Inquisitive IT

Whats your security destination

Cybersecurity Roadmaps

What is your Organization’s Security Destination?

Day 1 : Assess & Plan

Your organization decides what security destination or roadmap is ideal. Do you want to implement 150 CIS controls over 2 months or 2 years? We can plan for that. How about HIPAA compliance? or another regulation like FTC? We have you covered. Our security roadmaps (often called Compliance as a Service) is a integral part of offering secure IT. 

NYDFS Cybersecurity requirements PDF

SEC Cybersecurity Guidance PDF

FTC Start With Security PDF

CIS Controls Poster

Gap Assessment

Weekly Progress

Inquisitive will share a planning platform with your organization that will guide, schedule, task, and document all of your control implementations. The standard cadence is 1 control implementation per week. Your organizations security posture gradually progress week by week as will your security culture. 

Compliance Control Implementation

Continuous Testing & Improvement

Once you reach your desired security destination, you can choose to test your controls effectiveness with an external audit, a penetration test and/or simulation. Going forward, controls will be updated with changing best practices, and reviewed on a recurring basis to make sure controls remain effective.

Penetration Testing


A control is a security defense that may entail a policy, procedure, or technology. Controls deter, prevent, detect, and correct risks. 

Inquisitive IT provides all customers a detailed CIS roadmap. For customers requiring an additional overlay, we have a small upcharge for additional frameworks/standards. Good News: Most standards reference CIS Controls and CIS provides a great foundation to build a security program. 

Inquisitive will discuss and recommend additional security tools if warranted by those overlay standards. Most technologies are included in our standard plan. 

The CIS (Center for Internet Security) organization is a grass roots global effort of public, private, and military cybersecurity volunteers working together to produce best practices for running a security program. NIST, SOC2, and others often refer to CIS controls. Every few years, the standards are updated based on recent global breach data and a healthy debate from its security volunteers.  CIS Controls have the fewest conflicts or interest and is a great example of cybersecurity defenders collaborating to create a better playbook for security. 

MSP Stands for Managed Service Provider. MSPs are IT outsourcing firms for small and medium sized businesses. Although Inquisitive IT would certainly be considered an MSP,  Inquisitive differentiates itself by focuses on Google Workspaces and security compliance and roadmapping. This is a rare combination. 

MSSP stands for Managed Security Service Providers. MSSPs can vary greatly in their service offerings, but largely offer SOC (Security Operations Centers) and 24/7 incident response. They monitor tools like SIEM (Security information event management) and EDR (End Point Detection).  Their is a bias toward MSSPs focusing on detection and response, Although Inquisitive IT is focused on “security first”, our company is unlikely to be labeled as an MSSP. 

VCISO is a Virtual Chief Information Security Officer. Inquisitive security roadmapping and compliance is a role that is largely filled by either a virtual CISO or CISO. We believe our value proposition and dedication to providing security supports the the VCISO title. 

Inquisitive IT cannot audit your organizations security program because we believe we need to maintain independence and a 3rd party audit would be applicable to validate the implementation and current state of controls.

You Want an IT Provider that will build a security culture, not re-sell you tools

Come see how Inquisitive IT is different