About Us

A little bit about who we are

  • Who we are

    Lacuna Securities provides Human Centric Security that holistically fills your IT Risk, Data Protection and Cyber Security gaps. We offer Governance, Risk and Compliance (GRC) support from gap identification through to technical security delivery, including incident response and training. We also offer virtual services for data protection (vDPO) and information security (vCISO).

    We are often asked to support our GRC services with technical delivery and we fulfil these requests through a network of trusted partners. Their values, experience and expertise complement ours to provide you with a holistic approach to Cyber Security.

    Our team has an extensive IT Risk, Cyber Security and Governance background. We have implemented well-received compliance processes and systems that make compliance evidencing easy. We can communicate with multiple stakeholders, from technical administrators and developers to managers and the Board.

    Our cyber security professionals have more than 10 years of practical knowledge in red teaming and penetration testing. In addition, they have extensive knowledge of corporate IT infrastructure, malicious activity simulation and social engineering.

    We are value-driven, flexible and adaptable. We aim for your objectives and help your business to succeed.

    At Lacuna Securities, we believe people, processes and technology work best together, with special focus on people at the core.

    Who we do it for

    Our experience and expertise have added value to industries within global Financial Services, Business Services, Software and Internet, Telecommunications, and Health. We are predominantly UK based, though we do source highly skilled resources from Latvia depending on requirements.

    From conversations about Data Protection and Cyber Security, we’ve learnt that these companies have three main challenges:

    • The first is the cost of compliance – not just the upfront cost of implementation but also the cost of continued compliance. Naturally, business owners prefer money coming in and paying as little as possible to ‘tick the box’ of compliance. This, however, exposes companies to undue risk:
      • Fines for non-compliance are steep. A data breach could be fined up to €20M or 4% of global annual turnover, whichever is greater.
      • Brand damage. Consumers are becoming more aware of data protection. There is a culture shift with a higher expectation for protection. Companies that fail to meet this expectation may lose their customers’ confidence.
      • ICO investigations. Consumers are aware that they can lodge a complaint to the Information Commissioner’s Office (ICO). This complaint may spark an investigation which could be an unpleasant process that takes up valuable time and resources.
    • The second challenge is to truly understand what and how to implement Data Protection and Cyber Security controls on top of running the business. Often the work effort in becoming and maintaining compliance is underestimated.
      • The GDPR and DPA 2018 are more onerous on documentation and evidencing than the previous Data Protection Regulation was.
      • Under Article 95(3) of the Payment Services Directive (EU) 2015/2366 (PSD2), payment service providers are required to establish an effective operational and security risk management framework relating to the payment services they provide. Certain payment service providers are also required to complete the operational and security risk form in accordance with regulation 98(2) of the Payment Services Regulations and SUP 16.13.13D.

    Implementing, monitoring and reporting on compliance continuously takes additional time and resources. To assist, practical processes, suitable technologies and clearly assigned accountabilities are crucial.

    • The third challenge is that many companies seemingly offer similar consulting services. These companies are often pure law firms or pure technology companies that rarely have practical risk, governance and control experience. This makes implementing a holistic approach to meet business needs tricky, if not impossible.

    What we do

    At Lacuna Securities, we always consider risk versus benefit. We start by understanding the business, its information assets and how it operates. We identify security or compliance gaps and work with the business to establish the most suitable implementation plan. Together with the business, we then guide and help to operationalise this plan.

    It doesn’t stop there. As compliance is ongoing, we help monitor, train and report on compliance to these implemented policies, processes, technologies and controls. When needed, we also liaise with the Information Commissioner’s Office on your behalf.

    We offer practical solutions: operational processes, suitable technologies and help in assigning accountabilities, so that compliance becomes an effective part of your business.

    Our Values

    What do we believe in

    • Maintaining the Right Culture with integrity, honesty, accountability and a positive outlook.
    • Creating Value through understanding objectives, cost-benefit analysis, planning to succeed and quality delivery.
    • Respect for each other. We believe in people, work collaboratively and learn from others’ viewpoints.
    • Continuously learning. Nobody knows everything all the time; there is always something new or a different perspective. We love to explore new or different ideas.
    • Keeping things simple.

    Our Focus

    Lacuna Securities believes that People, Process and Technology work best together to provide a stronger, more secure environment for you and your company. If each is viewed in isolation, critical security and compliance gaps emerge that can lead to non-compliance and significant risk to the business.

    • People – Humans are the centre point of our focus. It is important to ensure that everyone is well informed about the who, what, where, when and how. It is not only about the processes and procedures but also about giving people the understanding and tools they need to build the best security and compliance culture. We believe in bringing out the best in people by focussing on their positive contributions, which also ensures sustainability.
    • Technology – We believe technology is an enabler. It must help to reduce risk, support people in executing processes and be practical, rather than enforce a specific method that could restrict business operations.
    • Process – Clearly defined processes help reduce the risk of non-compliance and drive people’s understanding and behaviour at every level. It is important to be measured on the right things – we get what we measure. We use and are governed by industry standard processes, so you can be confident in delivery and execution.

    Meet the Founder

    My name is Sonya Stephens and I work in IT Risk and Cyber Security, focussing on Governance, Risk and Compliance (GRC).

    I’ve spent over 20 years in big corporate companies building and improving Risk Management and Governance processes and controls. 15 of these years were within a large, global, financial services company. Here I held various senior positions such as Group Systems IT Security and Risk Manager, Senior IT Audit Manager and Product Development Senior Risk Manager.

    One of the highlights of my career was the opportunity to be the Business Lead in designing, implementing, testing, rolling out and training users on an in-house developed Sarbanes-Oxley risk attestation software tool. This tool was extremely well received by the global user population for its practical methods and ease of use whilst being a compliance tool.

    In today’s life and well into the future, there is so much of who we are living in the cyber world. This makes data privacy and protection hugely important. This includes effective user education and supplier assessments. For this reason, I welcome the Payment Services Directive (EU) 2015/2366 (PSD2), General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

    Yes, compliance is a pain for companies to implement, continuously monitor and report on. It is, however, a crucial activity to do and keep doing. There are many good people out there, but sadly there are also dangerous people living amongst us: dangerous people that use our personal data, pretend to be us and steal from us. As company owners we need to understand this and protect against it as best we can.

    Compliance in big corporates can be more complex than in small-to-medium sized companies, but all companies require scarce time and resources to manage it, as the risks of non-compliance remain the same. When we share our own personal data with any company, we want to know it is kept safe, regardless of the size of the company.

    I am a parent to a young boy. Amongst sporting activities, he enjoys watching YouTube and playing online games such as World of Tanks and Fortnite. I educate him about the potential dangers of the online world and monitor his activities. But I am always cautious. I need to know that all companies take the security of personal data seriously. I expect companies to protect the personal details of my son, his friends, all other children and all people. I want companies to know that it is so much more important than a tick-box exercise.

    Being passionate about making compliance practical and easy, I promised myself I would do everything in my power to make it part of everyday, efficient business operations. That is why I am looking to get in front of companies with a desire to improve their Data Protection and Cyber Security practices. Lacuna Securities can help with its practical implementation, monitoring and reporting.

    I am an associate Chartered Accountant (Institute of Chartered Accountants in England and Wales) and completed my training at PwC. I also hold a Master’s degree in Computer Auditing, am a qualified PRINCE2 Practitioner and passed the Certified Information Security Manager (CISM) exam within the top 20%.