[Kalium]

> I worded this badly. This is optional on a case by case basis, i.e. there's a cost-benefit to using each 3rd-party, and this burden is worth considering for each. It's still not a massively onerous burden tbh if you do use a lot of 3rd parties.

I'm up close and personal with a vendor assurance process right now. It's often a non-trivial amount of time for any given vendor.

> I'm sorry but if you're really defending companies with no competent security measures in place, regardless of size, I think you're in the wrong forum here. If you are a commercial entity of any size there should be moral hazard in ignoring security of your users' personal data.

I'm sorry, I worded this badly. I'm saying that small startups have a tendency to prioritize getting a product working and seeing if it's worth investing heavily in before standing up a strong information security unit. You're absolutely, completely, 100% correct that there should be incentives to be very careful with user data.

I think it's possible to see where some people might find the level of expense and expertise required to be appropriately careful somewhat scary. I can even see where some people might decide to not create a social media startup to challenge Facebook because of this fear.