by yeukhon 3820 days ago
I argue security starts with being paranoid. Not that I don't trust anyone I work with, including myself, but I can leak emails or my computer can get hacked. Shit happens. So I would start with the worst case and ask myself how to defend against any leaks.

External service SLAs can be a joke. It's always an afterthought. Damage control is always on the customer side because the customer has to rotate / invalidate leaked credentials, so the first step for me is to have a process to invalidate credentials as often as possible.