However, a FSP's website and web services still leaves it dangerously exposed - the network perimeter can no longer be like an impenetrable wall, rather it has to be porous, letting in customers and partners crucial to doing one's business. It is perhaps not surprising then that most hack attacks are http based, bypassing the firewall and aimed at the web server, in order to exploit the "seams" between applications.

Online banks, such as Egg, cannot afford to have their security breached. It has taken time for web-based financial services to build sufficient customer confidence, a successful hack attack can set this process back months and have a significant impact upon revenue and transaction volume. Website defacement, despite the company website residing on a server unconnected to those holding customer data, is a visual warning to prospective customers that the FSP is incapable and/or uncommitted to providing necessary security levels.

A recent Gartner report predicted that by 2005, 60 percent of organisations would be outsourcing the monitoring of at least one perimeter security technology. Why are FSPs doing this? It would appear to be against the general accepted principles of security, but there are a number of advantages. Firstly it can dramatically reduce the associated costs. Secondly, by outsourcing the management and monitoring of the firewalls and IDS systems a company frees up valuable IT resources.


Information security infrastructure can be very complex, comprising of different products such as firewalls, intrusion detection systems, VPNs, anti-virus systems and web server shields. Typically, these solutions will be from different vendors. With such a complex environment it becomes a challenge to manage and monitor all these devices. Not only do you need highly skilled security staff, but you also need them round-the-clock, as security is by definition a 24/7/365 process.

Providing the resources to maintain and monitor the environment on a 24-hour basis requires a lot of manpower. The costs are therefore expensive. By outsourcing time-consuming, repetitive tasks, FSPs can focus their own security resources on activities that support the security objectives, such as overall policy compliance. Selecting a quality managed security services partner will allow institutions to increase their security profile while managing the costs.

As stated earlier what is being outsourced is the operational aspects of some security technologies. Organisations will not and should not outsource their security responsibilities. They will still need to develop a security management infrastructure and supporting processes. This will include the security outsourcing and how the security partner interfaces with the FSP. Perhaps a better term is "co-sourcing", to indicate the overall control and responsibilities that the FSP retains.