Addressing Citizen Developer Security Concerns
The average cost of a data breach in 2022 is $9.44 million.
Most organizations will experience a data breach (84%) and nearly half of those will happen in the cloud (45%).
Forrester predicts that in 2023, “citizen development will lead to a headline security breach.”
While citizen development can position organizations to scale application development without overworking IT teams, there are security concerns.
We’ll dive into what those concerns are and how to prepare your organization.
That way, you can unleash the full potential of your citizen development program.
Growing Citizen Developer Security Concerns
Low-code applications now support critical business functions in many organizations.
The appeal of scaling application development with limited resources has accelerated the adoption of low-code tools by organizations globally.
Now that nearly 39% of businesses use low-code to empower developers outside of IT (and another 27% plan to do so by the end of 2023), businesses need to be prepared for what this means inside their organization.
Especially from a security standpoint.
While many low-code tools rely on cloud-based infrastructure for added security, they’re not invulnerable. Also, most security breaches are a result of human error. In short, it’s not that low-code apps lack cybersecurity features, it’s that the employees can use them in a way that invites security breaches.
It’s important to remember that citizen developers aren’t professional developers. They’re full-time employees that build applications outside of IT departments.
This means that you cannot assume your citizen developers fully understand proper IT security protocols without training. Nor can you assume they’ll know how to properly connect the apps they build to existing business systems securely.
How to Ensure Your Citizen Developers Remain Secure
Low-code platforms leverage cloud infrastructure to provide increased security.
But they’re not invulnerable.
Left unchecked, citizen developers can build applications with weak points that outside parties can exploit. Risk to your business increases. And the fallout can be devastating (both from a financial and a brand perspective).
Here’s how you address and mitigate the security risks from your citizen developers.
Establish Governance Framework
Creating a robust and secure citizen development program starts with governance.
Start by evaluating the low-code tools that your organization uses or is considering using. Dive deep into the platforms. Assess their security features, capabilities, costs, and support. Compare platforms. Read reviews. Speak with vendors.
There are over 220 low-code tools on the market.
Your IT team needs to pick the best one for your organization.
Next, outline how your IT and security teams will provide governance. They need to map out the processes and workflows for citizen developers to create applications and collaborate.
You need to understand the limitations and capabilities of your citizen developers. They are end-users, not professional developers. Some will be more tech-savvy than others. And they’ll come from a range of backgrounds with different needs.
From there, you need to decide on qualifications for selecting citizen developers. Not everyone is suited for the role. You need to work with team members you can trust.
Your IT team will also need to determine how your citizen developers will use low-code tools.
You’ll need to figure out who is creating what.
Creating a Tiered-Access System
Shell’s Do-It-Yourself (DIY) Citizen Development Program is a great example of security guardrails.
They divided the types of applications into three categories, green, amber, and red:
- Green (Full DIY): Anyone can develop solutions.
- Amber (Partnered DIY): Developers must collaborate with specialists or upskill into departments before building solutions.
- Red (Professional Development): Only professional developers can create apps for these business areas.
Throughout the year, Shell audits a collection of applications from each category. The goal is to ensure teams carry out the proper risk assessment and monitoring.
They also regularly coach developers on how to run these assessments and keep applications compliant.
The need for security guardrails increases exponentially when citizen developers move from creating applications for themselves to creating applications others will use.
You cannot assume citizen developers will focus on security when creating apps.
IT teams working with business leaders should create security guardrails for citizen developers. The guardrails should empower citizen developers to innovate while keeping them safe.
The guardrails should determine what data citizen developers can access, use, and share. They should clearly outline policies and procedures for application development.
Your citizen developers should understand that security teams dictate security guardrails and they are not allowed to override these.
Apply Zero-Trust Principles
Never trust. Always verify.
Consider applying zero-trust principles to citizen development applications. Your team should validate users continuously through authentication, authorization, and security configuration checks before granting access to resources.
Restrict user access to the essential resources citizen developers need to create applications. Doing so minimizes security risks. By adopting an "assume breach" mindset, you'll restrict lateral movement in case of a breach.
Manage APIs Effectively
APIs without adequate security measures are prime targets for cyberattacks. An API strategy ensures the applications citizen developers create don’t compromise the security of other systems.
With proper access controls and authorization mechanisms in place, your citizen developers can only access and manipulate the data they are authorized to use. This reduces the risk of accidental data exposure or misuse.
In some cases, it may be better to work with citizen integrators. These are a subclass of citizen developers that specialize in integrations.
Your API strategy will enforce consistent security practices across all applications. As a result, it’ll be easier to monitor and audit applications for security issues.
For your citizen development program to succeed, your citizen developers need to work with (not against) your IT and security team.
With everything above in place, you need to give your citizen developers the freedom to innovate. Security should not be positioned as a bottleneck. Otherwise, you’ll lose the core value of citizen development: building applications quickly.
By getting your citizen developers and IT teams on the same page, you'll ensure future apps are secure. Meeting regularly, for example, keeps everyone aligned.
At the same time, your IT and security teams need to see citizen developers as an extension of their departments, not a replacement. Pushback against citizen development happens either because people feel they’re being replaced or they’re worried it will create more work.
Getting your citizen developers to collaborate with IT and security teams will show them that neither of those is the case.
In fact, they’ll learn that citizen developers can reduce their workloads.
Resources and Upskilling
Technology changes rapidly. Citizen developers need to stay current. They also need to understand best practices for application development and security policies.
In short, citizen developers (like professional developers) need to upskill continuously.
You want to give your IT teams and citizen developers access to low-code resources and training. You also want to encourage both groups to experiment with the tools.
For citizen developers, it's important that they stay current on security policies for application development. They'll also need time with IT and security teams, who can explain complex security protocols and policies to them.
Depending on the type of business, citizen developers may also need to learn industry compliance and regulatory requirements.
Use an Enterprise App Store
Enterprise App Stores provide a consolidated view of the applications in your organization. This makes it easier for your team to audit security features. Plus, you can also thoroughly monitor apps within the organization. If your team finds unusual patterns of activities, they can investigate immediately.
Apps in the enterprise app store have to go through rigorous security checks before publishing. This ensures they meet organization standards. Plus, you can ensure users always have the latest, most secure version of an app, further enhancing the organization's security posture.
Enterprise App Stores make it easy to manage app access. You can choose which teams have access to which applications, reducing the chance of unauthorized access or data misuse.
As an added benefit, it can help reduce Shadow IT, which can still arise with low-code tools if development goes unchecked.
Conduct Regular Security Audits
If your organization has already started deploying low-code apps outside of IT oversight, it’s important to have your developers audit those tools.
Security audits shouldn’t be one-and-done, either.
Low-code tools are accessible. And the main benefit of citizen developers is that they can use these tools independently.
As a result, an approved app can change over time. Citizen developers may add new features, connect other applications, or change the functionality of the app. This can weaken its security over time.
Without regular audits, these vulnerabilities can go undetected until there is a security breach.
Don’t forget that security procedures can change over time, too. New technologies present new difficulties to manage. Old technologies become dated (and weaker) over time.
Regular audits keep your infrastructure secure.
You should give your security teams time to evaluate new applications built by citizen developers. They should also have time to audit existing applications at intervals.
Additionally, your security teams need to share findings with citizen developers and coach them.
Acknowledge Risk From Professional Developers
It’s important to remember that security breaches happened before citizen developers.
In fact, 88% of data breaches are caused by human error.
While IT professionals are less likely to be the cause of a data breach, it’s important for them to remember they are not immune.
As IT teams work with citizen developers to reduce security risks, they should also apply the same processes to their application development.
How to Keep Your Citizen Developers Secure
Citizen development is on the rise.
The ability of citizen developers to help reduce IT backlog has encouraged more organizations to explore moving application development outside IT.
It’s not slowing down anytime soon.
And it shouldn’t.
Organizations should embrace team members who are eager to improve processes. At the same time, they should have a citizen development program ready to provide support.
Without it, your citizen developers will do more harm than good.
The challenge is finding the time and experience needed to set it up properly.
At Quandary Consulting Group, we help clients create, deploy, and manage citizen developer programs. As leaders in the space, we lean on experience with low-code tools to design a Center of Excellence (CoE) for citizen developers within your organization.
Whether you need help managing citizen developers or expanding your existing program, we can help.
Or, see how we’ve helped our clients in the case studies below.