Hi mchugh48 and welcome to the forum!

I have faced this dilemma many times. Here is what I have done:

1) Build a presentation showing how to add security to  every step of the SDLC (Software Development Life Cycle). I focus on cost reduction by "thinking" about security in the early stage;

2) Show them how, by implementing security into the development framework, we could same a lot of $$$ on subsequent projects. For example, creating a solid filter for user input in web applications could easily be reused by all other projects using the same platform.

3) Security training for developpers. I personally do free "Lunch and hack" sessions at work about twice a month. In these sessions, I will talk about a single topic, for example SQLi, demonstrating an attack or two and showing them how to protect themself. This is also a great way for me to make them aware of my skills  (Hey, I am a contractor )

4) If you end up finding vulnerabilities before the system goes in production, talk to management about how this costly mistake could have been easily avoided by doing xyz earlier.

I hope this can help you.

Security is a huge part of every infrastructure and application project. It can't just be ignored or weakly implemented. This results in major losses down the road, and is more costly. What happens when your application or project has a security flaw or is exploited? You lose customers, you lose money, you lose trust, and your reputation is ruined. Surely the cost of a little prevention is worth it.

I can't say I've ever dealt with a project that had an unreasonable time frame for completion. When my boss once demanded I setup a web-based application with an unreasonable time frame I flat out told him "No." I implemented basic filtering and network/firewall restrictions on this web-based system. Lo and behold, a couple months later, the application's programmers found a flaw that allowed crackers to access the admin panel and steal user data. Since I implemented restrictions on our server I saved us from being cracked and having our customers be exploited.

Speak money to a company and they'll usually listen. Tell them that making security a focal point in the beginning often reduces the chance of exploits. Like H1t said, sometime you can make a security application that can be used in several different projects, and that saves a lot of time and money.