Presented by Smartsheet

Low-code tools are making it easier for citizen developers to create custom business apps that improve productivity and agility. But do they put an organization at risk?

Business users have traditionally relied on IT personnel who can write code or manage complex administration tools to build, configure, and modify applications for their specific needs. However, faced with an increasing number of projects and the shrinking number of available developers, IT departments are forced to establish a cut line. As a result, many valid project requests from business units never see the prioritization light of day.

Some companies have responded by teaching their non-technical personnel to code. This do-it-yourself development theme is being catered to by a slew of software vendors under the moniker of “citizen developer” — employees without formal programming training or experience who create apps outside of IT. With minimal coding skills, the thinking goes, non-technical knowledge workers can become citizen developers and (hopefully more quickly) design or configure new applications.

In theory, the citizen development movement can bring positive impact to businesses by:

  • Bringing new capabilities and custom apps online quickly
  • Empowering knowledge workers to build technical workarounds to problems, increasing organizational speed and agility
  • Taking pressure off of stretched thin IT departments, freeing them up to focus on bigger projects

Yet, citizen development also complicates matters.

There’s a real threat of novice programmers, without formal training and certifications, hacking solutions that leave vulnerabilities in the wake of new apps. This means more work for enterprise security teams who need to come in and patch vulnerabilities when a hack fails.

Andrew Townley, CEO of Archistry, an IT, business, security, and management consultancy, notes: “Citizen developers are actually a double-edged sword. On one hand, they can support the enterprise IT department by developing business-critical applications that truly enable the business. On the other hand, they often do so in relative isolation of the enterprise IT strategy, meaning that prior oversight and management of applications that eventually become critical to the business is nearly impossible.”

The citizen developer: What can go wrong?  

Consider one anecdotal case recently cited in CSO. Security director John Britton of VMware was asked to clean-up a shadow IT application that had been deployed at a business. Britton noted that the “citizen developer” who created the application tried to include security in the form of usernames and passwords properly hashed in a database. However, no “forgot-my-password” function was provided.

The result: Frequent requests for manual resetting of passwords flooded into the citizen developer, so he removed the password hash function and passwords were then stored in the clear. Anyone with access to this database potentially had access to employee passwords.

There can also be risks around sufficient support, enhancements, and knowledge transfer. Townley points out, “What happens when Sally finds a job at a new company and she’s the only one who understands the whole application that supports a key business process because she developed it? It’s highly likely that nobody will remember to get her to do a debrief of the application as well — assuming there’s someone on the team willing and able to take it over.”

Phillip Dennis, founder and principal of Watkyn, pointed out the knowledge transfer risk when the citizen developer is the only person in the organization who understands the design and maintenance of the app. To mitigate that risk, Dennis suggests requiring code commenting and documentation.

The road ahead: No-code platforms

What business users need — and what organizations should focus on identifying and implementing — are high-value applications that are intuitive and enable business users to incorporate business logic without the need to write custom code or engage IT developers. The goal is to benefit from subject matter expertise without the need to overburden already stretched IT teams, and to reduce unnecessary risk.

Alan Lepofsky, VP and Principal Analyst at Constellation Research explains: “Traditionally, knowledge workers had to rely on their IT department to develop and deploy applications. This can often be a lengthy and expensive process. But now the rise of low-code and even no-code solutions, which enable ‘non-developers’ to use drag-and-drop to add fields, buttons, and basic programming logic to forms is enabling people to create applications to assist in their own business processes.”

Lepofsky adds, “While these new solutions are easy to create, a level of control is still required, so that areas like corporate branding, compliance, and governance aren’t overlooked.”

If your organization already has citizen developers you can work with them to evaluate platforms — some popular ones being  Smartsheet, Quickbase, and AppSheet — that deliver ease-of-use and flexibility to business users, along with the necessary controls to reduce organizational risk.

Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact