Pick an organization, then describe the security that the organization uses to protect information. Security professionals are naturally cautious about sharing security information. The inquiry should focus on how the organization protects data and information. Focus on the security culture rather than specific techniques.
Questions to consider asking:
How many resources are dedicated to information security?
Who is responsible for the overall security strategy?
Has the strategy been successful? Is the strategy adequate for the risk?
Has the environment been challenged in some way?
Why or why not?