In Brief

How to Vet Security Outsourcing Providers

Lynn Mattice, director of corporate security and business intelligence for medical device maker Boston Scientific, does a lot of outsourcing.

By Todd Datz

October 01, 2004 | CSO — Lynn Mattice, director of corporate security and business intelligence for medical device maker Boston Scientific, does a lot of outsourcing. We talked to him about the security concerns that come with it, and how to do business without surrendering control.

CSO: How do you evaluate people or companies you're thinking of doing business with abroad?
Lynn Mattice: If we're going to look for a contract manufacturer or an organization to distribute our products, we start out with the basics: We do a full due diligence on the firm, what it's about, and we talk to companies that are doing business with them. We also do a review of the full set of 20 to 25 indices that are available to us to make sure we're not dealing with someone who's been put on a list of money laundering organizations or organizations that support terrorism. We also use the ASIS risk assessment guidelines.

If an organization gets through that first phase, we then start a more in-depth review. We start looking at things like how the organization is structured. If we're going to do outsourced manufacturing, what's the environment the facility is in? What are the potential natural or human-caused disasters? What's the supply chain like? What's the IT environment like? Do they do background checks on employees? How do they protect their own information? What's the network architecture like? We do risk assessments—ports, firewalls, system controls, backup protocols, disaster-recovery programs, network connections to other companies.

We also look at whether there are intellectual property protections in place in that country. Countries like India and Brazil, for example, have deplorable intellectual property law histories.

Where are some of your offshore locations?
We've got contract manufacturing in Mexico only. We have distributors in 25 to 30 countries. Every one of those goes through the kind of investigation [previously described]. Then we do various ongoing reviews and run them through the indices on a regular basis. You also have to do Sarbanes-Oxley 404 reviews to make sure you're in compliance. Things like money laundering indices, lists of organizations that support terrorism, names of people on those lists.

How do you communicate your findings?

Typically I'll send an e-mail and give [the person or company] a red, yellow or green light. If it's yellow, that means we're still checking on an issue, such as supply chain or a reputational issue. Or we'll get on a conference call—it depends on what the issue is and the criticality of the issue.
