At the Frontline: A Q&A with Boston Scientific CSO Lynn Mattice

Jan. 3, 2005
Boston Scientific's Lynn Mattice discusses asset protection, outsourcing security operations, and dealing with terroristic threats

Vice President and Chief Security Officer of Boston Scientific Lynn Mattice recently shared his thoughts with Security Technology & Design and As CSO of one of the world's leading biomedical research and manufacturing companies, Mattice faces issues of managing multiple facilities, creating security around highly proprietary research facilities and working his way through a new world that can put a terrorist on any doorstep. In this exclusive interview, Mattice shares his thoughts on outsourcing security, protecting assets, combining environmental and security monitoring and more. With 15,000 employees to look after, and a business that did $3.5 billion in revenues in 2003, Mattice has a lot on his shoulders. Here's how he does it all.

[Editor's Note: For more of this interview, see the January 2005 issue of Security Technology & Design magazine, which features more of Mattice's thoughts on corporate security.]

Name: Lynn Mattice
Title: Vice President and Chief Security Officer, Boston Scientific
Most Recent Security Technology Purchase: Electronic visitor control system
Years in Industry: 30

SIW: The products your company develops carry a hefty price tag, as does much of the equipment you use to develop those products. How do you deal with loss prevention and the protection of your physical assets?

Mattice: We have a very structured program of security education and awareness. It starts out with our new hire awareness programs. We have information systems available on our intranet Web site for employees to be aware of different things they need to understand. We also have a program where I send out fairly frequent advisories and awareness pieces.

We have structured material controls as well. For instance, with gold or platinum that's applied to our products in some of our product areas, we have very structured programs of weighing the product as it goes onto the floor for production. We know how much weight is applied to different products, so we can calculate easily based on what the output is for that shift versus the scrap and what is left, whether we have any shrinkage on that shift.

SIW: What type of environmental monitoring systems do you use in your research labs, and do those solutions integrate with any portion of your security system?

Mattice: We have gotten into drug delivery systems, where we have drugs actually impregnated into our devices, so we have to have very sophisticated environmental monitoring programs. All of those are integrated into our environmental management systems, which are then monitored not only by our EH&S people but as a backup by our security command center so that we can ensure that responses are made immediately.

SIW: How has the increased focus on bioterrorism or ecoterrorism impacted your security plans?

Mattice: I would have to say that we already had a very structured program in place. In 1997 Boston Scientific broke the billion dollar mark through one of our acquisitions, and determined that now that they were facing a new world of heavy international involvement, which they hadn't done a lot of up until that time, it was time to create a corporate security function. From that time we've evolved into a $5.5 billion company. Since 1997 we've continued very aggressively in the acquisitions program, and our security program has evolved with that. The foundation we put in place in 1997 is the foundation you see here today. So we haven't had to rush out and do a bunch of new things, because we were already dealing with the issues of today, so there really wasn't anything new for us to do.

We have a very robust monitoring program for CCTV; it's event-driven. We have the ability with the centralized system to shut down facilities anywhere we need to shut them down when we have to, to monitor events anywhere in the world and stay abreast of all the issues we're having to deal with on a day-to-day basis. So our global command center truly becomes a crisis management center for our company.

I think the other aspect of it, though, is that if you have a well structured program, your employees will respect that. One of the telling issues was that when 9/11 hit, we received a flood of messages from our workforce telling us how much they appreciated the types of controls we had in place. The whole philosophy behind an effective security program dealing with the protection of your personnel is to create an environment that they can come into and feel safe and comfortable, and allow them to focus all of their time and energy into creating value for the corporation. If they're worried about who's going to come through that door, or whether they're safe, they're not going to be focused on the next new product we're going to be sending out the door, the next new innovation we're trying to create. So that's where corporate security function can provide incredible value for the company.

SIW: Terrorist attacks continue to occur outside of Iraq and Afghanistan, and the attackers clearly do not confine themselves to targeting political officials and military personnel. With that in mind, what steps do you take to implement executive protection for company officials traveling abroad?

Mattice: I have a philosophy generally that executive protection in many cases is fairly significantly driven by the ego of the protectee. We take what I consider to be a very realistic approach to executive protection. It is a risk-based program that deals with who's going, where are they going, what are the circumstances they're going to be going into, and what are they going to be doing while they're there. For instance, if we have a senior executive that's going to be going into a high-risk environment, we take a very low-key approach to their arrival and departure and their movement while they're there. There isn't a broad range of people that have knowledge of where they're going or what they're going to be doing while they're in that place. We put on protective measures as necessary. Lots of times you see people driving around in big limos. We'll drive them around in a routine sedan that blends into the environment, or put them in a van. We'll do things that are atypical to normal executives, and if there's a need for a press event, we have them do that as they're exiting the country rather than entering it.

SIW: Does your security department use in-house staff, or do you outsource all or portions of your program?

Mattice: I outsource all of it. I am the only security person on staff at Boston Scientific. My direct staff here at headquarters is provided by a vendor. My resources around the world that I use are all provided by outside resources. And I do that specifically because it doesn't matter how good we think we are, none of us have that local contact and local knowledge that's necessary to be effective (at a remote site). That doesn't mean I won't send one of my local staff people overseas to deal with an issue that's evolving, but I do it with the help of local resources.

SIW: How do you control quality and performance with a completely outsourced staff?

Mattice: Just like you would anywhere else. We have performance objectives and standards that they have to meet, we have metrics that measure their performance, we do a balanced score card program on suppliers, we have project manager that we use to track the progress of each individual on each project. We have what I call my red-yellow-green reporting system, which tracks which issues as they're evolving and which ones are in critical mode.

SIW: Does your outsourced staff come with all the knowledge and skills necessary to do their job, or do you train for them yourself as well?

Mattice: I have no problem sending people out for training. The most important key is finding the right people. And I go out of my way to not look for security people, but to look for bright people that I can mold. That's not to say there aren't a lot of bright people in security, but I don't want to have to battle with the people on philosophy. I know what philosophies work in here, and from a strategic standpoint I know what we can do in this company. What I try to avoid is getting somebody who has a trenched approach to life because this is the way they've always done it in their security environment. I've found that by structuring the program in the manner I have, we're able to select very bright people, bring them in and train them to the methodologies and approaches that work for us rather than having to try to break habits. I'm trying to keep us heading towards the company goalpost, not the individual's goalpost.