
Hybrid working models could spur the start of a bigger ‘build your own application’ trend. But is it secure?

Image Credit: Bruce Mars / Pixelbay

Hybrid working models have come of age as companies emerge from the pandemic and re-evaluate the trust they place in employees to be productive and the overheads offices have consumed while left unoccupied this last year. 

Numerous household names have said they support more flexible working patterns, with many planning to reduce their office space; BT said it would reduce its office footprint from 300 offices to 30, while Facebook and Twitter have told their teams they can ‘work anywhere’ in the future. In the case of Nationwide, its work anywhere decision is in direct response to just 6 percent of employees saying they’d want to work in an office, a third saying they’d prefer a blend of home and office, and the rest wanting to stay working at home.

It’s certainly proved a conundrum on many levels, but especially at a very individual and personal one: from the impact home working can have on learning and development and inclusion, through pay, cost of labour and regional variations, to managing family and being more productive in the time available.

Of course, the biggest incentive is the savings to be made on property. HSBC cites a potential saving of $5.5bn a year if they cut back space by 40 percent. This will be music to shareholders’ ears, but also those of the CTO as it constitutes investment that can be made in digital transformation, innovation, productivity tools, customer experience and product development. 

However, it’s clear from speaking to CTOs that they are caught between a rock and a hard place. They now have thousands of home offices to keep going and secure, not a few, yet they can’t rely on the cash released to facilitate all the demands being made upon it. 

It’s unsurprising then, that Forrester Research predicted that by this year more than half of software developers would be using no code and low code tools to build the lighter-weight applications people are asking for to do their job well. It’s a model that has real merit and potential. It provides flexibility in terms of budget as it’s very low cost, it’s fast so solutions can be built in a day and you need no coding experience to create something useful.  

Forrester’s prediction was made before the pandemic, so it’s likely the numbers will be greater now and I suspect it’s not just professional developers who will be turning to build your own app models either. Employees will start to get in on the act and use it as a way to create a quick solution to a regular daily problem. They can crack on with creating mini applications that can do a quick calculation to save time or keep a project log running between people dispersed across the country or world. They are no longer bound by the IT team’s resource constraints. 

But it brings new risks. Just as bring your own device forced a rethink on policy and corporate network security, so will build your own application. CIOs need to be aware that while their own teams may embrace no code or low code models, the trend is likely to permeate the organisation outside of the IT function. As a result, it is likely to create inefficiencies and leave the network littered with cyber security hazards.

Top three things to consider:  

  1. Just because you can doesn’t mean you should. As build-your-own apps are often built by the functional business unit, they create an ineffective and inefficient model to deliver outcomes. There are few best-practice or straw-men apps to learn from (often the reason why they have been built in the first place), so they don’t always consider specialist development process and user design. Plus, it’s likely another function elsewhere needs a similar app – then you have a number of apps doing similar things slightly differently. Wouldn’t it be better to have the synergy of a central service catalogue for business units to pick and choose from?
  2. This highlights the question of resource. When you have a ‘part-time’ approach to development in the business unit, you are ultimately distracted away from the function’s core role. That can’t be good for the bottom line, the customer or their core function. This is especially important if they aren’t incorporating, perhaps unwittingly, effective security into the process.
  3. Keeping track of who is doing what could be incredibly cumbersome, which is why it’s good to advocate a zero trust model. It will ensure that anything inferior and insecure is identified and taken off the network.   

What does that mean in practice? There are four attributes a zero trust model should have: 

  • Identity verification – every person and device connecting to the network should prove its identity and get permission to connect, preferably with multi-factor authentication.
  • Micro-segmentation – this is about controlling who can access what. It generally centres around data based on value and importance. The most valued data should be ring-fenced with well-defined access rules.  
  • Least amount of access – Each user should get the least amount of permission they need. 
  • Access to sensitive networks and data should be monitored, and alerts should be raised and handled once unauthorised access is detected.

When a model like this is in place, new and unqualified applications, which is what build-your-own apps are, can be detected and their access halted. Such a model can be easier to implement as part of the move to the cloud, but it can be introduced retrospectively too.

There is however an upside that CTOs could embrace. Zero trust models represent an effective means to highlight where IT investment needs to go. Analysing the results of zero trust initiatives could uncover which areas of the business have more no code enthusiasts than others and why.  

Indeed, IT could work with enthusiasts to find verified solutions that have more impact. When you consider the transformations and process changes movements like this generate, it can be argued that these small instances could all add up to create real tangible change with regards to how functions work and perform. 

The best models put the ICT function at the centre to provide governance and consultancy. They provide a flexible set of building blocks for code, options for hosting and so on that the business units can use almost like Lego blocks to build localised business applications. In effect they become best-practice consultants to the business functions, ensuring the local business units know which short-cuts to use and which to avoid, and are leveraging the best practice that similar apps use.

This form of set up lets companies harness the horsepower, creativity and local budgets from the units, while keeping centralised standards and governance in place. Done well, it also contributes to having a leaner core ICT team.

A progressive framework, and approved building platforms, will also consider security testing, or better still have protocols that stipulate apps are built with a ‘DevSecOps’ mindset where security is built in from the start. An imperative for compliance and reputation. 

Business transformation is often viewed as a massive change that takes years to embed. The pandemic has proved the contrary. Plans to deliver digital change have been brought forward by years, especially in retail. The need for contactless business models was so urgent that business had to adapt and make the impossible happen.

But it’s also shown that employees are resilient and have many of the answers that the more corporate view of the business doesn’t have. Working with them to realise their ideas and need to be productive – wherever they work – could be just as transformative.

Ben Field, regional director UK&I, Radware

Ben Field is regional director for Radware's UK and Ireland region.