In a recent report, Forrester analysts warned of a looming major security breach at a large enterprise in 2023 rooted in business users using low-code/no-code (LCNC). The first part of this prediction is, unfortunately, a shared industry assumption: It would be surprising if we had an entire year without major headline security breaches. But the second part — forecasting that this major breach would be the result of business users, aka citizen developers, using LCNC — is an extraordinary attempt to wake up the security community before it's too late.

This prediction is so powerful since it comes in strong contrast to the tendency some security teams have to treat apps built by business users as toys or POCs rather than critical infrastructure. This assumption, warns Forrester, is wrong and will lead to dire results. In recent years, LCNC has become a reality in the enterprise, and business users have been building impactful apps that large organizations now rely on — with or without the security team's knowledge.

To understand why Forrester is issuing this warning, we must unpack its underlying assumptions. Doing so will show that it is full of new information about the analysts' reading and assumption of the market, which the reader is free to evaluate.

When a Security Breach Becomes a Major Headline

Consider the factors it takes for a security breach to become a major headline. First, obviously a breach needs to occur. While this assumption is trivial, note that it relies on an underlying assumption that hackers are focusing their efforts on LCNC apps and finding success in breaking them. For hackers to focus their efforts on LCNC, the perceived reward needs to be big enough compared to the perceived difficulty — which means hackers must be convinced that LCNC holds significant business data or facilitate important business workflows for them to be a worthy target. Success in breaching LCNC apps means that hackers can exploit either platform or app-level vulnerabilities to own these apps. 

Since business users are not security experts and often lack guidance, this is unfortunately an easy assumption to make. In fact, in a case documented by the Microsoft Detection and Response team, an APT group used live-off-the-land on some LCNC to remain hidden and persistent within a multinational organization for more than six months while defenders were actively trying to kick them off. In another case last year, a simple misconfiguration resulted in almost 40 million confidential records being exposed to the Internet.

Second, the breach must involve business-critical apps or data; otherwise the story just won't be as interesting for a major headline. The criticality of the app or data needs to be rooted in the business' value proposition for it to be obvious to every external security practitioner that this will have significant business impact on the breached company. LCNC and citizen development has grown significantly in recent years, delivering on its promise of empowering business users to address their own needs. Business-led development has become a strategic initiative in some organizations. Many large organizations have a dedicated group of admins who manage and operate these LCNC citizen development platforms, which are sometimes called Centers of Excellence.

Third, the breach needs to be detected. A breach could be announced publicly by hackers willfully publishing it to hurt the breached company or push the company to yield to the hacker's demands. It could also be detected inside the breached company if business-critical apps have stopped working or security teams have identified it. In any case, breach detection comes seven months after hackers had their initial successful access, on average. Doing the math, and considering the predicted headlines are to come in 2023, this means that hackers may have already breached business-critical LCNC apps.

Lastly, and again trivially, the breach needs to be publicized. Of course, any organization that suffered a major breach would be happy if the news of its unfortunate event did not reach major news outlets. Assuming that the breached organization would work against it, and that not all major breaches are reported on, this means that next year should bring far more than one major security breach resulting from business users building with LCNC.

Unpacking the Forrester prediction for 2023 reveals a set of assumptions about the world we live in now. Business users are building business-critical apps with LCNC. Hackers are acutely aware of and have probably developed dedicated tools and exploits to breach such apps across the industry. Some security teams are probably dealing with a detected breach at this very moment.

Why We Should Be Happy About the Prediction

While discussing a predicted major breach feels gloomy and pessimistic, the larger message is positive: Business users are succeeding in moving the needle in the enterprise using LCNC and solving problems on their own.

There has long been a gap between business users who can articulate the problems they need solved to do their job better — thus making the business stronger — and IT teams that are failing under the pressure and have limited capability, which renders them unable to meet most of those requirements. LCNC is the latest development trying to bridge that gap by empowering business users to address their problems as they see fit. The business empowerment goal, part of IT decentralization, has been pursued by endless innovation waves, including productivity tools like Office, application generators, visual coders, and lately RPA and LCNC. As we saw above, this prediction is predicated on the amazing fact that LCNC is actually succeeding in empowering business users, and that they in turn succeed in changing business outcomes.

Like every new technology, LCNC comes with a new set of challenges. While we've been successful at leveraging LCNC for business impact, we haven't been as good at making sure those apps, the identities they use, and the data they handle are secure. This will not be an easy task, as security teams are not used to monitoring and guiding business users and the apps they develop. However, our role as security teams is to enable the business, and the business clearly shows it wants LCNC.