If you can only ask one question to a vendor to understand their security program, what is it?
For me - What's the title of the person running your security program and who do they report to?
Having a random engineering leader double as "CISO" means you don't have anyone responsible for security.
Likewise, if the person running security at a software company reports to the IT manager, it tells you far more about their program than asking if they encrypt your data at rest.