Vulnerability analysis looks easy. Security Red Teaming requires more than that.
What is an Information Security Red Team? The handbook points out some differences from the usual risk analysis. I remember another company whose "Red Team" was really doing software inventory. A Red Team is more than that.
Maybe your organization has hired an impressive "hacker group"? In too many cases, the result is that simple vulnerability scanning software alerts on dozens of obscure, almost mystical configuration mistakes that might create risk. And too often, the IT group that paid all that money must then meet with business managers and somehow "connect the dots". They must make a compelling argument for new software or more people, often costing millions of dollars, and the spend ends up being justified by a 30-minute diatribe on signature-based versus heuristic detection technology.
Red Teaming isn't so obscure. The scenarios in our proposals are written in business terms. Debating what might happen if Windows is not updated is seldom as convincing as presenting the data we actually captured. Discussing the impact of shutting down HVAC for five minutes, thanks to poor security on the environmental controls, is a more engaging debate than talking about bits, bytes and yet more IT security tools.
Red Teaming and pentesting are more influential because their results show the penalties paid for lax security far more convincingly than a recitation of scan findings. We demonstrate some of the very real impacts in demonstrations that anyone in the business can understand.
Not getting traction for your security initiatives? Consider researching pentesting, Red Teams and similar approaches. More importantly, consider how your program relates to your organization. Are you a silo in an isolated service group, or are you genuinely interested in what your organization does? Can you give insightful examples of the bottom-line impact on operations if your bits/bytes/tools recommendation isn't followed?