talent within the organization,” said Dali Ninkovic, manager (global B2C), PMI Citizen Developer Practice at PMI (Project Management Institute). “Low-code/no-code technology enables this talent to surface and be creative and innovative. There’s nobody better to start these new initiatives within the organizations than people who are not, by definition, professional programmers. This is something that results in enormous value.”

When it comes to tapping into this talent pool, however, companies need to start small. A discovery and experimentation process within a single department helps prove the value of the initiative to the company at large. From there, a gradual, thoughtful roll-out to other departments helps business leaders develop a strategy for growing the citizen development program across the organization.

“In the discovery phase, you’re just trying to get comfortable with the tools,” said Pete Schaefer, director, information security at TrackVia. “Right around where you get into adoption, if you haven’t already, I would really encourage citizen developers to deliberately engage with your IT or your security teams. You want to make sure you’re using the platform in an appropriate manner based on the type of data you need to process and protect.”

Lenka Pincot, head of Agile transformation, Raiffeisenbank Czech Republic, agreed, noting that citizen development is supposed to bring business and IT people closer, not to set them apart.

“Each of these roles has different responsibilities and knowledge,” she explained. “If we make them work together and share their experiences, then we enable business innovation in a fast and easy way — what low-code/no-code platforms are developed for. At the same time we provide enough information and assurance for IT specialists that the intention is not to create a shadow IT, but to help solve business issues faster.”

Ninkovic agreed, and recommended that organizations embrace a security-first approach across the organization to ensure that shadow IT issues never develop.

“Make sure that the platform is validated and vetted by IT,” he said. “Most of the applications of citizen development that I’ve seen are going to be created on top of existing data and core systems like SAP or Oracle Financials, things like that. IT needs to make sure that the correct access for citizen developers is enabled for these APIs. Obviously, before these applications are rolled out, I would definitely recommend that companies implement some form of approval process in line with their IT standards and guidelines, to ensure that all of the CD-created apps meet all of the security standards and have a continuation, a long lifespan and maintenance plans in place and so on.”

Before citizen development initiatives can be fully adopted, organizations also need to put a governance strategy in place, Ninkovic added. It should define clear objectives for the citizen development initiative, including which departments will be involved, how IT will oversee development, and how citizen developers should balance their daily job priorities, and how teams determine which business problems will actually benefit from an application. He also recommended putting what he calls a command center in place: a combination of IT people, business people and stakeholders who set policies and guidelines in place, oversee the program and oversee regular reporting from teams.

Pincot noted that her company uses what they call “centers of expertise,” or smaller groups of specialists who manage each aspect of their citizen development strategy — a global center of expertise for citizen development that handles global security policies, including local specialists who can help business teams implement solutions properly, and so on.

“Citizen development means you give really powerful tools into the hands of people who can use them by themselves,” she said. “It’s critical to balance centralized decision-making or centralized governance versus enough freedom and empowerment to use these tools for innovation.”

These communities of people can exchange ideas, answer questions and develop a collective body of knowledge that keeps the program evolving and continuously unlocks new and innovative ideas, while implementing them safely.

In smaller companies without the same kind of governance structures, employee education is key to ensuring citizen developers understand the basics of security and why it’s needed, Schaefer said, without shutting down innovation. With too many restrictions and too many guardrails, citizen developers are discouraged from pursuing new ideas.

It’s about “balancing security risk, innovation, speed of providing a solution,” he explained. “The hard part is, how do you understand what that balance is, and even get agreement on what that balance should be?”

Pincot pointed to Raiffeisenbank’s hackathon event, in which the winning team created an application that allowed employees to exchange unwanted items and donate to charity.

“That was amazing, because in this type of application, they would probably never make a list of IT priorities or business priorities,” she said. “This is where we need to enable innovation, not to use technology only to improve something that we didn’t figure out properly before or fix some data transfers and so on, but really put something in the hands of people who have good ideas — and they can’t wait for the priorities of funding because it’s not business-critical. They have a great idea that can really improve culture and the well-being of people in the organization.”