The high-value portion of the CORL VRM program is the follow-through to completion. We didn’t have the time or resources to dig deep into the issues found. I see value in CORL's organized approach: listing out remediation items; communicating with our vendors; then following up with our vendors to dig into compensating controls, evidence of policy, etc.
CORL is extremely valuable because a) you provide a service we would have a hard time doing ourselves as a small shop. You are an FTE augmentation, and I consider you my employees working on my behalf, so CORL becomes my team of ~100 people, and b) the CORL methodology and the thoroughness is very much in tune with my background in the financial services industry, where I built third-party assessment programs.
CORL is a ‘force multiplier’ for our InfoSec Program. It is not possible for us to accomplish at this level, with this amount of efficiency, on our own. Even if we had an FTE... It would take a year or more, where CORL can do it in a month. We cannot reproduce this in-house.