
You Can’t Opt Out of Citizen Development

To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.


Michael Bargury, CTO & Co-Founder, Zenity

May 16, 2022


A few months ago I had a conversation with the CISO of a multinational logistics company who told me that his company will never allow citizen development. “I see that the benefit could be massive, but we will never allow it,” he said.

This statement made perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies that are used to seeking strict controls over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.

In a follow-up meeting with that same CISO a few weeks ago, the conversation went in a very different direction. Marketing teams found their way around the CASB and started using no-code automation. Business applications teams started using Salesforce to streamline business processes rather than focus only on sales and customization. Employees all around the company were using Microsoft’s built-in platform to build custom applications in Teams. “Turns out, we didn’t get to choose. Citizen development is now a reality, and I am now expected to mitigate its security risks,” he told me.

This CISO is not alone. The world’s largest banks, retailers, and manufacturing companies are going all-in on citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.

How Low-Code/No-Code Platforms Find Their Way Into the Enterprise

To understand how organizations can transition from “low-code who?” to “business developers” in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at low-code/no-code platforms’ go-to-market (GTM) strategies.

1. Land-and-expand: Low-code/no-code platforms follow multiple paths into the heart of the business. The first and most obvious one is a top-down approach. In organizations where digital transformation is a strategic effort, senior management often looks for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular choices for digital transformation are low-code application platforms (LCAPs) and integration platform-as-a-service (iPaaS).

In the digital transformation scenario, an organization would typically set up a center of excellence (CoE) that starts off by finding key use cases that quickly produce business value. Think of business applications used to manage a giveaway campaign by HR, welcome vendors to your facilities, or facilitate IT equipment orders by employees. Even more importantly, the CoE serves as inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized team leading by example doesn’t have to be explicitly called a CoE. It can be the business applications team, the intelligent automation team, or the integration team, for example.

Once users start getting an appetite for applications that streamline business processes, the CoE’s backlog quickly overflows. It is at this stage that business users start building their own applications, either with guidance from the CoE or on their own.

Both LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their core growth strategy. While it’s easier to get through the door with a solution used by a centralized team, the value that can be realized grows significantly when low-code/no-code tools are placed directly in the hands of business users. Indeed, LCAP and iPaaS vendors are investing a lot in making their platforms easier for citizen developers to use. Slowly but surely, business teams across the organization become aware of these platforms and start to use them to get their job done.

This land-and-expand model is a win-win for vendors and customers alike. Centralized teams bring these platforms into the corporation and demonstrate their value, leading to business teams realizing their potential by addressing a wide range of business needs quickly, on their own.

2. Bottom-up (shadow IT): The marketing team at the aforementioned logistics company has been hard at work on a big conference. The company plans to make a few key announcements, with the intent to make it a big deal and generate lots of buzz. To translate this hype into leads, they want to set up a dedicated landing page with content optimized for conference visitors. The marketing team hires a vendor to build the page. In order to deliver quickly, the vendor uses a no-code automation platform to set up an email campaign and sync leads to the company’s CRM. The end result is a great conference experience, powered by a no-code automation platform connected to the company’s CRM.

In the rush of things, however, the CRM integration was set up with an administrator account shared with all developers on that account. At launch, only a few developers have access to the account, but after seeing the value, the whole marketing team is granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out about it after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or an opportunity to say no.

This is a typical story, where platforms are introduced directly by users to solve a specific problem, without security visibility or guardrails. Once inside, they continue to expand to additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been the hot GTM trend for the past few years.

Indeed, users are introducing these platforms because they actually solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are a common example. This is great for business productivity. However, over time organizations can find that their business-critical data and processes have slipped out from under the security umbrella.

3. SaaS becoming the new business cloud: Name your favorite corporate SaaS platform. Chances are, it’s a low-code/no-code development platform too, and your business users are already building with it. Don’t just trust me on this — I encourage you to check it out yourself.

In recent years, SaaS vendors have increasingly been shifting toward becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other leaders in SaaS have all introduced their own low-code/no-code platforms, embedded right into the products your business users are already using. Some vendors focus on if-this-then-that automation and others on custom application development, but all of them are reaching out to business users directly, empowering them to do more on their own.

Back in the previously mentioned logistics company, the CISO found out that users across the organization were using Power Platform, Microsoft’s low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gained access to resources on behalf of their Teams users to do useful things like set up calendar invites, send emails, or share SharePoint files. Doing so also inadvertently gave the application creators control over the identities of the application’s users, allowing them to impersonate those users through the applications. Like any application that gains access on behalf of users, that access could be used to do harm, either by malice or by mistake.
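The two failure modes in the logistics-company stories, an administrator credential shared with a whole team (the CRM integration) and apps that act on behalf of their users while their creators retain control over them (the Teams apps), can both be surfaced from an inventory of connections and apps. The following is an added example, not code from the article, Zenity or Microsoft; the inventory schema (`Connection`, `App`, the `mode` and `reviewed` fields) and all identities are constructed for illustration and do not correspond to any vendor's API.

```python
"""Governance checks over a constructed citizen-development inventory.

Two findings are produced:
  1. privileged connections whose credential is shared beyond its owner
     (the shared CRM admin account from the article), and
  2. unreviewed apps built on delegated connections, where whoever edits
     the app can make it act as each of its users (the Teams apps).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Connection:
    conn_id: str
    target: str            # system the credential reaches, e.g. "CRM"
    owner: str             # identity whose credential backs the connection
    privilege: str         # "admin" or "user" on the target system
    mode: str              # "shared": every caller runs as `owner`
                           # "delegated": the app runs as each end user
    shared_with: Tuple[str, ...]  # users allowed to invoke the connection


@dataclass(frozen=True)
class App:
    app_id: str
    creator: str           # citizen developer who can edit the app
    conn_id: str
    users: Tuple[str, ...]  # end users the app acts for
    reviewed: bool         # passed a security review of what it can do


# Constructed sample inventory (hypothetical identities, not real accounts).
CONNECTIONS: Dict[str, Connection] = {
    "crm-admin": Connection(
        "crm-admin", "CRM", "crm-admin@example.test", "admin", "shared",
        ("vendor-dev1", "vendor-dev2", "mkt-1", "mkt-2", "mkt-3", "mkt-4")),
    "teams-graph": Connection(
        "teams-graph", "Microsoft 365", "end-user", "user", "delegated", ()),
    "mkt-readonly": Connection(
        "mkt-readonly", "CRM", "mkt-1", "user", "shared", ("mkt-1", "mkt-2")),
}

APPS: Tuple[App, ...] = (
    App("conference-leads", "vendor-dev1", "crm-admin",
        ("mkt-1", "mkt-2", "mkt-3", "mkt-4"), False),
    App("calendar-helper", "alice", "teams-graph", ("bob", "carol", "dave"), False),
    App("expense-viewer", "erin", "mkt-readonly", ("mkt-1",), True),
)


def shared_privileged_connections(connections: Dict[str, Connection],
                                  max_sharers: int = 1) -> List[dict]:
    """Admin-level credentials that more than `max_sharers` people can invoke."""
    findings = []
    for c in connections.values():
        if c.privilege == "admin" and c.mode == "shared" and len(c.shared_with) > max_sharers:
            findings.append({"conn_id": c.conn_id, "target": c.target,
                             "owner": c.owner, "sharers": len(c.shared_with)})
    return findings


def creator_impersonation_exposure(apps: Tuple[App, ...],
                                   connections: Dict[str, Connection]) -> List[dict]:
    """Unreviewed apps on delegated connections: the creator can change what
    the app does, and the app does it as each end user."""
    findings = []
    for a in apps:
        c = connections[a.conn_id]
        if c.mode == "delegated" and not a.reviewed:
            findings.append({"app_id": a.app_id, "creator": a.creator,
                             "identities": len(a.users)})
    return findings


def identities_controlled(apps: Tuple[App, ...],
                          connections: Dict[str, Connection]) -> Dict[str, int]:
    """Per creator, the number of distinct users they could act as."""
    acc: Dict[str, set] = {}
    for a in apps:
        if connections[a.conn_id].mode == "delegated" and not a.reviewed:
            acc.setdefault(a.creator, set()).update(a.users)
    return {creator: len(users) for creator, users in acc.items()}


if __name__ == "__main__":
    for f in shared_privileged_connections(CONNECTIONS):
        print(f"shared admin credential: {f}")
    for f in creator_impersonation_exposure(APPS, CONNECTIONS):
        print(f"creator can act as app users: {f}")
    print(f"identities per creator: {identities_controlled(APPS, CONNECTIONS)}")
```

On the sample data the CRM admin connection is flagged because six people can invoke it as the owner, while the read-only CRM connection is not, since its credential is not privileged; the calendar app is flagged because it is unreviewed and its creator can make it act as three users. The `reviewed` flag is the point where a security team re-enters the picture: reviewing the app, or moving it onto a connection that runs with a narrowly scoped identity, clears the finding.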

SaaS vendors are pushing strong on low-code/no-code as a way to expand their business. They are using their advantage of already being at the fingertips of business users and are building app development platforms for their specific personas. This, again, is great for innovation and business velocity.

The Time to Act Is Now

With all of the different ways low-code/no-code finds its way into the enterprise, it’s becoming clear that organizations can’t just opt out of citizen development. Gartner has predicted that the number of active citizen developers at large enterprises will outnumber professional developers four to one by 2023. Other analyst firms have predicted similar numbers. Even if we end up having just one citizen developer per professional developer, can we really let that slip outside the security umbrella?

Instead, security teams should embrace low-code/no-code and help guide the new generation of citizen developers in line with enterprise requirements. The sooner this is done, the better.


About the Author

Michael Bargury


CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
