Blackhats can cost organizations way more than whitehats would charge in operating costs, personal identity theft, and reputation.
Whitehats are only taking advantage of the unenlightened as much as a mechanic is taking advantage of someone who doesn't know anything about cars - they provide experience and expertise and offer a service for a high price - at least, a higher price than if the client knew how to fix it themselves.
I love it when the economically illiterate attack others for "price gouging" as if the third party doesn't have a choice in the matter or they aren't "unenlightened" enough to properly appraise the value of what they are buying.
How do I know that my jeweler isn't gouging me on my fiancee's 2 caret diamond ring? Because I know that there's a fixed quantity of available diamonds, and almost everyone would buy them at a given price. And if I need to verify that, I can go to the jeweler down the street. Everyone would buy security consulting at a given price, but that quantity is even more limited than 2 caret diamonds.
Why is my house worth a third less than what it was 3 years ago? Because there's at least a third fewer potential buyers than there was when I bought it. I wasn't "price gouged" or fooled in either instance.
Whitehats specialize in security and it frees up our time to specialize and produce excess value for others. It's not a conspiracy. If Steve Jobs and LeBron James aren't tricking people into giving them money, neither are whitehats. It's the free market and, believe it or not, it produces wealth.
Just because a cartel exists somewhere in the supply chain doesn't mean I have to participate in the transaction or my perceived value of it is artificially inflated. The two caret ring was just hypothetical, but there are plenty men who value those rings more than the asking price, and their wives appreciate that. (at least the sensible ones do)
Also foolish to forget that time is money, you pay knowledge workers for the time they spent studying. You too can "save" $10,000 by doing security yourself, but only if you spend several years training and understanding the domain.
Where can one buy security for $10,000 anyway? I'm not mentally disabled and have spent many weekends learning about info security. What are they even talking about?
Sure, but what blackhats often claim is that even if a company pays whitehats large sums of money, it is often fairly easy for the blackhats to do just as much damage as they could before.
Whitehats are only taking advantage of the unenlightened as much as a mechanic is taking advantage of someone who doesn't know anything about cars - they provide experience and expertise and offer a service for a high price - at least, a higher price than if the client knew how to fix it themselves.