"Almost nobody uses either." I am very aware; I noted that in my comment. Are you saying O365 and AIP are inferior to G Suite? If so, I would like to hear why. I don't favor either, I just haven't seen why. DLP is absolutely a foundational security practice, especially for a startup, because they usually have some "secret sauce" and all it takes is one employee leaking that, and most people that leak/sell out just print or take the document with them. A startup may be drowning in VC money, but it all comes down crashing the moment someone else does it better.
As far as the security hire and pentesters, I don't particularly mind the norm so long as you made that decision and planned on it from the start.
Also on O365, if you're a Mac shop I still say it's better, but for Windows shops (as rare as that is at a startup) you must use AAD, and it solves a lot of problems out of the box when you marry it with O365, and you don't have to worry about Google banning you on a whim and crashing your business. I am all for best practices, but those are different from monkey-see-monkey-do copying without critically reasoning and defining why that decision is best.
DLP is not a foundational security practice. It's a product category and little else. I've spent a good chunk of time in my career working on DLP[1], mostly at large enterprises (the only place this gets seriously deployed), and I've never seen it do anything useful. I can count on zero fingers the number of startups that buy and operate these tools.
In the entire history of startups, no startup has ever outcompeted another based on DLP.
Startups overwhelmingly use Google. I'm not interested in arguing with you about how startups should use Windows, or Active Directory; it's just not relevant. The question was asked "what's the checklist for startups", not "what's the checklist for AON".
Again you mention the number of startups that do something; how is that relevant without reasoning why that is good?
I don't know the entire history of startups, or for that matter DLP, more than you do, but mistakes and sabotage happen at any commercial entity, and this is not an easy problem to solve at large enterprises, as you probably know even more than myself. But as a startup you can define data classification and handling policies early on, and a DLP is just a tool to help you enforce that; by DLP I don't mean a firewall but MS Information Protection in this case. You control how secret and sensitive information is shared and stored. You use it to build a solid culture of secure data handling. It becomes more costly and difficult as you grow larger, and you avoid costly mistakes and sabotage because you have a good handle on where your data is and how it flows.
My point wasn't that startups should implement MSIP/DLP and O365, but that a checklist on HN and copycatting is not the best way. Get a consultant to help you get things straight based on your specific business goals/needs (maybe you will cash out in 5 years and just don't care, so get G Suite and take the risk). There is no generic one-size-fits-all checklist where, if you do those things, that means your random startup's security is going in the right direction.
If you're fintech or work with government contracts you really do need MSIP or the equivalent; if you're selling a new cool database product that is FOSS, maybe you're a decade away from even considering it. My post was anti-checklist mainly. If you care about security, let a pro help you plan it according to your needs instead of checking a few boxes and hoping that was enough.
And startups do get hacked and get their data stolen although most won't advertise it to the public.
I am not beyond convincing, but I need a reason other than "it's not done this way." I don't doubt that or your experience, but I have to question when my technical reason is met with "nobody does that." Bigcorp or startup, everyone has different needs, and they should secure the data important to their business in a way that they can afford; as such, a reductive checklist approach is bad, and you have not made an argument otherwise, so I suppose I will agree to disagree.
I understand. On a thread like this, where someone is asking directly what the set of things startups do for security as best practices, my priority is just ensuring that the thread generates an accurate answer to the question. Maybe some other thread will happen where we can debate whether AON (for example) does security more effectively than Square.
We don't need a debate; you just need to provide a technical reason other than your opinion on how popular something is. As far as I am concerned you are providing incorrect information based on what is popular and promoting one-size-fits-all security planning. You picked one product and made it into a debate about it because it deviated from what you saw as popular vs. what bigcorp uses.