Citizen development—aka “shadow IT”—is here to stay, and for a good reason. However, the risks it poses are growing, and they call for comprehensive governance. Federal agencies need guardrails to mitigate the risks and enable citizen developers’ contributions to help fulfill the enterprise mission.
These days, it’s a given that any large enterprise is rife with shadow IT. The proliferation was inevitable. Over the years, employees became familiar with technology and dependent on technology tools to do their jobs. Often not finding the tools they wanted in their IT departments’ official toolbox, they learned to create their own, a development initially alarming to IT leadership.
As organizations seek to become “user-centric,” what could be more user-centric than employees showing their IT departments—with tools they themselves created—what they need to do their jobs better? And in today’s era marked by IT skills shortages, a “do it yourself” attitude is coming to prevail among employees capable of producing their own one-off tools conventionally known as locally developed applications (LDAs).
But in a positive trend for technology, the somewhat pejorative label “shadow IT” is fading in favor of the more respectable “citizen development.” Instead of being perceived as roguery that undermines IT authority and cybersecurity, it is increasingly seen as a potential net positive. This is due to a growing recognition of the need for governance.
An LDA is typically developed by a potential citizen developer using the tools they have on-hand, such as Microsoft Excel or Microsoft Access. The developer does the work in their own silo without any involvement or guidance from the organization's IT office. A governance program provides support platforms for these applications, as well as supported processes to ensure that they are secure, accessible, etc. When the IT office provides support, and often provides a low-code/no-code platform to aid the citizen developers, it applies control and permits the sharing of benefits.
Forrester estimates that the U.S. will have a shortage of 500,000 software developers by 2024, while Gartner predicts that by 2025, “70% of new applications developed by enterprises will use low-code or no-code technologies, up from less than 25% in 2020.”
Utility and inevitability aside, ungoverned citizen development poses a variety of risks to an organization.
Security – Security violations are a major concern with citizen development. There is potential for LDAs to expose personally identifiable information (PII) and risk incurring hefty fines. Apps not supported by IT are vulnerable to malicious intrusions, especially in today’s work-from-home environment, where an LDA might reside solely on the developer’s laptop.
Quality - Because citizen development bypasses an organization’s configuration management and safe testing processes, LDAs risk incompatibility with other systems and applications, and have the potential to compromise the network. Consistency and standardization, along with firm change management, are hallmarks of quality IT.
Inefficiency - While an LDA typically makes its developer more productive, what happens to the rest of the organization? It is not unusual to find that many of the LDAs have as much as 80% in common. In other words, each citizen developer has done repetitive work that could have benefited the broader organization.
Compliance – How likely is it that citizen developers bent on making their own work more agile and efficient are also fully versed and trained in the fine points of compliance? Or stay abreast of new regulations that might apply to their LDAs? Citizen developers creating a tool for themselves are unlikely to consider, for example, the federal requirement about accessibility for people with disabilities.
Cost – In 2019, Gartner found that 30-40% of IT spend goes to unauthorized applications, while Everest pegged it at 50%. This proportion, likely larger today, represents a significant amount of funding that could, if well governed, produce greater value for the organization.
Collectively, these risks are significant enough that the temptation arises to impose extremely tight policies that would ultimately discourage citizen developers and impede the performance improvements they intend. Or worse, drive it underground where it would flourish without any oversight. That can be a mistake. In the words of Star Wars’ Princess Leia, “The more you tighten your grip, the more star systems will slip through your fingers.”
Effective governance is not about exerting authority but rather, enabling people to fulfill the mission with proper guidance. It means a more structured approach so that organizations can support the maturation of citizen-developed applications for use as enterprise applications. It means enabling citizen developers to create, expand, improve, and share their creations – all while ensuring security, quality, productivity, and financial responsibility.
To learn more about our approach to citizen development governance, contact me.