About

Leadership & Expertise

The experience behind the platform — senior cybersecurity leadership grounded in real-world delivery.

Steven Elce

Founder & Principal Consultant

Steven is a senior cybersecurity leader with extensive experience across governance, risk, compliance, operational technology security, and client-facing assurance delivery in regulated and critical sectors.

His career spans consultancy leadership, practice development, and hands-on delivery across energy, defence, aerospace, maritime, government, financial services, and critical national infrastructure. He has led and delivered cybersecurity programmes ranging from enterprise-wide governance transformations to OT/ICS security assessments for operational environments where availability, safety, and continuity are non-negotiable.

Steven founded elce.ai to address a structural problem he encountered repeatedly across engagements: organisations investing significant effort in compliance activity across multiple overlapping frameworks, yet struggling to demonstrate genuine, continuous assurance confidence to boards, regulators, and operational stakeholders.

C-PAP is the direct result of that experience — a platform designed to consolidate multi-framework compliance into a single canonical model that delivers proportionate, evidence-led assurance without duplicated effort.

Areas of Expertise

Cybersecurity Governance Risk Management OT/ICS Security IT/OT Convergence Regulatory Compliance Assurance & Audit Practice Leadership Client Delivery

Framework Expertise

ISO 27001 IEC 62443 NIST CSF 2.0 NCSC CAF NIS Regulations ISO 22301 NIST 800-82 NIST 800-53 CIS Controls ISO 42001

Sector Experience

Energy Defence Aerospace Maritime Government & CNI Financial Services Healthcare Telecommunications

The Thinking Behind C-PAP

C-PAP was not designed in isolation from delivery reality. Every design decision in the platform — from the Canonical Control Model's structure to the assessment methodology and reporting architecture — is informed by practical experience of what works and what fails in real-world assurance programmes.

Canonical by Design

The CCM exists because we saw organisations maintaining separate control sets for every framework — duplicating effort, fragmenting evidence, and creating inconsistency. One control model, mapped to multiple frameworks, eliminates that structural waste.

Evidence-Led Assurance

Compliance programmes too often focus on policy documentation rather than operational evidence. C-PAP's evidence lifecycle model ensures that assurance claims are backed by current, attributable evidence — not assumptions.

Proportionate to Context

A financial services firm, an energy utility, and a defence contractor face different risk profiles, regulatory obligations, and operational constraints. C-PAP's operating context model and overlay domains ensure the assurance model fits the organisation, not the other way around.

Work With Us

If your organisation needs structured cybersecurity assurance that goes beyond compliance documentation, we would welcome the conversation.

Get in Touch