
Interview With Christian Nicholson – Co-Founder and Lead Consultant at Indelible by Shauli Zacks

Shauli Zacks

Published on: April 16, 2025
Content Editor

In this SafetyDetectives interview, Christian Nicholson, Co-Founder and Lead Consultant at Indelible, shares how a love of the internet and a knack for pen testing shaped a career in cybersecurity. With experience spanning KPMG, Foundstone, and SANS, Christian brings a unique, solutions-driven perspective to the industry. Indelible was born from that mindset: a consulting company built to solve complex, one-of-a-kind security problems that don’t fit into standard playbooks.

Can you share a bit about your background and what led you to Indelible?

I really started in this industry as a pen tester. I was a child of the internet—I grew up on IRC. I’ve always had a love of the internet, though I didn’t really know if it would ever become a real job. I’m fortunate that, due to my age, it ended up becoming an emerging career at the time.

I started my career with a big corporate job at KPMG. I was one of a handful of pen testers there. At the time, there weren’t too many of us in the Big Four. I was offered an opportunity to move to KPMG Japan to help run the AppSec department.

But in the middle of that, I stumbled into an opportunity with Foundstone—one of the original three consulting companies in the cybersecurity space, along with ISS and @stake. I remembered seeing Foundstone courses when I was just starting out. They were some of the original training resources available in the industry, alongside SANS.

Around the same time, I got into the CyberAces program with SANS under a National Science Foundation grant. That allowed me to pursue several SANS certificates and eventually become a SANS instructor and one of the SMEs on their staff. I helped with question auditing and authoring for the GIAC exams and helped prepare tests.

All of this gave me the opportunity to join Foundstone, where I met the global lead of services in the company and the original founder of Indelible, who also invited me to join him. Fast forward several years and I have become CEO of Indelible, a position that was never in the game plan. Those that know me have heard me say, “I never set out to own a company or be a CEO.” It’s the kind of career move that found me, not the other way around. However, I grew more confident that there was a different way to approach security to make it more effective and solution oriented. This is what Indelible is about.

Several times in my career I knew we could solve a client problem in a different way, but I had to work within the confines of my current employer. Either they weren’t interested in selling those services, or there wasn’t an appetite to implement the right tech stack. Being told no so many times is why I am so passionate about what we do at Indelible.

What sets your company apart in the cybersecurity consulting space?

Our primary goal is to earn trust through results and become a valued partner and advisor—not just another consultancy doing assessments. We’re in it together to help our clients solve real problems that hold them back from being able to scale, operate more efficiently or execute their roadmap. All our planning is based around understanding their business and developing short-, mid-, and long-term goals. We don’t just assess; we also help with implementation.

One of the things we really focus on is solving what I like to call the ‘snowflake problems’—the one-of-a-kind challenges that don’t fit into a standard playbook. Over the years, I’ve had the chance to participate in DEF CON, BSides, and several other major conferences, and through that, I’ve been lucky to build relationships with some incredibly talented people across the industry. So, when a client wants to explore something new or push the boundaries of an emerging technology, there’s a good chance we can provide someone who’s been hands-on in building or shaping solutions in that space. That kind of access is hard to come by, and it’s something we’re proud of in our network of trusted partners.

With the evolving cyber threats, how do you help organizations stay ahead of the attackers?

It’s always a game of cat and mouse. One of the first things we teach in any SANS course is to assume you’re compromised. It doesn’t matter how big you are or how great your tooling is. If your goal is to stop every attack, you’ve already lost. The key is to redefine what “winning” means.

If you’re a credit card processor, your crown jewels are the transaction data, credit card numbers, and personally identifiable information. That’s what you must protect. You’ll always be better at detecting than preventing. Winning means knowing what’s critical and being ready to respond.

We stay ahead by hiring people who are truly passionate about security—not just clocking in and out. They stay involved in the community, go to events, and share intel. I’m part of several private sharing communities—Slack channels, Discord groups—where we trade insights in real-time.

It’s a circle of trust, and it gives us early warnings—often before news articles even break. That helps us guide clients proactively.

What are some of the biggest cybersecurity challenges companies often overlook until it’s too late?

I love this question. The two biggest are cost and people.

Security is a cost center—it’s expensive, and it doesn’t generate revenue. That makes it a tough sell for leadership.

Convincing companies to invest in security tools or people can be a challenge. Often, the only time companies are willing to spend is during or immediately after a breach. That’s when everyone is suddenly on high alert.

We always say: Don’t let a good crisis go to waste. That’s when you can get the funding.

But the truth is, the cost of prevention is always less than the cost of recovery. We use those metrics when talking to clients—investing upfront is a lot more cost-effective than cleaning up a breach.

How do you balance security compliance requirements with practical real-world defense?

We start by asking: What assets do you have to protect? Who are you protecting it from? What are your risks? How are you going to protect them?

Too many companies focus on checkbox compliance—doing just enough to pass audits. But that’s not real security. Compliance for the sake of compliance isn’t helpful. If you’re secure, you’ll likely be compliant. But being compliant doesn’t necessarily mean you’re secure.

At Indelible we encourage clients to go beyond the bare minimum but focus on what goals really matter. A client that truly understands their threat profile from multiple angles is a client that is securing the right systems and spending their budgets effectively. As in my earlier example—if compliance says to protect every endpoint in your org but none of them can access sensitive data, why are you doing it?

Of course, the above is exaggerated, but the point stands: If a client understands what they need to protect, who they are protecting it from, and how to protect it, they’re way ahead of the game.

What’s your advice for businesses trying to build a resilient security culture?

There are many different aspects to building a culture of security. One I’d like to focus on is the use of automated tools. Many businesses are taken in by whatever Gartner says is the best for the job or has been recommended by others. But Gartner reports are often marketing-driven, and just because a tool works well for another team doesn’t mean it will fit your organization. Also, just because a tool scores well in a lab doesn’t mean it’s right for your team.

Pick tools that solve your problems in your way—even if it’s not the most popular option.

However, don’t be a tool junkie. I see so many teams rely too much on tools but don’t truly understand how the tool is helping them perform tasks. It’s clear when we run a tabletop exercise and say, “You don’t have access to your EDR—what do you do?”, and they scramble. It’s not that the team isn’t good enough to solve the problem manually, but most of them have been lulled into the false assumption the tool will always be available.

The teams that operate most effectively, no matter what the scenario, learned the fundamentals. They know how to solve problems manually, understand what the tools do, how they do it, and why. Then it doesn’t matter which EDR you use—you’ll understand what it’s doing under the hood, or, worst case, can operate without it when the situation comes up.

If you build knowledge from the ground up, and have a true understanding of the problems, you’ll be far more resilient.
