At many enterprises, financial and compliance audits are viewed as necessary but disruptive facts of life. And it can take weeks, months, or longer for some enterprises to access, test, and deploy updates to IT infrastructure elements, even updates deemed “critical” to effective cybersecurity. The explosive growth of low-code/no-code enterprise technologies and citizen-developed applications and services requires more and better risk mitigation goals, to which audits and updates can make significant contributions.
Low-Code/No-Code: More Deployments, Benefits, and Risks
Gartner estimates that by 2024, at least 80 percent of those building low-code/no-code applications will work outside IT. Leading enterprise software providers, including Salesforce, SAP, and ServiceNow, offer powerful platforms and features for “citizen developers.” And multiple low-code/no-code applications and tools are available to anyone with an internet connection and a credit card.
The advent and rapid evolution of generative AI is accelerating the already formidable growth of low-code/no-code technologies in enterprises of all types. These technologies are helping to ease and speed the creation and deployment of new applications and services, many of which are helping make enterprises more agile and responsive. However, these rapidly growing, readily available technologies are often deployed with little to no participation or oversight by corporate IT or cybersecurity teams. This creates new and potentially greater risks to enterprise data, operations, finances, and reputation.
Fortunately, many enterprises facing these challenges and opportunities are already experienced in planning for and executing audits and deploying updates to IT resources. As a result, these proven practices can be adapted and expanded to improve efforts to minimize and mitigate risks associated with low-code/no-code technologies.
5 Things to Start Doing Now
- Audit your critical data frequently and regularly. Every citizen-created application and service poses potential risks to the accuracy, quality, and security of critical business data and personally identifiable information (PII). Implement policies and processes to ensure your critical business and private personal data get audited regularly and risks and changes to them are flagged and acted upon as close to immediately as possible. Automated monitoring and notification tools can help ensure that critical data is always an accurate, consistent, protected, and trustworthy “single version of the truth.”
- Monitor your environment constantly. The environment in which critical data “lives and works” must also be monitored continuously. Every new low-code/no-code deployment or other change to the environment must be vetted ASAP for actual and potential risks to data, finances, and operations. Automated monitoring and notification tools are essential here, as are well-defined, well-enforced policies and processes for risk identification, triage, and management.
- Implement effective policies for managing low-code/no-code deployments. The good news is that established, experienced enterprise software providers are delivering low-code/no-code tools that embrace enterprise management and cybersecurity requirements. The not-so-good news is that tools not supporting these requirements are easy to get and deploy and may already be present without IT’s knowledge or oversight. Policies, processes, and user education efforts must all encourage citizen developers to understand and take serious measures that protect critical data and IT infrastructure elements.
- Pursue timely deployment of software and security updates. IT solution vendors frequently issue software patches and other updates to introduce new features and respond to new threats. Unfortunately, the expertise and resources needed to acquire, test, and deploy these updates vary widely, sometimes delaying their implementation for weeks or months. Such delays leave enterprise data, IT estates, and operations vulnerable to threats that exploit the vulnerabilities updates are intended to address. As a result, risk managers and those involved in low-code/no-code deployments must collaborate with IT and cybersecurity teams to keep relevant resources updated with the most current protections and features.
- Educate and engage end-users. End-users are both the first line of defense and the first vulnerabilities typically attacked by criminals. Low-code/no-code deployments represent significant potential end-user computing (EUC) risk. Education (and at least a bit of marketing) is essential to engaging users as allies for data and IT protection and training them to spot and avoid risks.
Regular audits and assessments of your data, low-code/no-code deployments, and policies and processes increase the likelihood of identifying risks before they become threats. In addition, timely updates to IT resources and regular reviews of relevant policies and procedures can help ensure LC/NC/OS tools always have the “latest and greatest” security and data protection features.
How Incisive Can Help
Incisive Software is focused on helping organizations build a strong foundation for success based on accurate and trustworthy data, especially in the face of new and growing risks spawned by generative AI and other low-code/no-code technologies. Incisive offers Incisive Analytics Essentials, a solution that enables you to gain managerial control over generative AI and other low-code/no-code deployments while making them available to authorized users. The Concourse platform, the heart of the Incisive solution, provides consolidated, comprehensive abilities to know what you have and what changes, and to effectively manage, protect, and trust your business-critical data across your entire enterprise.