We have entered the era of the citizen developer, ushering in both exciting opportunities and new concerns for big business. Up to now, large corporations have relied on IT departments to design, configure, and modify complex software systems that were customized to their specific needs. However, faced with increasing digital demands and a shortage of skilled programmers, many companies have embraced low-code and no-code development tools to bridge the gap.

There are many advantages to low-code platforms, which empower non-technical personnel to build their own business applications with intuitive drag-and-drop interfaces. While front-line employees may lack programming expertise, they often have a deep understanding of the company’s processes and pain points. These DIYers can fill a critical need as overburdened IT departments struggle with limited resources and project bottlenecks.

But like everything in business, there are risks and rewards to democratizing IT and giving amateurs the power to create and maintain apps.

4 Risks to Consider with Rapid Application Development

The benefits of low-code development are many. It frees up IT to tackle complex problems. Workers report being happier. Citizen development brings productivity gains, performance improvements, faster deployment of apps, and IT cost containment. However there are some risks that enterprises should consider:

  • Faulty design risk. This is the risk that the app has a faulty design, which citizen developers may lack the knowledge and experience to recognize. When low-code apps are built and deployed rapidly, they might not be tested thoroughly to ensure that the logic is sound. It is one thing for an app to access business data, but quite another for it to ingest or manipulate the data without validating it. Other potential design flaws include an abnormal database architecture that could give users incorrect or misleading information and be time consuming and costly for technical professionals to repair.
  • Knowledge transfer risk. The citizen developer should not be the only person in the organization who understands the design and maintenance of the app. It is risky if the organization is dependent on knowledge possessed by only one individual.
  • Compliance and security update risk. Citizen developers might not be aware of a company’s data security and governance requirements. If they connect or integrate their app with other services offered on the web today, they could unwittingly introduce security vulnerabilities that would have been obvious to more seasoned programmers. Also, when an app relies on code that is outsourced and delivered in pre-configured modules, you are dependent on the vendor to stay on top of security vulnerabilities. You might not be able to debug your low-code apps until the vendor provides a fix.
  • Data silos or duplication of efforts. When users are free to develop applications at will, it can create a Wild West scenario of data silos, with data created and stored in apps that aren’t accessible to the rest of the enterprise. Or you can have a duplication of efforts with people creating redundant or competing apps.
The citizen developer should not be the only person in the organization who understands the design and maintenance of the app.

How to Mitigate the Risks of Citizen Development

Despite the risks, enterprises should not ignore the tremendous benefits that ‘cracking the code’ can bring. Low-code development is here to stay. A recent Forrester study projected that the low-code application market will grow from $1.7 billion in 2015 to $15 billion by the end of 2020.  Gartner’s Strategic Planning Assumptions suggest that by 2020, more than 70 percent of enterprises will have strong citizen development policies in place.

A recent report from Quick Base, a leading low-code platform, found that while users were overwhelmingly satisfied, the biggest obstacles to implementing low-code solutions were security concerns and executive buy-in. However, with some common-sense precautions, businesses can see huge productivity gains from letting citizen developers automate repetitive tasks, solve problems, and make their own workflows more efficient. To mitigate the risks of citizen development:

  • Use a vendor you trust. When choosing a platform, consider the vendor’s reliability and the security features it provides. Does the vendor publish updates and bug fixes in a timely manner? Research the vendor’s security history. As long as citizen-developed applications are built on a platform with state-of-the-art security, data breaches are no more likely than with other corporate systems.
  • Cultivate an atmosphere of partnership between IT and the business units. Just because employees can create and deploy applications quickly doesn’t mean they should. IT departments should supervise and support the development process to harness the benefits and control the risks. Put citizen-created apps through the same security reviews as custom software. Have an IT liaison guide citizen developers and help users integrate what they build into the enterprise.
  • Don’t use low-code platforms for critical, high-security tasks. While low-code programming is convenient and cost-efficient, it might not be the best choice for sensitive tasks with complex security or compliance requirements. Educate employees about what kind of data is safe to keep in cloud storage, and what’s not. Use a Data Classification Matrix or similar tools to classify different kinds of data into categories such as: commonly public, confidential, internal use only, and so forth.
  • Don’t skimp on training. The more people in an organization who know about the platform and its capabilities, the more people can use it to innovate and create new solutions. Make sure both IT and citizen developers have access to training on the low-code platform. Allow them time to experiment and try new things out, with your encouragement. It is important for citizen developers to be familiar with corporate policies on data handling, encryption, password management, and legal compliance – for instance, HIPAA for health-care information, PCI for credit card data, and FERPA for educational records. Make sure employees understand the risks of using cloud-based apps over public wifi hotspots.
  • Require code commenting and documentation. Businesses should establish a portfolio management process, with standardized approaches to data handling and documentation. Proper documentation helps to mitigate knowledge transfer risk and ensure that future users can easily find what others have done and build upon it.
  • Don’t hesitate to call for outside help. Outside experts who know the platform well can support internal app builders by helping them get started, walking them through difficulties, and helping them avoid mistakes in design and implementation. Outside consultants can also help to spearhead a well-governed citizen developer initiative and mediate between IT and the business units.

At Watkyn LLC, we work with IT and citizen developers in enterprise environments every day. We help businesses develop applications using no-code or low-code platforms like Quick Base, and deploy those applications across departments using best practices to mitigate risk.

To discuss how rapid application development using a no-code platform like Quick Base might help your business, you can reach Phillip Dennis at (954) 900-6690 or by e-mail at p.dennis@watkyn.com.

As long as citizen-developed applications are built on a platform with state-of-the-art security, data breaches are no more likely than with other corporate systems.

1 Comment

  • Surya Avantsa

    At last I’m glad to find someone else who thinks like me. I feel like showing this article to my client and say look I’m not the only one saying that security is important.

    While QuickBase itself is a very secure platform, the moment you use Javascript to customize the app, you are throwing everything thing out there for anyone on the street to look up your app tokens and user tokens.

Leave a Reply