
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Embracing the Next Generation of Business Developers

Security teams that embrace low-code/no-code can change the security mindset of business users.


Michael Bargury, CTO & Co-Founder, Zenity

October 24, 2022


Security teams constantly strive for mindshare and alignment within the business. Seasoned security leaders often describe how security needs to serve the business and how it depends on business buy-in about the importance of security to succeed. As a result, security teams invest a lot in raising security awareness, educating business users, and explaining why security is crucial to the business and cannot succeed without business users.

Without buy-in from business leaders, security teams can apply security measures only through formal gates, enforced controls, and corporate policies that, without proper communication, can often cause frustration and end up making the business buy-in problem worse. When business teams see security as a business-enabler, however, the conversation changes completely. People reach out to security to get input early on in the process, and security teams can focus on helping teams assess where to invest their security efforts.

This dynamic is so fundamental to organizations that often security leaders focus most of their efforts on building relationships with business leaders to get that executive buy-in. In the best cases, that also translates to bringing business units and security teams closer together. With this lens, we can see just how important and transformational DevSecOps is. Suddenly, development teams more easily collaborate and even sometimes lead the effort for better security. The indirect effect of having more people — that is, developers, not just security professionals — thinking with a security mindset can be transformational to the ability of the security team to make big strides forward.

An organization where lots of developers understand and push for security in their day-to-day work is far more likely to go along with large security projects like rolling out a new identity system or applying zero trust, even though those might require some patience from users during implementation. This indirect effect could end up being much more important than the fact that we now have automated security tests as part of the CI/CD pipeline, even though those are important as well.

Bringing Developers Closer to the Security Mindset

One possible explanation for the success of DevSecOps is the value of automation. Whether it’s through catching syntax errors, identifying an insecure dependency, or detecting hard-coded secrets, automated security testing helps developers achieve more in less time. The argument that automation is the reason why developers are jumping on the security bandwagon seems to imply that developers always saw the importance of security but lacked the resources to act on it.

While automation is extremely helpful, I find that the change in mindset for some development teams is far greater than just a change in the resources discussion. More and more developers are seeing security as part of their responsibility, rather than the responsibility of someone else.

There is a bigger shift here than just a reduction in the cost of applying good security practices. Security teams started talking to developers in the language of developers, rather than the language of security. This is a crucial point. Instead of painting a beautiful picture of how security should work, DevSecOps shifts the conversation to a much more practical one: How do we make one step forward to where our developers actually are?

Note that the goal remains the same — guiding developer teams toward a beautiful picture of how security should work. However, crucially, we start off at the practical side of the discussion and help guide every step of the journey rather than describe a future that seems far away or even impractical.

By shifting the security conversation to the language of developers and meeting them where they are, security teams and developers now share a security mindset, which helps with both day-to-day operations and the large security strides forward that require developer buy-in.

While the success with developers is important, security still struggles with getting mindshare for a much larger portion of corporate employees, namely business users. Can we apply lessons learned from DevSecOps to bringing business users closer to security?

The Times They Are A-Changin’

In recent years, business units have been experiencing a tectonic shift brought forth by low-code/no-code platforms. By gaining the skills required to facilitate business processes or create custom applications on their own, business units have drastically reduced their reliance on IT and continue to accelerate digital transformation. Leading analyst firms predict that most enterprise applications will be developed using low-code/no-code by 2025, and surveys reveal that business users are already a large part of — and in some cases, the majority of — low-code/no-code builders.

The trend of business users becoming builders can be both a challenge and an opportunity for security teams. If left outside of security’s perceived scope of responsibility, it will lead to a significant growth in shadow IT. However, it also presents an unprecedented opportunity to cultivate a security mindset with business users. If DevSecOps made developers more security-aware, an equivalent for low-code/no-code could do the same for business users. As with developers, the fundamental change of bringing business users closer to the security mindset would mean drastically increasing security mindshare across the organization. Low-code/no-code presents a unique security awareness opportunity.

When trying to capture the security awareness opportunity that low-code/no-code presents, we should apply the lessons we learned from DevSecOps by meeting business users where they are. The low-code/no-code development process significantly differs from pro-code DevOps. Many business users nowadays are building their applications and automating their processes with low-code/no-code. Security teams should familiarize themselves with those platforms and their development processes, and learn how to talk about security for such purpose-built applications in the native language of business development.

Low-code/no-code is so dominant with business users that it is already being used for business-critical applications within many organizations even if their security teams don’t know about it. With analysts predicting that 70% of new enterprise applications will be built with low-code/no-code in three years, it is apparent that we have a unique window of opportunity to affect the way that these applications will get built. But even more importantly, this is an opportunity to influence the next generation of developers — namely business users — and the way they will think about security and their roles in it.


About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
