On a more serious note than my previous post, I'd likely ask the following questions as well as some of those already posted.
1. What kind of 3rd party audits have you passed and when have the last 4 been conducted? What kind of audits are coming up?
2. How often do you run penetration tests and who runs them? Any 3rd parties? Have you ever been breached?
3. What is the deployment process for both front-end code and database code? Does that include peer reviews? Do the reviewers and DBAs have "stickable" authority to reject code?
4. Do you have a dedicated QA team? Do you have a viable "ticketing" system to track faults, rework, and deployments? Source control?
5. What environments do you maintain and who can deploy code to them (Dev, QA, UAT, Staging, Prod, etc.)?
6. Do your front-end Developers write mostly stored procedures or mostly rely on the ORM to generate database code? What is the ratio there?
7. What is your RPO/RTO, where is the DR site, and what is the transfer latency? Have you done a fully disconnected BCP test (Business Continuity Plan)?
8. Do you have an infrastructure team, who does the backups, where are they stored, and have you ever done restores to ensure they're viable?
9. Can I sit with the Developers?
There's more like that, and they should probably come out during the interview as part of a bi-directional conversation rather than at the end.
--Jeff Moden
Change is inevitable... Change for the better is not.