A list of things to ask about the state of a company
How often do deploys happen?
Are deploys fully automated?
Who has access to production systems?
Who has access to staging/development/pre-production?
Who has access to any/all source code repositories?
Who has access to deploy to production?
How often are system passwords rotated?
How often are user passwords rotated?
Is there a third party vendor routine scan?
Who is responsible for building monitoring?
Are there system-level monitors?
Are there application-level checks (can a user login, etc)?
How many people are on the on call rotation?
Does development/engineering participate in on call/emergency response?
What were the last three emergencies that had to be dealt with and who was responsible for triaging, managing, and solving the incident?
Do backups exist?
How often are backups tested (e.g. restored and validated)?
Are there support contracts?
If private infrastructure, how many network links exist for production?
If private infrastructure, is there a refresh cycle?
How many network links exist to each office?
Who has administrative access to email/account management?
Is there a minimum amount of vacation required of each employee?
Are employees allowed to work from any location?
Are on call personnel mobile devices compensated for in any way (hotspot, phone, etc)?
What type of devices are provided to new employees? How often are those devices refreshed?
Is there a personal develoment budget?
Is there a library/book sharing system? Can relevant books be purchased?
Is there a mentoring structure in place?