Protiviti Contact

Protiviti Contact

Thomas Lemon

Managing Director


Tom is a Managing Director based in London and leads our UK Technology Consulting practice, which includes our security and privacy services. He joined Protiviti in 2004 to help launch the UK business, having previously worked at one of the ‘Big 4’ firms in their Technology Risk division. Tom has considerable experience providing technology consulting solutions to large global clients across multiple industries and specialises in leading large security, privacy and IT risk programmes and assessing and enhancing programme governance structures to ensure business objectives can be met efficiently and effectively, within organisational constraints. Tom also specialises in the GDPR, cyber security, PCI DSS, identity and access management, IT governance, IT risk management, end user computing, and project risk management.


  • Security awareness project: Tom led the delivery of a cyber security executive awareness initiative at a large global bank. He designed and personally delivered 40+ one-to-one awareness sessions with C-level executives at multiple locations in Europe, the USA and APAC. The project was very successful and led to further support to help the bank achieve its goal of raising the bar in terms of the level of awareness across its workforce and therefore its ability to help safeguard the firm from significant cyber security issues.
  • Data privacy: Tom and his team have supported a significant amount of GDPR compliance projects, including performing assessments, and designing and executing compliance programmes. His work has included designing privacy operating models, performing extensive data mapping projects, designing and implementing privacy processes such as the data protection impact assessment, subject rights processes, and many more. Tom regularly speaks at industry and Protiviti events on this topic and is focused on helping his clients achieve sustainable compliance and significant value from their privacy programmes.
  • Cyber Security Strategy: Tom led a project to help a large global bank define their cybersecurity strategy. Our work included interviewing senior leadership across the business, IT and information security functions in order to draw out strategic goals and objectives. We helped the CISO articulate his vision and develop this through to a series of initiatives within the bank’s cybersecurity programme, using the NIST framework as a reference point. The delivered strategy was a great success and was used by the bank as a reference to develop cyber strategies across other entities within the Group.
  • Cyber Security Programme: Tom led a project at the Americas operations of a global bank to enhance their cyber security programme governance. Tom’s team were responsible for shaping and building momentum across all programme work streams, supporting the Americas CISO with designing his target operating model, and identifying gaps in planned initiatives and recommending solutions to support the programme’s success. Tom also led a work stream to conduct a business focused risk assessment using Protiviti’s top-down cyber security methodology, in order to help the client better prioritise its programme based on business needs.
  • Developer access to production project: Tom’s team led the design and implementation of an enhanced control process at a large global bank to better manage the risk of developers getting access to production environments. The project included strategic and tactical risk reduction work streams to ensure a sustainable target operating model could be achieved, but also quick risk reduction benefits could be demonstrated.
  • Cyber Security Strategy: Tom led an engagement at a large global asset management firm to help them shape and document their three-year information security strategy. His team worked with the company’s CISO and his management team in order to understand the firm’s strategic vision and objectives, information security risks, and the seven initiatives they have put in place in order to achieve these objectives and mitigate the identified risks to within appetite. The strategy was designed to help the organisation achieve best-in-class information security practices and in doing so, deliver on the firm’s regulatory obligations and internal control objectives.
  • Security Policy Framework: Tom led a project to design and document an IT and Information Security policy framework at a global services company. The policies were based on industry good practices, including the CESG ‘10 steps to cyber security’. The policies used an innovative structure that Tom’s team designed, which catered for executive stakeholders and IT users across the Group. The CIO and IT leadership team provided very positive feedback.
  • Cyber Security Review: Tom led a comprehensive business-risk focused cyber security assessment at a global commodity trading firm. He worked with senior management stakeholders across the business to understand and explore key business risk scenarios of concern, their points of dependency on IT systems and information, their potential impact to the business and their likelihood based on the current state of the security control environment. Tom also worked with the business to understand their risk appetite relative to these risk scenarios. The top-down risk assessment was enriched with a bottom-up assessment of their security control environment, using the CESG ‘10 Steps to Cyber Security’ framework as a benchmark.
  • Unauthorised Trading programme: Tom led a project to implement segregation of duty controls across a large global investment bank’s most critical 500 applications to separate system access required by Traders and Non-Traders. The project was driven by a regulatory requirement that was delivered under considerable time pressure during an intensive six-month period. The project involved designing, building and implementing enhancements to the bank’s identity management platform at pace using agile principles. The project on-boarded the 500 applications into this toolset, including established SoD rules. All SoD violations were then remediated and a BAU SoD violation management function was put in place. Tom’s team designed, built and operated the BAU SoD violation management function for the bank for over two years.
  • Logical Access Management programme: Tom was the programme manager for a significant Logical Access Management programme at a global bank. The objective of the programme was to implement an identity and access management solution and operating model to enhance the joiner, mover, leaver and recertification controls across the bank’s most critical applications and IT infrastructure platforms. Protiviti was asked to step into the programme at a point where it was off track, drive delivery of near-term critical milestones and reshape the programme in order to get it back on track to deliver within overall programme timelines.
  • Privileged Access Programme: Tom led a team that supported the global implementation of privileged access management tools and processes across IT infrastructure platforms in a global bank. His team project managed key components of the design, planning and implementation stages of the programme and designed and implemented enhancements to the overall programme governance structure. Tom’s team managed the implementation of a tool to manage shared accounts with privileged access (CyberArk). They were also responsible for documenting and implementing processes, procedures and a service support model for this solution.
  • Identity Management Solution Implementation: Tom led a project to design, build and implement a new recertification tool for a global bank, which formed part of their strategic identity management platform. The tool was built in order to cater for huge volumes of system access data across the bank and a new workflow-based recertification model. Tom also designed and implemented enhancements to the bank’s logical access management operating model based on the new solution and the business requirements that it was designed to achieve.
  • Global End User Computing Programme: Tom led the European team supporting the delivery of a global project to improve the controls around EUC applications across a large global energy business, including their trading division. He also shared global project manager responsibilities and reported directly to senior client stakeholders. Tom’s team was responsible for implementing good practice design standards across hundreds of EUC applications developed in Excel and Access. He was responsible for designing and delivering global training activities across the Group and contributing towards sustainable governance processes. Tom supported the implementation of the ClusterSeven spreadsheet change control system across the Group for the most critical EUC applications.
  • IT Governance Project: Tom designed a framework to improve the governance of intra-group third party IT service providers at the UK company of a large insurance group. The framework included an agreement between parties, a consistent set of control objectives, a reporting and monitoring process and a consideration of ongoing assurance activities.
  • Supplier Audit: Tom led an audit of the external WAN provider for a large global bank. The review was of several ITIL processes that the supplier operated in support of two critical services they provided to the bank. Our review covered the supplier’s Change Management, Incident Management, Problem Management and Hardware and Software Lifecycle Management processes. We were asked to mobilise a team within 24 hours to conduct the review, due to a recent series of major incidents that impacted the services. We achieved this mobilisation and completed the review in the required timescale. We received positive feedback from our client stakeholders and the report helped our client negotiate a satisfactory response to the incidents that occurred impacting those services and associated control breakdowns. The report was communicated to the CIO and to other senior management in IT.
  • IT Risk Management Programme: Tom defined the IT risk and control governance framework for a large global bank, in accordance with their internal enterprise risk management policy and aligned to the COBIT framework. Tom led a team that set and agreed IT control requirements in Group policy, defined key indicator reporting requirements for monitoring risk hot spots and implemented processes to identify IT control deficiencies resulting in non-compliance with policy and to monitor remedial activities. Tom worked with business and IT executive level stakeholders to embed the risk and control framework across the organisation.
  • Sourcing & Supplier Management Process Enhancements: Tom led a project to enhance a global bank’s sourcing and supplier management processes in order to cater for additional control requirements and better manage logical access risk presented by suppliers. The project delivered updated contract schedules, including specific control objectives that suppliers would be required to meet, enhanced supplier assurance processes, in order to monitor control effectiveness at suppliers, and an improved mechanism to review supplier services in order to determine the scope of control objectives that suppliers must meet.
  • IT Risk Management Transparency Project: Tom designed and implemented a process to interpret and communicate technology risk and control information from the IT organisation of a large global bank to its customer business units as part of a global transformation programme. Tom managed a large number of senior stakeholders, chaired multiple working groups and steering committee meetings, delivered detailed process maps, a reporting toolset and supporting materials and managed the implementation of these across the firm.
  • Distributor audits: Tom performed European-wide distributor audits on behalf of a large multinational information technology hardware manufacturing and research firm. Tom helped develop the distributor audit methodology based on his review of contracts between the IT firm and its distributors. He extensively applied his data analysis skill set to model key contractual terms and conditions in automated routines with the purpose of using client and third-party data to recalculate rebates and program related payments to identify instances of overpayment.
  • Trading Business End User Computing Project: Tom supported a project to map critical front office processes and managed a subsequent phase of the project to improve controls around the development and use of spreadsheets at a large, multinational oil and gas company. Tom documented and implemented a Business Critical Spreadsheet Policy, including supporting governance processes and training programs. He liaised extensively with key business and IT sponsors to identify and publish a workable set of control processes to support the key principles defined in this policy. Tom developed a spreadsheet analysis methodology using a combination of automated tools and manual techniques. He also managed a team of developers responsible for performing remedial actions to address spreadsheet design deficiencies identified via this analysis approach.
  • Sarbanes-Oxley Compliance Projects: Tom provided consulting services supporting a number of large multinational organisations, primarily within the Banking, Energy, Manufacturing and Service industry sectors, achieve and maintain compliance with the Sarbanes-Oxley Act. Tom recently provided SOX consulting services to a global bank, assisting them with their year 1 to year 2 transition. The client’s objective was to move from an expensive project to an efficient and effective ongoing compliance process. To help achieve this, Tom streamlined the General Computer Controls methodology by implementing a risk based approach and an improved issue assessment process. Tom has also managed large teams responsible for delivering IT process documentation and controls testing activities in support of achieving Sarbanes-Oxley compliance.
  • Royalty Audits: Tom managed the royalty audits of two European licensee locations of a leading global apparel company. The audits looked at the completeness and accuracy of the licensee’s royalty calculations and the appropriateness of deductions from reported sales. In addition, an analysis of shipping locations was performed to identify if licensed goods were being sold to locations not included in contract terms. Manual techniques were combined with data analysis activities to conduct the audit efficiently and effectively.
  • Royalty Audits: Tom conducted a series of royalty audits at a licensed manufacturer that used his client’s intellectual property. Tom used manual and automated audit techniques to recalculate the royalty payments due and validate conformance with selected contract clauses.
  • IT Audit – Project Methodology: Tom reviewed the project methodology being used by a large media company. His focus was on the requirements specification process for a sample of projects across the organisation’s portfolio. Thomas was responsible for meeting with key stakeholders, identifying areas of non-compliance with internal policy and identifying opportunities for improving the process in accordance with best practice principles.
  • Application Controls Review: Tom managed a review of application controls across two instances of SAP in client locations across Europe. Tom used Protiviti’s Assure Controls tool to perform a snapshot analysis of key configurable controls within SAP. He identified effective key controls to be incorporated into the client’s Sarbanes-Oxley documentation and highlighted critical settings that were not good practice and presented a potential risk to the firm.
  • Security Review: Tom evaluated the adequacy of systems and processes established by client management to administer and secure network routers and firewalls at a large media company. Tom managed a team that was responsible for organising and completing all aspects of the audit. He conducted key stakeholder meetings and reported results directly to the Head of IT Audit. The final report included observations and recommendations that were discussed and agreed with all business owners and the Head of Internal Audit before being issued.
  • Application Baseline Testing: Tom worked with business and IT staff at a large multinational oil and gas company to baseline a number of key financial applications to support the company’s Sarbanes-Oxley compliance activities.


  • Cyber Security
  • Data Privacy
  • Identity and Access Management
  • IT Governance & Risk Management
  • Project, Programme & Portfolio Management
  • End User Computing
  • IT Audit


  • Financial Services


  • MMATH Mathematics (Hons)
  • University of Bath
  • Certified Information System Auditor (CISA)
  • PCI DSS Qualified Security Assessor
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Project Management Professional (PMP)
  • Prince 2
  • ITIL​​