Most business managers see anything to do with security, including IT security, as a non-revenue generating expense. Money going down the drain if you will. They also don’t understand security concepts.
Therefore, you need to avoid approaching them from a security standpoint and approach from a liability or revenue generating standpoint. What liability issues would they face if their IT system were breached, for example? An example might be the liability some businesses are now facing because their IT system was breached and customer records were stolen. There are also ways that IT security can reduce the operating cost of a business. These are the things you want to present.
I think that Nevadascul made some excellent points. Many companies now have a legal obligation to keep their information secure whether they want to or not. Compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations makes security mandatory, not optional.
Unfortunately, the companies that have the poorest security are often the most difficult ones to sell security consulting services to. You can make the greatest business case in the world, explain the great liability that the company faces, etc., but at the end of the day, most of these people won't take action until after a crisis occurs.
I have been in physical security for 35 years (the last 22 years as a consultant) and have never found an easy solution to this problem. Selling security for the most part is a crisis-driven business. I would say that about 80% of my clients come to me just after a major theft or compromise of information. There are a few super conscientious people who consider security on a proactive basis, but you will probably starve if you depend on this type of client for business.
I hate to be negative about your "discussion group" idea, but I doubt if this will be effective from a business development standpoint. The people who would come to this event are not the people who would buy your services. I think you may attract a following of "techies", but doubt that a busy business owner or manager would attend this type of event.
I have sometimes said that selling security consulting services is like selling brain surgery services - if the client has a need, they will be eager to talk with you, but if they don't have a need, no amount of selling in the world will get them to go under the knife.
So, the key to success is getting the client to be able to locate you when they have a need. I have found that the best way to do this is to develop a network with other trusted advisors who will refer the client to you just after an event has occurred. Examples of advisors that have referred work to me include attorneys, private investigators, insurance brokers, property managers, and other consultants. Just ask yourself, if a company has just had an information security breach, who are they likely to call first?
I have identified close to a hundred different individuals who fall into this category and I attempt to keep in relatively close contact with them. I try and take at least one person a week to lunch. The relationship works both ways; if someone I know has a need for their services, I pass along their name.
Another thing that has been successful has been "lunch and learn" sessions. About four times a year, I do lunchtime presentations at the offices of law firms, architectural firms, and property management companies. (Your choice of groups will probably differ.) I pay to have lunch catered in, and provide an educational lecture on a current security topic. I usually get at least one project as a direct result of each session, and many attendees call me months after the session with questions or referrals.
Good luck with your efforts. Feel free to contact me offline. I see that we are in the same state, so there may be some opportunities to work together.