The no-code approach has changed the nature of software development. However, if you’re in IT, the idea of no-code apps being written without the involvement of professional developers may trigger some immediate concerns. How should enterprises prepare themselves for the shift toward no-code apps? Clearly, it’s not a good strategy to simply ignore potential risks. But at the same time, the no-code approach continues to grow. The best way to approach it is to have a clear plan and process in place.
Start by challenging the common assumption that all “shadow IT” is bad, and embrace the desire of non-technical employees to build apps for themselves. Shadow IT reflects the business’s continued drive for more innovation. Just keep in mind that a realistic governance model is essential for the process.
Let’s discuss the three Ps of a governance model for no-code: process, people, and platform.
If you implement too heavy a governance process for simple no-code apps, you run the risk of stifling innovation by imposing too many checklists on the building of simple apps. This defeats the underlying benefits of faster speed and agility of no-code. However, being too lax on governance for more mission-critical applications can run the risk of security issues, data breaches, or compliance risks.
We recommend formalizing a framework to help your teams avoid a one-size-fits-all mentality regarding no-code governance. This framework should evaluate your no-code project from three different dimensions: business (i.e., complexity of process and organization), governance (i.e., internal and external compliance with laws, guidelines, and regulations), and technical (i.e., how much assistance teams need from professional developers). Use a checklist to “score” the complexity of your app and selectively apply governance practices in a manner that scales based on complexity. You want to apply just the right amount of governance that doesn’t discourage business innovation, while balancing the need to appropriately control and secure apps.
The next dimension is people, which defines the organization for no-code delivery. Again, you want to scale your approach to be neither too small nor too large/complex. You generally categorize no-code development teams into three delivery models:
- “Do-it-yourself” is the simplest model, where all primary roles of the no-code project are contained within a team sitting inside a single business unit and a single sponsor. This makes the business highly autonomous and in charge of their own destiny.
- “Center of excellence” (or CoE) delivery is typically owned and led by a single overall cross-functional CoE leader. It has skilled knowledge workers whose mission is to maximize efficiency through consistent definition and adoption of best practices for no-code across the organization.
- “Fusion team” represents a multidisciplinary team comprised of both business and IT resources collaborating together. Typically, this is because of greater technical requirements and complexity. They may also be tapped to provide expertise around specific technical areas, such as security or DevOps.
These delivery models often evolve over time. The CoE and fusion approaches typically do not get formed immediately but emerge after the organization has started building some no-code expertise from multiple DIY projects and more technically challenging and mission-critical applications.
No-code apps run on an underlying no-code platform. It’s essential to be thorough in your diligence when selecting a no-code platform provider: understand the measures they take to maintain and harden their platform against security attacks and meet any necessary industry compliance certifications (e.g., GDPR, HIPAA, PCI DSS, etc.). [Editor’s note: The author’s company is one of a number of platform providers in this area.] The first time the no-code platform is implemented, plan for thorough security and compliance reviews to validate the platform. Subsequent governance checks to build individual no-code apps will likely be streamlined.
Work with your organization’s chief information security officer (CISO) and/or security department to create a no-code security checklist. This should identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance. The checklist should be applied by the business teams (and automated by a modern no-code platform) to provide a repeatable approach to security governance as they build no-code apps. The checklist should build upon the existing standards and practices within the organization, augmented with additional guidance from industry groups (like the OWASP Foundation), which are increasingly creating new checklists specific to low-code/no-code development.
Forward-leading business and technology leaders understand the value of no-code approach — and you should too. However, business teams that want to build DIY software need guidance with the right strategy that applies the “right amount” of governance.