How to plan for governing no-code at scale

No-code tools have become rapidly popular across enterprises. According to Gartner, by 2025 some 70% of new applications developed by enterprises will use low‑code or no‑code technologies. 

By democratizing the ability to develop software using visual and intuitive drag-and-drop tools, no-code enables a whole new range of non-developer roles within an organization to take on the building of software applications. The use of no-code tools increases the talent pool inside most organizations by allowing employees within the business itself to take on or assist in development tasks.

However, security and cyberattacks are simultaneously a critical concern for most organizations; the threats of a security breach have increased over the past several years as more organizations shift to hybrid work environments. In fact, 80% of security and business leaders now say that their organizations have more exposure to cyber threats today due to remote working. 

Preparing for no-code at scale

To a CIO or CTO, these two accelerating trends may seem like two trains racing headlong down the same track towards each other and facing an inevitable head-on collision. How do you embrace the many positive benefits of enabling business teams to accelerate their innovation with no-code without compromising the security of your business?  How do you help prevent the emerging teams of “citizen developers,” who have typically not been trained in security or governance practices, from risking a security breach or compromising sensitive corporate data?

Thankfully, you are not alone, and if you’re just starting down a no-code journey, you can learn from the many hundreds of customers that have already deployed no-code. In this article we present the top elements of an action plan that you can put in place to prepare your business to govern no-code at scale.

Standardize your no-code infrastructure

One of the common myths is that no-code should only be viewed as out-of-control “shadow IT” and should be stopped. Instead, the first step in your action plan should be to embrace the opportunity that no-code can provide and see this as an opportunity to get ahead of and proactive engage the business. 

Don’t try to fight the appetite for no-code to drive new innovation; instead, look to standardize its use.  One of the big advantages of no-code platforms is that they can provide a centralized, consistent infrastructure for business teams to build apps.

Rather than leaving each business team to custom develop their own apps unchecked (often referred to as “shadow IT”) on a myriad of different bespoke technologies, proactively enabling the business with a standard no-code platform can significantly improve adherence to security guidelines.

This is because it enforces a more consistent, managed way of building and deploying software. This actually can remove the likelihood for developers to accidentally write insecure code as they opportunistically build apps on their own tools or frameworks. Instead, the use of no-code enforces more consistent usage and app design patterns than traditional software development which reduces security risks. 

No-code technically a misnomer

It’s a bit inaccurate to say that there’s no code — a lot of code had to be written to build the no-code platform. However, it’s the responsibility of the no-code platform vendor to write, maintain and secure this code.

Therefore, it’s vitally important to be thorough in your diligence when selecting a no-code platform provider; make sure to understand the measures they take to maintain and harden their platform against security attacks or compliance breaches.

The first time the no-code platform is implemented, you should plan for thorough governance reviews to validate the security profile of the platform. However, security reviews on subsequent use of the no-code platform to build individual apps will likely be streamlined as they will follow a consistent pattern.

Implement a no-code governance checklist

It’s true that business teams and no-code creators are much less practiced in building apps. Unlike software developers, they are unlikely to have gone through training on application security or data sensitivity and will lack some of the prior experience of what to look for to help ensure proper levels of security and data protection are met.

The good news: This expertise does typically exist within your enterprise, as the organization’s Chief Information Security Officer (or CISO) and/or data governance teams will have defined a standard collection of processes and technologies operating at multiple layers that work together to help strengthen a company’s overall security profile.

So, as you begin to adopt no-code development, it’s important to engage with this expertise to create a no-code governance checklist. Developing this checklist should be a collaborative process between the various teams (security, audit, data governance) and the no-code team to identify governance-related issues, determine the level of risk associated with those issues and make informed decisions about risk mitigation or acceptance.

Critical aspects of no-code governance

Make sure that your checklist encompasses the four common types of governance you will encounter: 

1. External compliance checklists to assess compliance with external laws, guidelines or regulations imposed by external governments, industries and organizations.
2. Internal compliance checklists imposed by internal audit teams or committees to enforce adherence to rules, regulations and practices as defined by internal policies and access controls.
3. Security checklists to protect your corporate information resources from external or internal attacks.
4. Data governance checks to assess how sensitive corporate data is managed and secured. 

Your no-code governance checklist likely builds upon the existing standards and practices within the organization. Hence, industry groups (like the OWASP Foundation) are increasingly starting to develop new checklists that are specific to low-code/no-code development. 

Once you are aligned with your internal stakeholders on the checklist, the implementation of the rules should ideally not require technical skills — in fact, modern no-code platforms increasingly provide built-in automated governance practices and procedures that allow companies to set-up governance policies automation themselves, without 3rd party engagement or technical specialists. 

This allows the governance checks to be defined and applied by the business teams (and automated within the no-code platform) which will provide a standard approach to security and compliance as they build no-code apps.

Enable/support no-code teams via a CoE

As no-code is adopted more broadly across your teams, a common best practice is establishing a no-code center of excellence (CoE). This is often an evolutionary approach in most organizations, as project teams start to gain success and experience in using no-code across different parts of the organization.

The CoE may start small — sometimes with just one or two skilled resources — but can play a vital role in helping support the maturity of no-code delivery across your enterprise by establishing repeatable processes and best practices.

Supporting the consistent use of no-code security and governance practices is one of the key “value adds” that the CoE can provide to assist your no-code delivery teams, who themselves may not have a lot of experience in following or adhering to security guidelines. It’s important to apply these kinds of practices in a model though that scales — both up and down — based upon the complexity of the app.

Collaborative CoE and no-code business architects

Typically, the CoE may have the role of a no-code business architect that would have deeper knowledge of no-code security practices. They would likely be the one who has collaborated with the security team to build the organization’s no-code governance checklist (as outlined in the previous action plan step) and would be able to provide hands-on, practical support and engagement with the no-code delivery team to help them conduct a governance audit.

The no-code business architect would be responsible for engaging the delivery team to decide how detailed a security review is needed, based upon assessment of the business, governance, and technical complexity of the use-case and application.

Conclusion

In the dynamic and unpredictable markets we exist in today, our ability to compete, thrive and grow depends increasingly on continued innovation. Your business depends on it. Your employees embrace it.  Your customers demand it. 

If you don’t find innovative new ways to leverage software to enable your business processes, you’re at a significant competitive disadvantage against those who will. This is why business teams are hungrily adopting no-code tools to realize benefits of accelerating time to market and reducing the backlog of requests due to scarce IT and developer resources.  

However, as business teams charge ahead with embracing and adopting no-code to build apps, be prepared for IT to raise concerns on security and data privacy breaches. However, instead of fighting no-code, seize the opportunity to offer the business new solutions for building apps while simultaneously implementing controls and governance to ensure proper use.

Modern generations of no-code platforms offer the full range of governance and reporting capabilities needed to ensure that apps built will have the ability to be monitored for compliance and security.

By adopting a standard set of tools for building apps that are business-friendly, you can realize the full benefits of a standard no-code platform that is “blessed” by IT and reduces the risk of security breaches within your enterprise.

Katherine Kostereva is founder and CEO of Creatio.