Deciphering the IT Expert's Technical Knowledge
There are three broad categories into which an IT expert might fall—generalist, specialist, and practitioner—and one expert may fall in all three of these categories for different areas of expertise:
- Generalist. A generalist can be ideal to address a diverse and potentially ambiguous mix of technical issues. A generalist should be well versed in a broad spectrum of technology disciplines and have senior management and supervisory experience. A generalist's familiarity with management practices increases the likelihood that he or she has good communication skills and the ability to articulate complex subjects in a concise and clear manner. The generalist brings an awareness of the underlying technology governance, policies, processes, and procedures.
- Specialist. A specialist has a narrow and focused competence based on long immersion in a particular field; for example, specialist knowledge in ethical hacking practices, computer forensics, or data encryption algorithms.
- Practitioner. A practitioner has garnered deep "hands-on" knowledge of the necessary practices to conceive, design, deploy, and support technology solutions. These skills are firmly grounded in the practicalities, risks, and stability of implementing technology.
Of course, identifying the technical subject matter that is relevant for your case and matching that subject matter with a qualified expert is the first step in finding the right expert. It is vital that the expertise actually fit the facts of the case so that the opinions offered will be germane to the issues in dispute. For example, in some cases, platform-specific experience may be essential, such as the Java or C# programming languages, IBM's web and application servers, or SAS data-mining and analytic tools. In other cases, counsel may require an expert who can authoritatively speak to industry best practices, such as PMBOK (project management methodology), the ISO 27000 family of standards (information security), or ITIL (best practices in IT processes and procedures). In yet other cases, what will be required is training in assurance and audit, to attest to conformance with regulatory requirements or industry standards. Examples include the Sarbanes-Oxley Act (oversight of financial accounting and reporting), PCI (payment card technology controls and standards), the Health Insurance Portability and Accountability Act (security and privacy of health care data), and "Safe Harbor" (protection of personal information).
Don't overlook the importance of industry fit. In theory, IT experience should be readily transferable across industries. In reality, however, an expert with no industry experience may face a steep learning curve, and there is the risk that important issues may be lost in translation. Industry experience may also enhance credibility on the stand.
IT differs from many other areas of expert testimony in that education, certification, and licensure requirements are still poorly defined. Bill Gates, as is well known, never graduated from college, yet no one would challenge his qualifications as an expert based on his lack of a diploma. Many experts you may consider fall within a gray area, with certifications and diplomas of uncertain value and claims of experience that are impossible to verify. Even if the certifications touted by an expert sound like a confusing alphabet soup, these credentials are formal badges of credibility and industry recognition that may be given weight by the jury. Examples are project management professional (PMP) from the Project Management Institute, certified information systems security professional (CISSP) from the International Information Systems Security Certification Consortium, Inc., and certified information systems auditor (CISA) from the Information Systems Audit and Control Association (ISACA). Other accreditations are based on ISO standards, such as the ISO 27000 series for information security best practices. A highly regarded quality-focused accreditation is 6-Sigma, which promotes a prestigious "black belt" certification. Still other accreditations are aligned to a specific technology provider or product offering; for example, Cisco's certified voice professional (CCVP), Microsoft's certified solution developer (MCSD), and Oracle's database administrator certified master.
After narrowing the field of potential expert witnesses who have the requisite qualifications, the next step is to identify the expert with the intangible qualities that will make him or her most effective as a collaborator in case development and as a witness before the jury. Although the image of the computer geek or "propeller-head" might be endearing, it also captures issues that can undermine effective communication. The effective expert witness is a teacher and a team member. If these skills are missing, then it will be difficult to benefit from the expert's technical skills.
If your case budget permits, you should consider retaining an IT consulting expert to assist you in selecting the testifying expert and then developing the expert's testimony. The consulting expert should be entrusted with the big picture and the challenge of bridging the gap between the testifying expert's area of specialty and the story that needs to be presented at trial.
Keywords: litigation, expert witnesses, expertise, specialized knowledge, qualifications, generalist, specialist, practitioner
Nick Robinson is an accredited information technology advisory consultant and expert witness, specializing in the best practices of IT governance, risk, and compliance from a legal and regulatory context.