Amid volatile times and gloomy predictions for 2023, low-code/no-code (LCNC) adoption continues to grow rapidly. A recent forecast published by analyst firm Gartner predicts that low-code markets will grow 20% in 2023, with citizen development in particular growing 30%. While business units continue to go all-in on LCNC, security teams were mainly out of the loop until not long ago. This reality is quickly changing as LCNC becomes a business-critical infrastructure and as business developers build critical applications. Now security teams have to ensure that things were built correctly. This is a recipe for conflict.
As security teams we can't cover everything, so we make tough choices and focus on the business-critical. The by-product of that is that some business units get used to working without us. In many cases, that's fine. They go about their daily business; security is not involved because they aren't doing anything risky or critical enough. But then, one day, they succeed in creating critical applications. They make a big splash and are rewarded with the attention of the organization. Of course, this also comes with heightened security attention.
While this is a challenging situation, it's important to notice the fact that it's a good problem to have! Your organization has been successful, and you are getting a chance to build an entirely new security pillar from scratch and introduce new types of developers to working with the security team. You have the opportunity to establish things the right way. But how?
1. Start With Learning
First, understand the fundamental security challenges LCNC poses. Learn why other security teams are concerned about LCNC, and focus your attention on the most common risks to target first. By familiarizing yourself with the risks specific to LCNC, you will arrive at the conversation with business teams armed with knowledge that is highly relevant to the challenges they are having and be able to speak in a language that they will understand and relate to. You will also be able to focus on and drive the conversation toward the risks that are more relevant for your organization.
2. Understand the Business Context
Acknowledge the fact that the business units have been successful in bringing in this new technology and using it to generate meaningful value. Make sure they are aware that your involvement is itself an acknowledgement of their success.
Take the time required to learn what they have been doing so far. How are they addressing operations and management of the platforms? How do they handle application life cycle management? While they might have been able to succeed on grit and perseverance, when problems become complex enough, they will encounter areas where your expertise as a security professional would be tremendously helpful. Learning about their operations and struggles could help you find ways in which they could really use your guidance to solve critical issues or change a fundamental concept they got wrong.
3. Identify Opportunities to Help
Once you've identified areas where they could use your expertise, think about how you and the security organization could help address those challenges. Could you offer a security risk assessment? Could you help them figure out configurations? Permission management?
By identifying areas where you can help, you will also identify areas where you can apply controls. These challenges, which are much better addressed by a central security team with the right skills, will help the business solve problems that prevent them from moving forward while also allowing you to put guardrails in place.
4. Map Risk Hotspots
While learning about existing challenges, you must also build an independent understanding of the current risks in your environments. Use threat modeling and security assessments to gain visibility into security risk in the existing environment and its applications. Review existing development processes and assess their adherence to secure SDLC. Identify and treat cases that need urgent attention or security risks that could easily manifest into significant harm. With a clear distinction of the areas where risk is most acute, you will be able to focus your attention — and that of the business leaders — and get results faster.
5. Lay a Path Toward Enablement
Everybody worries about security, and in a big organization in particular, people are always concerned even if they don't actually do something about it. Business teams that have brought in and built on new technology without relying on central IT/security teams know that some risk is involved. They might have even made choices to restrict access or prevent usage of this or that useful platform feature, in fear of what might happen. One clear way to win the business' heart and mind is to help them unblock usage. Allow more people to build applications or use advanced and potentially risky features. With your security expertise, you can evaluate the security risk, identify compensating controls, and provide a path for them to expand usage, while elevating their feeling of responsibility and easing fear of a security issue.
Moving Forward Together
Change is never easy and will cause friction. With LCNC continuing to soar and business relying more and more on applications produced outside of IT on the one hand, and hackers targeting business on the other, security teams must assume their role as a guide that can help business teams innovate while not introducing new security risks.
By taking the time to consider the business' perspective, its previous success, and its challenges, security teams will be able to build mutual trust and articulate a way forward that demonstrates a win-win for business innovation and security guarantees.