What is citizen development? The CIO’s solution to shadow IT

The growing demand for software has given rise to pseudo-programmers who, though not professional developers, build applications that empower their business lines. These so-called “citizen developers” (cit-devs) build apps because IT can’t build the software they require when they require it.

Cit-devs fall into two camps: those who don’t code, and power users who do minimal coding. Forty-one percent of business respondents are running active cit-dev initiatives, with another 20 percent either evaluating or planning to start, according to a survey from Gartner, which predicts the number of active citizen developers will be at least four times the number of professional developers by 2023. 

[ Beware the reasons why software projects fail and the leadership practices that could sink your software project. | Get the latest CIO insights direct, with our CIO Daily newsletter. ]

“The number of people who can participate in citizen development is growing exponentially,” says Chris Obdam, CEO of Betty Blocks, which makes software that empowers users to build apps without coding. “They see the IT dept is not up for it and shadow IT is created because the business is growing more and more frustrated.”

That mention of shadow IT is crucial: Some citizen development is sanctioned, while some isn’t. But whether it happens with or without IT’s knowledge, cit-dev presents a new challenge for CIOs who must decide whether to support or thwart these types of programmers. The stakes are high: Without oversight of citizen development, CIOs won’t know what tools and platforms are being used or how data is being governed, opening their companies up to security and privacy risks.

From macros to mission-critical apps

Citizen development finds its roots in IBM’s Lotus Notes/Domino and Microsoft’s suite of productivity applications. Business staff began building macros — small programs that automate tasks to save time — for Excel. Others created files for storing data using Access database management system. And many workers built enterprise portals, or intranets, using SharePoint.

Cit-devs later crafted more sophisticated apps, such as reports for business intelligence and other functions. Data collection, workflow orchestration and automating data capture are the top three application types created by citizen developers today, according to Gartner analyst Jason Wong.

In many cases, these do-it-yourself projects save overwhelmed IT departments from having to allocate professional developers to solve these ad-hoc business issues. But cit-devs often can’t maintain their own creations, particularly as more users adopt the tool, says Paulo Rosado, CEO of software maker OutSystems. They lack the skills to modify and refactor their apps — some of which become mission-critical — let alone handle the repositories of data the apps create.

Suppose a cit-dev creates a small report with some graphics using a low-end BI tool, Rosado says. That lightweight app becomes so critical to daily workflow that staff in the department want that report available in a mobile app. Other staff not only want a mobile app, but they expect it to enable business transactions. But that cit-dev’s capabilities don’t extend beyond the desktop version; he lacks the ability to scale the software he’s created.

“They [cit-devs] reach limitations that, if not addressed, create truly damaging shadow IT,” Rosado says. And that’s when IT gets called in to rescue them from their own software Frankensteins.

The power of low-code platforms

But CIOs and cit-devs are getting help from so-called low-code or no-code platforms that enable cit-devs to build software with minimal or no coding. With these tools, cit-devs arrange application components, including data and logic, via drag-and-drop interfaces in a process akin to snapping together digital Lego blocks into an application workflow. Low-code tools do require some script writing, however, to enable access to older apps, create reports, or build custom interfaces.

Salesforce.com, Microsoft, Mendix, OutSystems and Appian lead a market of close to 20 low-code vendors, according to Gartner research on the market.

Betty Blocks’ Obdam says the platforms are picked up quickly by digital natives, including many Millennial and Generation Z workers, who generally tend to be more savvy about consuming software. But “in the end, it’s not about tooling but about fixing problems that business folks have,” Obdam says.

Outsystems’ Rosado says companies such as Toyota and Humana use his company’s Developer Studio platform to build anything from simple forms and workflows to mobile apps and reactive websites. 

Each low-code platform has its nuances, but they all give IT the ability to govern, and in some cases, audit, how cit-devs build software. This affords citizen developers the freedom to build what they need for their business department, while enabling CIOs to create guardrails that will protect the enterprise.

“One of the differences between the opportunity now and the past is that these platforms give you tools to govern deployment,” says Forrester Research analyst John Rymer, who estimates that half of his inquiries are about cit-dev and low-code platforms. Rymer adds that empowering cit-devs to build software under a formal governance model is a top priority for his clients.

A playbook for CIOs working with cit-devs

Tech and business staffs must collaborate on citizen-development initiatives, with IT empowering the business with self-service capabilities that have identity and security baked into the low-code or no-code software they choose. CIOs can delegate this task to application leaders, who work with business leaders to identify and enlist cit-devs. This shift enables IT to transform from always being in control of operations to being a facilitator, Obdam says.

A basic playbook could look like this:

Identify the chief cit-dev/shadow IT practioners. Look at which business units are already active in shadow IT or cit-dev, says Gartner’s Wong. Operations is the most likely business unit to adopt cit-dev, followed by product development, finance, customer service and HR.

Seek out the power users. These users, who will likely have the deepest knowledge and application domain expertise, will serve as cit-dev evangelists. Work with them and their business unit leaders to establish trust.

Define boundaries. Identify which cit-dev activities are safe, what requires professional developer support, and what would require strict IT oversight or even entirely off limits, Wong says.

Pick a platform. Select a low-code tool that works best for your organization, ideally one with full auditing capabilities that allows a governing organization to track data, including what users are using the tool, how and where.

Regardless of what platform you choose and what governance mode you employ — from white-listing apps to setting granular data permissions — empowering rather than thwarting cit-devs is the way to go. The reality is that you’re not going to have enough professional developers to build the software your business needs, so why not enable cit-devs to lighten the load?

“We have to expand the labor force that’s creating software,” Rymer says. “It’s that simple.” Plus, he adds, “It’s only rogue IT if you don’t manage it.”

More on IT strategy:

• 10 old-school IT principles that still rule
• 9 forces shaping the future of IT
• Why IT-business alignment still fails
• 9 warning signs of bad IT architecture
• 12 ‘best practices’ IT should avoid at all costs
• The 12 biggest issues IT faces today
• 6 hard truths IT must learn to accept
• IT’s worst addictions (and how to cure them)
• 8 early warning signs of IT disaster
• 12 bad habits that slow IT to a crawl