No One Wants to Be Governed, Everyone Wants to Be Helped
Here's how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Michael Bargury, CTO & Co-Founder, Zenity
January 23, 2023
Amid volatile times and gloomy predictions for 2023, low-code/no-code (LCNC) adoption continues to grow rapidly. A recent forecast published by analyst firm Gartner predicts that low-code markets will grow 20% in 2023, with citizen development in particular growing 30%. While business units continue to go all-in on LCNC, security teams were mainly out of the loop until not long ago. This reality is quickly changing as LCNC becomes a business-critical infrastructure and as business developers build critical applications. Now security teams have to ensure that things were built correctly. This is a recipe for conflict.
As security teams we can't cover everything, so we make tough choices and focus on the business-critical. The by-product of that is that some business units get used to working without us. In many cases, that's fine. They go about their daily business; security is not involved because they aren't doing anything risky or critical enough. But then, one day, they succeed in creating critical applications. They make a big splash and are rewarded with the attention of the organization. Of course, this also comes with heightened security attention.
While this is a challenging situation, it's important to notice the fact that it's a good problem to have! Your organization has been successful, and you are getting a chance to build an entirely new security pillar from scratch and introduce new types of developers to working with the security team. You have the opportunity to establish things the right way. But how?
1. Start With Learning
First, understand the fundamental security challenges LCNC poses. Learn why other security teams are concerned about LCNC, and focus your attention on the most common risks to target first. By familiarizing yourself with the risks specific to LCNC, you will arrive at the conversation with business teams armed with knowledge that is highly relevant to the challenges they are having and be able to speak in a language that they will understand and relate to. You will also be able to focus on and drive the conversation toward the risks that are more relevant for your organization.
2. Understand the Business Context
Acknowledge the fact that the business units have been successful in bringing in this new technology and using it to generate meaningful value. Make sure they are aware that your involvement is itself an acknowledgement of their success.
Take the time required to learn what they have been doing so far. How are they addressing operations and management of the platforms? How do they handle application life cycle management? While they might have been able to succeed on grit and perseverance, when problems become complex enough, they will encounter areas where your expertise as a security professional would be tremendously helpful. Learning about their operations and struggles could help you find ways in which they could really use your guidance to solve critical issues or change a fundamental concept they got wrong.
3. Identify Opportunities to Help
Once you've identified areas where they could use your expertise, think about how you and the security organization could help address those challenges. Could you offer a security risk assessment? Could you help them figure out configurations? Permission management?
By identifying areas where you can help, you will also identify areas where you can apply controls. These challenges, which are much better addressed by a central security team with the right skills, will help the business solve problems that prevent them from moving forward while also allowing you to put guardrails in place.
4. Map Risk Hotspots
While learning about existing challenges, you must also build an independent understanding of the current risks in your environments. Use threat modeling and security assessments to gain visibility into security risk in the existing environment and its applications. Review existing development processes and assess their adherence to secure SDLC. Identify and treat cases that need urgent attention or security risks that could easily manifest into significant harm. With a clear distinction of the areas where risk is most acute, you will be able to focus your attention, and that of the business leaders, and get results faster.
5. Lay a Path Toward Enablement
Everybody worries about security, and in a big organization in particular, people are always concerned even if they don't actually do something about it. Business teams that have brought in and built on new technology without relying on central IT/security teams know that some risk is involved. They might have even made choices to restrict access or prevent usage of this or that useful platform feature, in fear of what might happen. One clear way to win the business' heart and mind is to help them unblock usage. Allow more people to build applications or use advanced and potentially risky features. With your security expertise, you can evaluate the security risk, identify compensating controls, and provide a path for them to expand usage, while elevating their feeling of responsibility and easing fear of a security issue.
Moving Forward Together
Change is never easy and will cause friction. With LCNC continuing to soar and business relying more and more on applications produced outside of IT on the one hand, and hackers targeting business on the other, security teams must assume their role as a guide that can help business teams innovate while not introducing new security risks.
By taking the time to consider the business' perspective, its previous success, and its challenges, security teams will be able to build mutual trust and articulate a way forward that demonstrates a win-win for business innovation and security guarantees.
About the Author
CTO & Co-Founder, Zenity
Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.