(from Software Quality book)
If you work for a company that doesn’t have a strong AppSec team, or a company that has not seen powerful (or public) exploitation of their assets, you need to write some exploits.
Never underestimate the power of a good exploit.
A good exploit will dramatically change the business's and developers' perception of what security actually means to their company.
But when you do write them, they have to be very professional and look the part. Ideally, they should show a criminal business model that makes sense in the industry you are in. For example, you could show data being extracted, sold, and manipulated by remote attackers.
It is important that you show those exploits to all parts of the company: from legal, to business owners, to architects, to developers. You know you've done it right when you've answered the question "Why should we do security/appsec?"
So, if you should find yourself having to justify security, then you’re at a stage where you need some really good professional exploits that will allow people in management to ask the right questions.
And those questions are, "Can you fix it? Can you solve 'that' security issue from hitting my company? Because I don’t want 'that' (the demo you’ve just done) to happen here."