
Who we are

Lacuna Securities provides Human Centric Security™ that holistically fills your IT Risk, Data Protection and Cyber Security gaps. We offer Governance, Risk and Compliance (GRC) support from gap identification through to technical security delivery, including incident response and training. We also offer virtual services for data protection (vDPO) and information security (vCISO).

We are often asked to support our GRC services with technical delivery and we fulfil these requests through a network of trusted partners. Their values, experience and expertise complement ours to provide you with a holistic approach to Cyber Security.

Our team has an extensive IT Risk, Cyber Security and Governance background. We have implemented well-received compliance processes and systems that make evidencing compliance easy. We can communicate with stakeholders at every level, from technical administrators and developers to managers and the Board.

Our cyber security professionals have more than 10 years of practical experience in Red Team and penetration testing. In addition, they have extensive knowledge of corporate IT infrastructure, malicious activity simulation and social engineering.

We are value-driven, flexible and adaptable. We aim for your objectives and help your business to succeed.

At Lacuna Securities, we believe people, processes and technology work best together, with special focus on people at the core.

Who do we do it for

Our experience and expertise have added value to clients in global Financial Services, Business Services, Software and Internet, Telecommunications, and Health. We are predominantly UK based.

From conversations about Data Protection and Cyber Security, we’ve learnt that these companies have three main challenges:

  • The first is the cost of compliance – not just the upfront cost of implementation but also the cost of staying compliant. Naturally, business owners prefer to keep revenue and spend as little as possible to ‘tick the box’ of compliance. This, however, exposes companies to undue risk:

    • Fines for non-compliance are steep. A data breach could be fined up to €20M or 4% of global annual turnover, whichever is greater.

    • Brand damage. Consumers are becoming more aware of data protection. There is a culture shift with a higher expectation for protection. Companies that fail to meet this expectation may lose their customers’ confidence.

    • ICO investigations. Consumers are aware that they can lodge a complaint to the Information Commissioner’s Office (ICO). This complaint may spark an investigation which could be an unpleasant process that takes up valuable time and resources.

  • The second challenge is to truly understand what Data Protection and Cyber Security controls to implement, and how, on top of running the business. The effort required to become and stay compliant is often underestimated.

    • The GDPR and DPA 2018 are more onerous on documentation and evidencing than the previous regime under the Data Protection Act 1998 was.

    • Under Article 95(3) of the Payment Services Directive (EU) 2015/2366 (PSD2), payment service providers are required to establish an effective operational and security risk management framework relating to the payment services they provide. Payment service providers are also required to complete the operational and security risk form in accordance with regulation 98(2) of the Payment Services Regulations 2017 and SUP 16.13.13D.

Implementing, monitoring and reporting on compliance continuously takes additional time and resources. Practical processes, suitable technologies and clearly assigned accountabilities are therefore crucial.

  • The third challenge is that many companies seemingly offer similar consulting services. These are often pure law firms or pure technology companies that rarely have practical risk, governance and control experience. This makes implementing a holistic approach that meets business needs tricky, if not impossible.

What do we do

At Lacuna Securities, we always weigh risk against benefit. We start by understanding the business, its information assets and how it operates. We identify security or compliance gaps and work with the business to establish the most suitable implementation plan. Together with the business, we then guide and help to operationalise this plan.

It doesn’t stop there. As compliance is ongoing, we help monitor compliance with the implemented policies, processes, technologies and controls, train your people, and report on the results. When needed, we also liaise with the Information Commissioner’s Office on your behalf.

We offer practical solutions for operational processes and suitable technologies, and we assist in assigning accountabilities, so that compliance becomes an effective part of your business.

Our values

What do we believe in

  • Maintaining the Right Culture with integrity, honesty, accountability and a positive outlook

  • Creating Value through understanding objectives, cost-benefit analysis, planning to succeed and quality delivery

  • Respect for each other. We believe in people, work collaboratively and learn from others’ viewpoints

  • Continuously learning. Nobody knows everything all the time; there is always something new or a different perspective. We love to explore new or different ideas

  • Keeping things simple

Our focus

Lacuna Securities believes that People, Process and Technology work best together to provide a stronger, more secure environment for you and your company. If each is viewed in isolation, critical security and compliance gaps emerge that can lead to non-compliance and significant risk to the business.

  • People – Humans are the centre point of our focus. It is important to ensure that everyone is well informed about the who, what, where, when and how. It is not only about the processes and procedures but also about giving people the understanding and tools they need to build the best security and compliance culture. We believe in bringing out the best in people by focussing on their positive contributions, which also makes the culture sustainable.

  • Technology – We believe technology is an enabler. It must help to reduce risk, support people in executing processes, and be practical rather than enforcing a specific method that could restrict business operations.

  • Process – Clearly defined processes help reduce the risk of non-compliance and drive people’s understanding and behaviour at every level. It is important to measure the right things – we get what we measure. We use, and are governed by, industry standard processes, so you can be confident in delivery and execution.


Meet the founder

Sonya Stephens
