Digital Forensics practitioners work with a lot of organizations – big, small and everything in between. Over the nearly two decades that I have been involved in the industry, I’ve seen one mistake that organizations make over and over when choosing who to use. I don’t blame the organization—at least not directly. It’s not like they’ve set out to deliberately make a poor decision. In fact, it’s not even that there’s a right and a wrong answer – instead, it comes down to the fit for your particular situation. The mistake that I continually see is not understanding the difference between a vendor and an Expert and which is the best choice for you, your organization and the specific issue at-hand.
I can see the organization’s philosophy within seconds of having a conversation. Sometimes it goes like “we’ve got a case and we want to know what your rates are – can you just send us a rate-card so we can compare”. In other situations we may get directed to “contact Janet, she’s the one that handles vendors” or maybe it’s the rare situation where the individual calls and asks for some very specific services – “we need your best price for running 40 keywords over 2 laptops as quickly as possible.” As we start delving deeper, we realize that this is an Intellectual Property Theft matter and solving that issue with mere keywords is much less effective than being able to analyze the artifacts that a true digital forensics expert will undertake.
You see, there are two types of Digital Forensic practitioners in the world. There are those that behave like a vendor and then there are those of us that see our role in the world as much more than just a vendor. And while the use of a vendor in this context may come across as a negative, that truly is not my intent – again, certain situations call precisely for that. However, the title of this entry is What to Expect When Working with a Digital Forensics Expert ; so that’s what we’re going to look at. (Full disclosure: Vestige has always defined itself as an Expert.)
The Case for an Expert over Vendor
In our experience, a lot of digital forensic companies, cybersecurity organizations and ESI-providers act as vendors. They oftentimes are order-takers, simply delivering whatever it is that the client asks for. They perform this work for a price and because it’s relatively difficult to differentiate between vendors, this work is often differentiated on the one thing that they have left – price. By all means, if your particular situation is straight-forward, you know (or at least think you know) exactly what it is that you need, then the lowest-cost provider may be exactly what is needed.
On the other hand, if you have an idea of what it is that you’re after, but not exactly sure how to get there or what the best approach is, perhaps you’re seeking more of a solution rather than simply performing tasks. When this is the situation, I would contend you need an Expert. Digital forensics experts, by their very nature, do not view themselves simply as order-takers. In fact, Experts’ competitive advantages fall in their ability to solve problems and to be a resource for their clientele. To a consummate Expert, everything they do is focused like a laser-guided missile on one problem and one problem only – solving the client’s issue in the “best” manner.
But what’s “best”? In fact, there are many ways to express something being the “best”. Perhaps it’s the best price, or the most accurate report, fastest turnaround, involves the most people, is the most confidential – the list goes on. Ah, but the true professional…the Expert, will determine that exact point in collaboration with the client. You see, for one particular client in one specific matter the best solution may be getting results within two days. Whereas that same client, in a different matter, may need the most comprehensive investigation. The true digital forensics expert not only artfully determines this, but collaborates to get to the best solution for this particular client and matter, while being flexible and confident to deliver.
But here’s a word of caution. It’s not about just doing whatever it is that the client wants. Quite the contrary. The true Expert recognizes that his or her client comes to them precisely because the client wants the guidance and advice that the Expert can provide.
So What Do you Get with an Expert?
First and foremost, you should expect the Expert that you’re working with to listen to the facts in the matter and ask about the constraints in the matter – what budgetary constraints are there, what about timing, what else? Those are critical pieces of information that must be weighed.
Multiple Vantage Points
Upon understanding the needs and constraints, a digital forensics expert will be able to provide you with multiple options and help guide you to choosing the optimal option for your situation. The Expert brings into the mix all of the knowledge gained from previous education, training, matters that have been worked and more. It is this rich experience that makes the Expert truly an advisor.
Walking Away when it Doesn’t Make Sense
A true Expert will be the first to step in and tell you that something can’t be done or isn’t going to be as fruitful as you hoped. An Expert should be able to provide you with some level of confidence – think percentages – with the requests and options. Don’t be afraid to ask your Expert the likely success rates of going down one path versus another. They may not be exact, but it is rare that they wouldn’t be able to give you a sense of their confidence in the various options. A digital forensics expert will also tell it like it is and be willing to walk away if it doesn’t make sense. An Expert isn’t going to blindly go along with the client just to “appease” the client – for the Expert knows that when this simple rule is violated everyone walks away unhappy – the client is unhappy because they don’t get the result they were hoping for and the Expert walks away unhappy because they couldn’t deliver on it, they probably sunk a lot of additional time and resources in chasing that path, etc. It’s just a lose-lose situation. Ask your Expert for examples of times when they’ve walked away from business—I guarantee it will be enlightening.
Long-Term Client versus Short-Term Win
An Expert knows that great work performed today will translate into a long-term satisfied client. This fact, in and of itself, should drive the Expert in his or her short-term decisions. Talk to the Expert you are considering and understand how often they work with the same clients and referral sources. Find out where their business comes from – do they “purchase” matters (think “advertising”) or does their work speak for itself – resulting in word-of-mouth referral business? Closely related to the previous topic, find out what decisions they have made in a matter or a client relationship that wasn’t likely the best short-term decision for them, but fostered a long-term relationship between themselves and their clients.
Doesn’t Take a One-Size-Fits-All Approach
Too often, vendors are relegated to the tools they have at their disposal. And when the only tool they have is a hammer, suddenly, everything looks like a nail. You’ve seen that…you’ve dealt with vendors that flat-out have to work a matter in a specific way, can’t handle some component of it, or in general try to circumnavigate the issue to get their solution to fit. An Expert starts by understanding the problem and putting together a customized solution, drawing from their experience, education, training, skillset and a wide range of tools. Ask the organization you’re considering how their solution is able to accommodate the unusual and non-mainstream issues that might arise.
Consultative in Nature
Sure, an Expert values their time…but you’ll rarely find an Expert bird-eyeing the clock to make sure that every minute you’re talking with her or him, that you’re being billed for it. Quite the contrary. Most digital forensics experts freely give their time, expertise and provide guidance pro bono (to a reasonable degree). Watch out for organizations that are not willing to spend a reasonable amount of time up-front on understanding the issue at-hand and to not only consider how they can assist, but more importantly articulate exactly what they can and cannot do.
Focused on Total Cost vs Lowest Dollar
It’s ironic, oftentimes an Expert’s “rate” may appear on the surface to be higher than another provider (vendor). This must be examined closely, for oftentimes the knowledge, experience, tools, processes, procedures and approach that an Expert takes can significantly affect the total cost. It is often the digital forensics expert that approaches the task much smarter and as a result the end investment is less than competing alternatives. Remember – “if you think hiring an Expert is expensive…wait until you’ve hired an Amateur”
While I’m sure there are other benefits that I have missed, the purpose of this article is to provide you with some food-for-thought as to the differences between vendors and Experts, to let you know that there’s a time and a place for both – and that you need to consider the overall objectives when considering which path to choose, as there’s no right or wrong answer – just a difference in comfort. Finally, I wanted to provide some specific questions and considerations for you to use when evaluating your provider. If your matter calls for a digital forensics expert, Vestige would love to be in the list of organizations you consider. Feel free to give us a call (pro bono, of course) to discuss your matter. We’ll objectively help you assess your matter and provide options as to what can and can’t be done, provide you with pricing and answer any questions that you may have.
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations
For more information CONTACT US.