Low-code development is opening software creation to a less-technical audience inside many organizations, including state governments, which made heavy use of it during the pandemic. But now, some of the technology’s biggest proponents are starting to warn that it could create major headaches if not managed properly.
Senior IT officials told StateScoop that low-code is powerful because it allows even those with little or no programming experience to build apps in a matter of days. But wielding that new power can impose risks of data security, locking in vendors and creating “shadow IT,” unvetted tech that’s deployed quietly and goes unnoticed by IT departments for months or years.
The same low-code programs rapidly deployed during the pandemic could wind up burning IT leaders if they’re not careful, Nebraska Chief Information Officer Ed Toner told StateScoop. Toner, who oversees a team that helps other state agencies with low-code development, said that while working in the private sector, he was frustrated by low-code more than once.
“They didn’t understand the structure of the data they were pulling with this low-code and they were pulling incorrect stats and metrics,” Toner said. “They had created their own little silo of data and they weren’t taking into account all the other related data, and so they were producing metrics that were totally wrong. It took me six months to clear it up.”
According to a recent paper from the National Association of State CIOs, nearly a third of state IT leaders believe that low-code and no-code will influence their organizations more than any other technology over the next three to five years. With many states struggling to find IT veterans who know how to maintain decades-old mainframes running on outmoded languages, low-code is appealing to CIOs who want to build IT environments that can be sustained over the long term.
Vermont CIO John Quinn told StateScoop his state built more than two dozen low-code apps on Salesforce during the pandemic, helping residents with tasks like finding COVID-19 information or applying for unemployment insurance.
“I find it’s much harder to find skilled assets than it is new kids coming out of college or people that are just breaking into the technology sector,” Quinn said. “Thinking about our long-term need around resources, capacity, based on the number of applications that we have, I need platforms that are easy to learn, easy to manage. And by using the same platform over and over for multiple uses, we can build our bench deeper.”
‘Easy on the eyes’
Keith Perry, Georgia’s chief development officer, told StateScoop that as the head of a full-stack development team, he’s cautious about low-code solutions. But putting some of the development and maintenance of software into the hands of business users is a “relief” for many overburdened tech departments, he admitted.
“They can make those changes and put in those use-cases and get that speed to market without waiting on us, because we had a long list of things we had to develop,” Perry said of his experience with low-code at another agency before he joined the Georgia Technology Authority. “You’re getting business people who are becoming experts in that.”
Brian Kontur, a program manager at the Virginia Department of Transportation, told StateScoop that a recently developed app that helps the state manage vendor contracts for transportation projects was built using low-code and no-code tools in Microsoft Power Apps and Power BI. He said that in the long run, maintaining software built in low-code will require less training.
“Our team, we have the best top-notch developers, but that doesn’t mean we have to build the most complicated one-off application that looks great but then once someone has to update it, they need a user guide and training just to figure out what that one person did on that one specific type of application,” Kontur said. “Low-code, no-code doesn’t mean bad. It means easy, easy on the eyes and easily adapted.”
Montana CIO Kevin Gilbertson told StateScoop low-code is part of how he’s planning to make his state 100% digital by 2023, ditching old paper processes and shifting more operations online. He’s now building a team that will help establish governance around low-code in hopes of avoiding pitfalls like shadow IT.
Quinn, the Vermont CIO, said that while shadow IT is always a concern, low-code has actually helped his state get a handle on its huge app portfolio — a reduction from 1,500 apps to about 1,100. Redundant processes are a major drain on resources in many states, and in Vermont, Quinn said, there are more than 200 processes and systems for case-management alone, used by only eight agencies.
Another common critique is that low-code can be expensive. Perry told StateScoop that one Georgia agency got sticker shock when a vendor provided an “extravagant” $250,000 quote on implementing a low-code project. Quinn said that low-code licenses can seem expensive initially, but that if a state has good technology governance and plans to reuse those license across many apps, it will eventually save money.
“While it’s hard up front, we are changing the operating model of the way we buy technology at the same time and moving from that [capital expenditure] model to an [operational expenditure] model,” Quinn said.
These challenges aren’t new — the IT leaders interviewed for this article recalled episodes from past decades of inexperienced users building low-code apps that used sensitive data without first asking their IT departments.
“If you have to put in a lot of workflow and a lot of logic into a program, low-code’s probably not for you. You can make it do it, but it becomes a little bit of a maintenance nightmare,” Toner said. “You also have no idea what the underlying code is. The problem with that is you’re locked into that vendor, because you’re going to have to rewrite those low-code applications if you ever leave the vendor.”
Perry, Georgia’s chief development officer, said he’s wary of giving the technology unchecked power.
“When you start looking at application inventory, you start pulling back the covers and you find all of these mini one-off applications that are running everywhere,” he said. “What’s scary about that is the risk, the inherent risk, and all of the sudden this little thing has become a mission-critical application and it doesn’t have mission-critical support behind it. Low-code’s a good tool to have, but it shouldn’t be the biggest tool in the tool belt.”
Correction 6/8/22: This story was updated to clarify Perry’s comments.