The modern enterprise is a software business. It doesn’t matter what size the business is, or what industry it is in: there’s a near 100 per cent chance it is relying increasingly on data and software to get work done. In fact, global spending for enterprise software is growing 8 per cent annually and will reach £488 billion by 2023. That’s up from roughly £296 billion in 2017.
Couple that trend with the rise of the “citizen developer” (those who build software using rapid development, low code, and even “no code” development platforms) and it’s plain to see how it’s become increasingly common for business users to start to develop some of the software and app functionality that they need. These tools have become so straightforward that people who never would have coded before, such as those in marketing or sales, are now developing apps.
This can take a huge burden off enterprise software development teams who are under pressure to build those apps and gain insights from their data. This is because the need for software continues to drive application backlogs to new lengths. In a typical enterprise, if a team needs a small but useful app, they had better be prepared to wait patiently for it to be built. With citizen developers, teams can build more apps on their own.
Of course, nothing comes without a cost, and citizen developers add a new element of potential risk to enterprises. Notably, they may inadvertently expose data through mistakes in code or configurations. They may unknowingly mishandle regulated data and data containing personally identifiable information. While these aren’t the most obvious risks that come to mind when one thinks of the insider threat, they are risks nonetheless and need to be managed. In fact, insider threat is one of the largest unsolved issues in cybersecurity according to McKinsey. Half of breaches between 2012 and 2017 involved insiders. Of that set, 44 per cent were attributed to non-malicious insiders.
So how do enterprises manage the citizen developer and harness the positives while mitigating the potential negatives?
Some organisations will try to put the kibosh on citizen development, and try to force all development to go through the sanctioned channels within IT. This is not a feasible strategy. First, the application backlog in these organisations will continue to grow, and with that the organisation’s productivity and ability to compete will decline. Further, with developers in such high demand and tight supply, the organisation is unlikely to be able to hire the talent it needs to close the gap.
Partner with citizen developers
To avoid longer app backlogs, organisations will want to partner with citizen developers. This is much more realistic than trying to stop them in their tracks. Today, not only is every company a software company, but everyone is a “developer” in their job, whether they are customising SaaS apps, making workgroup databases, scripting certain repetitive tasks, or, increasingly, managing robotic process automations.
Savvy enterprises will embrace their citizen developers and provide the resources to support them, such as standardising on a low code platform that can be properly managed and, when and where appropriate, partnering citizen developers with professional developers. Also, the projects citizen developers work on are fertile ground for innovative ideas, since they show where staff are seeking to be more productive. Some of these ground-up efforts will prove worth putting more resources behind.
Reject the negative citizen developer stereotype
For whatever reason, citizen developers are too often viewed as “less than” by some developers and IT people. They believe developing software is something that should be done only by professionals: those steeped in years of training and apprenticeship in the art, craft and engineering aspects of development. While all of that is certainly necessary to develop many of today’s complex apps and manage infrastructures, it’s no longer true of every app. There have always been rapid development platforms, but the new tools that enable virtually anyone to swiftly build apps and manipulate data are a new thing. These apps provide value and take pressure off stressed teams. Citizen developers are one way to help bridge that gap.
Train citizen developers on security
Organisations need to put the right resources and tools in the hands of citizen developers. This should include training on topics such as the value of enterprise data, and not just regulated data but the intellectual property data that makes the enterprise run and grow. And by training them on application security basics, enterprises make it much more likely that the right controls are put in place to ensure data security. There doesn’t need to be a big investment in the creation of training materials; oftentimes this information is made available by the low code platform makers. All an organisation has to do is package it and make it available to their staff.
Ongoing application governance
The risk is that, by embracing citizen developers, chaos reigns and the enterprise loses control of its applications and data. This won’t be the case if the enterprise has proper governance in place. The organisation has to look for apps that are in use and make sure that each app and its functioning are appropriate. The IT team should be working with the business units to make sure this is the case. Because of the training, citizen developers should be aware of the controls necessary for personally identifiable information, regulated data, and intellectual property. Of course, relying on that awareness alone is an unreliable plan, so it is crucial to continuously monitor and assess, as well as audit business units on the apps and tools they use.
Ongoing data governance
Keep in mind, these citizen developers don’t need to be made security or IT experts; they primarily need to be made aware of the issues so they can avoid novice mistakes. And they need to be prompted to notify IT about the apps they build so that the data can be properly managed, secured, backed up, and included in disaster recovery programs. There’s nothing worse than when an organisation suffers an outage and cannot access critical applications because those applications were built rogue and aren’t backed up. When everyone is communicating, these things don’t have to happen.
Organisations that encourage citizen developers will be more productive, alleviate application backlogs, and as a whole take stress off their software development teams. And if they do it with the right data security approach, they won’t be any more likely to suffer security issues as a result.
Rob Juncker, SVP Research & Development and Operations, Code42