I recently had an acquaintance of mine pose a question - "Does anyone manage a red team, or have experience with the business case/funding needs for starting [SIC]?" To provide a bit of background - this individual is the director of security orchestration in a Fortune 500 company. He doesn't work for a small mom and pop store, his employer has the resources, and no doubt the risk exposure (potential for loss) that could justify the employment of an internal red team.
Without going too much into detail on business risk, a red team could help reduce risk (operational, financial, legal/compliance, reputational - four main types) to the organization in a quantifiable way. You need to speak in these terms if you want the support of senior-level individuals. They talk and understand risk. To get the funding you need a business case, and it should tie to reducing risk where you can show that the company is overexposed. This process is, no doubt, unquestionably hard. However, if you belong to the Fortune 500, you can find many cases, I'm sure, to present as a reason to increase spending and put together a team of 4-5 people. Besides the HR costs of putting together a team, I would budget at least 10% for training and travel. The benefit of traveling to a conference or attending in-person training and networking cannot be overstated.
Let's talk about what a red team is for a minute. For starters, I don't have as much experience on the red side as I do on the blue, but I know for a fact, as a defender, I would have been better at my job if I had a team that was constantly trying to by-pass me and my defenses. The red team could test security on the network as well as internal, custom built applications. How valuable would it be to your employer that you know about vulnerabilities in your own, proprietary applications? And then you can take that knowledge to the DevOps team and have them fix it! A red team could serve this function. The red team could identify malware on the network by creating organic intelligence derived from internal tools, such as malware analysis and log correlation. The tools available today are numerous. A red team is a perfect spot for such tools.
The key to any team is cohesion. The team needs to work together well to drive value for the organization. There are several specialties that you will need which is why you need a team. You will need one person with a background in intelligence. Possibly ex-military, but not necessarily. They need to understand objectives and have an analytical mind to connect the dots between what they can collect and what you know about the environment. You will also need a technologist. She is your keyboard ninja. She knows her way in and out of Linux and Windows like the back of her hand. You may even get lucky, and she knows networks, routers, and switches, too. If she only knows systems, you will need to invest in a network engineer. You will need a programmer to handle the application security side of things. He can double as your automation (scripting) engineer.
As side from those three to four roles, you also need someone to direct the team. This leader should be a seasoned individual that understands all aspects of red teaming. They need to know how the output of the team will be a direct input to other business processes and how that can affect the business. The red team leader will be the glue of the team that can step into any role and provides backup.
Red teaming, as a concept, was born from the need to think adversarially. At its conception, the idea did not make sense for the business world. As businesses became more reliant on information technology, this need changed. Operations rely on computers and networks for most companies in the modern world. How many could still operate if the internet or email or phones went down for an extended period? Not many, and I'm sure a majority haven't even pondered the question.
So, to the original question - business case and funding to set up a red team - you need to find where your company is exposed and sell the red team as mitigating the risk. The cost is tied to HR / Training / Travel / Tools for a team of four to five. It’s hard to put a number because location and talent will be a big factor. A red team in NYC or San Francisco will cost more than a red tam in Atlanta or Austin. As long as you are reducing risk and driving value in a quantifiable way, the C-suite should listen and support.