Thomas Lemon

Managing Director, Country Market Leader

Tom is Protiviti’s UK Country Market Leader and leads our UK Technology Consulting practice. He has over 20 years of consulting experience and joined Protiviti in 2004 to help launch the UK business. Tom has considerable experience providing technology, risk, compliance and internal audit solutions to large global clients across multiple industries.  He specialises in technology strategy and change, cyber security, operational resilience, IT governance, risk management, data privacy, and large-scale project and programme delivery.


  • Tom is part of our global operational resilience leadership team and oversees all of our operational resilience work with clients and industry bodies in the UK.  He helped to develop Protiviti’s operational resilience framework and methodology and is regularly involved in industry forums and events on this topic.
  • Tom oversees our cloud practice in the UK. Engagements have covered topics such as cloud governance, cloud controls, SOC2 readiness, cloud architecture, cloud security, and cloud adoption.
  • Tom is a PCI Qualified Security Assessor (QSA) and oversees all of Protiviti’s PCI DSS engagements across Europe.  He is part of our global PCI leadership team. Tom has clients ranging from retail / merchant organisations, to payments companies, banks and service providers across the payments ecosystem.
  • Tom and his team helped to design Protiviti’s global IT risk management approach and methodology.  He has supported multiple clients with the design, implementation and execution of their technology risk management operating models and related processes.
  • Tom led the delivery of a cyber security executive awareness initiative at a large global bank. He designed and personally delivered 40+ one-to-one awareness sessions with C-level executives at multiple locations in Europe, the USA and APAC.
  • Tom and his team have supported a significant amount of GDPR compliance projects, including performing assessments, and designing and executing compliance programmes. This work has included designing privacy operating models, performing extensive data mapping projects, designing and implementing privacy processes such as the data protection impact assessment, subject rights processes, and many more.
  • Tom led a project to help a large global bank define their cybersecurity strategy. His work included interviewing senior leadership across the business, IT and information security functions in order to draw out strategic goals and objectives. He helped the CISO articulate his vision and develop this through to a series of initiatives within the bank’s cybersecurity programme, using the NIST Cyber Security Framework as a reference point.
  • Tom led a project at a global bank to enhance their cyber security programme governance. Tom’s team was responsible for shaping and building momentum across all programme work streams, supporting the regional CISO with designing his target operating model, and identifying gaps in planned initiatives and recommending solutions to support the programme’s success. Tom also led a work stream to conduct a business focused risk assessment using Protiviti’s cyber security risk assessment methodology, in order to help the client better prioritise its programme based on business needs.


  • Technology Strategy and Change
  • Cyber Security
  • Risk management
  • Operational resilience
  • Data Privacy
  • IT Governance
  • Project, Programme & Portfolio Management


  • MMATH Mathematics (Hons), University of Bath
  • Certified Information System Auditor (CISA)
  • PCI DSS Qualified Security Assessor (PCI QSA)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Project Management Professional (PMP)