Hacker News

Again you mention the number of startups that do something, how is that relevant without reasoning why that is good?

I don't know the entire history of startups, or for that matter DLP, more than you do, but mistakes and sabotage happen at any commercial entity, and this is not an easy problem to solve at large enterprises, as you probably know even more than myself. But as a startup you can define data classification and handling policies early on, and a DLP is just a tool to help you enforce that, and by DLP I don't mean a firewall but MS Information Protection in this case. You control how secret and sensitive information is shared and stored. You use it to build a solid culture of secure data handling. It becomes more costly and difficult as you grow larger, and you avoid costly mistakes and sabotage because you have a good handle on where your data is and how it flows.

My point wasn't that startups should implement MSIP/DLP and O365 but that a checklist on HN and copycatting is not the best way. Get a consultant to help you get things straight based on your specific business goals/needs (maybe you will cash out in 5 years and just don't care, so get gsuite and take the risk). There is no generic one-size-fits-all checklist where if you do those things that means your random startup's security is going in the right direction.

If you're fintech or work with government contracts you really do need MSIP or the equivalent; if you're selling a new cool database product that is FOSS, maybe you're like a decade away from even considering it. My post was anti-checklist mainly. If you care about security, let a pro help you plan it according to your needs instead of checking a few boxes and hoping that was enough.

And startups do get hacked and get their data stolen although most won't advertise it to the public.



I don't know what to tell you, other than that you're trying to relate large enterprise security to startups, and that's simply not how it's done.


I am not beyond convincing, but I need a reason other than "it's not done this way". I don't doubt that or your experience, but I have to question when my technical reason is met with "nobody does that". Bigcorp or startup, everyone has different needs and they should secure the data important to their business in a way that they can afford, and as such a reductive checklist approach is bad, and you have not made an argument otherwise, so I suppose I will agree to disagree.


I understand. On a thread like this, where someone is asking directly what the set of things startups do for security as best practices is, my priority is just ensuring that the thread generates an accurate answer to the question. Maybe some other thread will happen where we can debate whether AON (for example) does security more effectively than Square.


We don't need a debate; you just need to provide a technical reason other than your opinion on how popular something is. As far as I am concerned, you are providing incorrect information based on what is popular and promoting one-size-fits-all security planning. You picked one product and made it into a debate about it because it deviated from what you saw as popular vs. what bigcorp uses.



