Money makes the world go around and your management knows this; however, most companies don't like spending a dime on security where they don't need to. A method I've found for making them sway from this position is to not only justify the business case FOR protecting themselves, but also the business case for protecting customers, vendor relationships AND for MAKING money off of security.
When I first started in my company, security wasn't an iota of a thought. Sure, they had a firewall here, a VPN there, antivirus here, etc., etc., but we had individuals who didn't understand the technology, proper deployment, etc.
After reviewing our current infrastructure, I began laying out the roadmap of what I wanted to accomplish:
1) Securing our network
2) Developing an internal security team
3) Raising security awareness
4) Developing a mechanism to earn off of a secure infrastructure and services
1) This was simple, since I was tasked with being the lead security tester for a SIGv5 audit + PCI Assessment. Since I understood security in practice more than anyone else, my company flipped out at the thought of losing clients for audit failures and losing the right to process credit cards, etc.
2) This was a little tricky, since I had to make management understand the benefits of training me and my colleagues. Management's fears will be "they will jump ship once certified..." I discussed with them the benefits of being able to go to clients with "credentialed" staff as opposed to "who are you again?"
3) We do mailings every now and then where I take news excerpts to raise awareness. Since we're a small company, I can interact with and explain things to most employees. I use a lot of analogies to help them understand. This allows my colleagues to take the information with them and use it at home too, something they appreciate more when it's presented to them like that.
4) After going through these motions for 3-4 years here, I developed, documented, explained, configured and deployed services to not only us here, but to certain clients. This enabled management to take a step back and focus on offering security as a service.
Anyhow, there is no "one size fits all" solution. Management does not like spending money. You should focus on the fact that the costs of a compromise are a lot higher. Point out the FACT that even the biggest companies (Google, Raytheon, etc.) are compromised, and we KNOW they've spent on security. Make it a business case: the cost of NOT securing versus the one-time cost of a compromise. Regulatory controls are your friend: if you need to maintain compliance, focus on the benefits of keeping compliance. Also focus on educating them about the potential revenue they CAN make by touting "A Secure Company", "Defending our Clients", etc. Most companies are aware of the security risks, and most companies would prefer to do business with a company that is responsible as opposed to one having "zero security."
In the event you do business with certain companies, it will be inevitable anyway. One of our clients is in the top 3 of the telecommunications sector worldwide. We were forced to do a SIG audit or risk losing business. After going through the motions with senior management, they then understood what the fuss was about. Being able to hand over a "statement of security accounting" shows the partner/client/etc. that you take business seriously.