Low-code and no-code solutions can be a double-edged sword for the enterprise, offering a faster path to automation while empowering individuals outside the traditional walls of IT to take innovation into their own hands. These tools represent a new (albeit familiar) strategy for third-party involvement at the corporate level, helping to drive digital transformation in all areas of the business. But they also invite a mix of experts (and non-experts) into the once closely-guarded fray of custom application development, which should give any security-minded members of the C-Suite pause.

This democratization of development has the potential to be a boon, lowering the barrier to entry for forward-thinking citizen developers to start creating their own point-specific solutions. After all, the scope of traditional corporate IT encompasses the whole organization, and a chronic lack of developer talent spreads these teams thin in driving innovation equally across the business. With cost-effective, low-code and no-code services, enterprises can instead offload the coding aspect of application development–if not supplant it entirely–while enabling non-coders to leverage their specific subject-matter expertise for new, innovative applications. 

But as any CISO can attest, the risk often outweighs the benefit when non-IT stakeholders are allowed heavy influence over the enterprise tech stack. Shadow IT hasn’t gone anywhere, despite the term losing a bit of buzzworthiness since peaking as a hot C-Suite topic at the start of the pandemic. Workers may have started returning back to the office, but legacy, on-premises solutions aren’t being re-adopted–nor have the cloud-delivered solutions that enabled flexible, work-from-anywhere being forsaken. 

While it’s not fair to conflate low-code and no-code tools for Shadow IT, the concerns of the ladder haven’t dissipated as the benefits of the former have, arguably, been put on a pedestal. It’s not altogether surprising, either, as the same factors that drove a major shift in workforce dynamics have forced businesses to embrace optimization and digital transformation as a topline mandate. 

Driving digital transformation at any cost?

Look no further than the rapid decentralization of corporate networks that came about as a necessity when physical offices closed in 2020. Businesses that hadn’t migrated some operations to the cloud, for instance, or developed enterprise maturity around remote access via VPN or SD-WAN felt the sting acutely when the pandemic forced them to change gears. 

As a result, many of these businesses were forced to embark on rapid digital transformation that left a lasting impact on how the C-Suite prioritized innovation: If there’s another world-changing event akin to the pandemic, enterprises need to be ahead of the curve, not resting in a reactive posture that diminishes their market value. 

But this rapid, pandemic-induced, global digital transformation elevated the conversation around Shadow IT markedly, as the remote workforce underlined how little control corporate IT teams had in protecting legacy enterprise systems in a work-from-anywhere world. When employees access corporate networks directly over the internet (DIA) –that is, without VPN, SASE, SD-WAN or other software-defined access protocols–there are already a litany of potential threats that can come from traditional cybersecurity concerns (ie. usurped firewalls). 

It’s when IT teams aren’t able to supply the workforce with the tools and protections they need to work effectively in a digital-first world that non-IT will start taking matters into their own hands. If a corporate-licensed Microsoft Teams account constantly fails to deliver jitter-free conferencing, for instance, users may just deploy their own non-corporate Zoom to connect with co-workers in a pinch.

This only scratches the surface when it comes to the potential for dangerous data sharing when employees are using non-approved collaboration software, for instance, or even sharing files over non-corporate email accounts or cloud drives. The reason many workers pursue Shadow IT like this in the first place is because the corporate-approved solutions are inadequate. The pandemic put existing inadequacies on blast and ultimately paved the way for more democratized IT decision making–if not outright a call for citizen developers. 

Why low-code and no-code is different from Shadow IT

This is the moment where it’s important to draw a baseline distinction between Shadow IT and true low-code/no-code tools. While Shadow IT is generally a secretive endeavor (whether or not intentionally), low-code and no-code solutions are most often third-party service providers that work both in approval and in collaboration with corporate IT. When certain areas of the business need a new application but lack the IT resources to derive it at speed and scale, a third-party provider can saddle up with the eventual end users to develop an ideal new solution. All of this can be done without stretching the resources of an already thin IT team. 

Another distinction that’s necessary to make is that the introduction of low-code and no-code toolsets isn’t an indictment on corporate IT, either. To the most cynical-minded, the rise of the citizen developer could be seen as an against-all-threats bet on innovation by members of the C-Suite who fear falling behind on digital transformation. Even more cynically, putting these transformation efforts into the hands of non-corporate developers could be seen as “betting the house” for security-minded IT leaders who are beholden to the “on-premise or else” mantra that was pervasive pre-pandemic. 

Instead, IT shouldn’t view the citizen developer as a short-sighted solution to much larger, potentially existential corporate challenges. Rather, IT teams need to be reimagined to be stewards of the network first–a mantle that became most enterprise IT’s top marching order since the start of the pandemic–with a split focus on ensuring workers can perform safely and effectively from wherever they log on. 

Moving on from focusing on enabling safe and performant network access, each team across the corporation should have their own innovation mandate that allows them to explore low-code and no-code solutions knowing their network foundation is safe and effective. That’s all to say that innovation is no longer just the mandate of IT, and organizations need to be armed with the forward thinkers and tools across departments to think with digital transformation in mind. 

It ultimately also comes down to teams choosing low-code and no-code partners that have a proven track record of success in delivering solutions at a faster pace than in-house development teams have been able to on their own. Given low-code and no-code are still a relatively nascent proposition (and on a massive growth trajectory), any areas of the business seeking out these partnerships need to simply be diligent in their vetting–not hasty in their want to deploy solutions for the sake of meeting an innovation mandate.