
Finding Balance Between Low Code & Security Policy

August 6th, 2021


The world is learning to live with COVID. Things are coming back to normal. Well, not really. 

“A competitor just got taken for $8 Million in ransomware. You just won executive approval to really get moving on your digital strategy and you can’t land the talent you need. Inside LinkedIn, reviewing your feed, one company is boasting that they have 1,000 positions they need to fill in the same skill sets you need. Adding to the surprises, your car is on a quarter tank and many stations are out of gas due to a cyber hack.”

There is no normal, only the present: a complex, entangled, evolving reality. Wherever you are, the low-code movement and security policy are two perspectives that need to work together. Low-code and no-code movements make software, services, and solutions more accessible to broader audiences, requiring fewer skills.

Low code is a response to a global skills shortage

Interest in low-code development has doubled or tripled in recent years based on Google Trends. The catalyst? Extreme shortages of the digital skills needed for data mining, automation, artificial intelligence, robotics, … 

Given the high demands for digital talent, hundreds of software companies are making the configuration and use of technology more accessible to the builders and composers of services and applications. Perhaps you have heard some of the new buzzwords like “citizen developer”, “citizen data scientist” or “citizen coder”? Amidst the backdrop of increasing accessibility, some firms have begun to link these to diversity and inclusion programs. This is a fantastic way to activate workers with high engagement and less developed skills.

The economic growth opportunity is massive and employers are not waiting

Estimates for the skills shortage in multiple pre-COVID studies showed that demand outpaced global education capacity by 400-800%. RAND Europe just completed a study on behalf of Salesforce. An estimated $11.5 trillion in GDP growth was at risk because organizations could not act on the innovation in front of them.

A few corporations have stepped up to create upskilling programs. Business Insider cited seven companies that had initiated programs. In order of announcement, they are AT&T, JP Morgan, Accenture, Amazon, PWC, Bank of America, and Verizon. It is the later firms that intend to apply diversity and inclusion.

Beyond upskilling, the technology industry is trying to make solutions and services more accessible. When they do, it builds confidence, establishes real experiences, increases adoption, and creates early value.

Does making things easier and more accessible increase risks?

We have seen the stories of extortion. We even experienced a recent inability to get gas when ransomware disrupted pipeline distribution of gas to local US markets. Our aloof response to yet another cyber-attack got very real. It felt like we were sliding back into a new kind of quarantine in a matter of days. 

On a whim, I checked Google Trends on three components to get a historical scale of mindshare through search behavior activity. How do low code and security policies contrast one another? Security policy is a continual heartbeat carried by Chief Information Security Officers. Low code is rising and increasing, just passing security. Add ransomware, WOW! Who would not be astonished at the visual impact of what gets attention?

[Image: finding balance between low code and security policies]

This got me thinking, and hopefully this article will trigger your own thinking. Do we have adequate measures and policies to protect democratized data and newly empowered capabilities? Is there a way of knowing that we have met policy when everything is more open and accessible? Can we create secure and safe low-code spaces that enable exploration, upskilling, and faster time to value?

Have you ever been to a bowling alley where they fill the gutters with soft bumpers that keep the bowling ball in play and headed toward the pins? People who have never tried bowling, no matter what they do, knock down pins, develop confidence, and get better. The same approach applies to low code. Without addressing or adjusting how we secure these systems, we are apt to create a richer opportunity for cyberattacks.

Keep calm, we have been here before

Security is one of the most adaptive business practices, mainly due to continuously evolving technologies, interfaces, and techniques. I have been blessed to have worked with the founders of the international security standard. It began as BS7799 with Stanford Research Institute and Carnegie Mellon teams. They created one of the first risk assessment methodologies, OCTAVE, and the International Information Integrity Institute (I4), established in 1986. I mention these because we have processes, design methodologies, and sensemaking frameworks. These approaches, when applied, bring about rapid solutions and guidance based on the situation. Do you explore how behaviors and policies need to change with the situation?

Model future operations, multi-stakeholder journeys, and evolving situations

Long before COVID, I participated in an FBI InfraGard-led activity. It was dealing with an evolving threat in a simulation that we walked through as a tabletop-style game of roles, issues, dependencies, and surprises. In retrospect, it was not that different from scenarios in Dungeons and Dragons.

Years later, several consultancy firms explained ITIL through the lens of the Apollo 13 mission. It was highly effective. As a service provider, prior firms modeled facility loss due to Hazmat, pandemic, or earthquake. Through these scenario planning activities, we had playbooks that made the difference when we temporarily lost access to a security operations center (SOC) due to a HAZMAT incident, lost a facility to localized prepandemic flu, and lost a building for days after a major earthquake.

Design Thinking has been a great model for driving innovation and rethinking new scenarios. Following an open process, the final design is improved by having a red team identify weaknesses and strategies to create the innovation alongside design teams. Much like authors Gene Kim, George Spafford, and Kevin Behr in the novel The Phoenix Project. The Security Officer’s job is to facilitate a safe solution for the mission. Security teams need to be part of the team and not just ‘Dr. No’.

Lastly, one framework which has escaped designers is called Cynefin®. The framework has become immensely helpful in many situations and global policymaking settings. There are videos from the founder of Cognitive Edge, Dave Snowden. Very enlightening.


Our present path is finding balance by blending low-code and security policy

In closing, Edge Total Intelligence is a sensemaking software solution that unites the myriad of tools and data present in operations. It safely brings these assets and other third-party data together under a role-based/context-based security model. I mention this because we realized that we need to evolve every low-code feature alongside the security policy model. Working both together makes us mindful of creating safe and secure spaces. 

Our customers and designers can protect access and reduce the skill level required to see, investigate, decide, and execute ideas and business objectives. For our customers, learn about the new features in our Q3 Release Webinar. Still not familiar with edgeTI? Please check out our e-Book on how you can share expertise across teams.
