James Elliott · DevSecOps & operations management

Developer by background, security by trade.

I'm James Elliott. I started out writing code, found my way into the seams where security meets everything else, and these days I lead a DevSecOps team. This is where I think out loud — about operations, strategy, and the messy human side of shipping software well.

Role: DevSecOps Eng. Manager
Writing about: Operations & strategy
Based in: UK · Remote-first
Started as: A developer

01 · About

I came up building things — that still shapes how I work.

I started my career as a developer, shipping product code before the term DevSecOps had really caught on. Over time I gravitated toward the seams — where security, platform, and product collide — and ended up running engineering teams whose job is to keep those seams from tearing.

Good security feels like lane-assist, not a handbrake. It should keep you in the lane while you focus on the road ahead.

These days I lead a DevSecOps engineering function. I still think like the developer I was — which means I have little patience for security that exists on a slide but never in production. The work I'm proudest of looks the same from the outside: a team that stopped firefighting, started shipping, and quietly raised its security posture without anyone calling it a "transformation".

When I'm not doing that, I'm writing about it — engineering operations, strategy, and the human side of building software. That's mostly what this site is for.

02 · How I work

I'm not the Department of No.

P/01

Yes, and…

"No" is rarely the answer. The job is finding the route that ships the work and keeps you safe — even if it means a detour.

P/02

Pragmatic over pure

A 70% control your team actually runs beats a 100% control they route around. I optimise for what gets used in production on a Tuesday.

P/03

Lane-assist, not handbrake

Good security should sit in the background and gently nudge — not jolt the wheel out of your hands. If a control feels like a handbrake, it's the wrong control.

P/04

Leave it better

The goal is a team that doesn't need me. Good work makes itself unnecessary — I'd rather hand back something self-sufficient than build a dependency.

03 · Writing

Notes on strategy, operations, & getting things shipped.

04 · Work with me

And yes — happy to talk strategy.

The day job keeps me busy, but I take on the occasional engagement when it's a good fit and genuinely useful. No retainers, no theatre — just a focused pair of hands and a second opinion you can trust. A few ways that tends to look:

S/01
A second opinion on strategy
Short Advisory
Where are you, what are the real risks, and what's worth doing next? I'll tell you straight - no 200-page vendor PDF, just the next service interval, mapped.
S/02
Designing a DevSecOps program
SDLC Tooling
Brakes, mirrors, lane-assist for your SDLC - a security program that keeps the team in lane rather than yanking the wheel. Security in the build where it pays, runtime where it must.
S/03
A sounding board for managers
Coaching Ad-hoc
The passenger seat, not the driver's. For first-time security managers and EMs carrying security scope — document reviews, honest feedback, and the occasional "are you sure?".
05 · Say hello

Come say hello.

I like meeting people who care about this stuff. Want to talk through a thorny security problem, compare notes on running teams, or just disagree with something I wrote? My inbox is open — and yes, if you'd like a hand with your security programme, I'm happy to chat about that too.

Drop me a line