At a time when teenagers are more likely to be noted for cracking networks
than defending them, a computer prodigy in South Bombay, India shattered
some stereotypes this month when he became the youngest person ever to be
credentialed as a "Certified Information Systems Security Professional", or
"CISSP," after acing the lengthy certification exam and clearing a special
investigation triggered by his young age.

Namit Merchant was sixteen when he sat for the six-hour, 250-question CISSP
test in Mumbai in November -- he turned seventeen later that month. While
there's no official minimum age for obtaining the certification -- which is
widely recognized in the industry -- aspirants are required to have at least
three years of full-time professional computer security experience under
their belt when they take the test.

Perhaps understandably, the CISSP test proctor became skeptical of
Merchant's qualifications when the teenager checked in for the exam using
his high school I.D. card. "He saw my birth date on there, and he asked me
how old I was," says Merchant. "I told him I was sixteen, and that was why
I didn't have a driver's license."

The proctor needn't have worried. The son of a software engineer, Merchant
grew up with computers in the home, and took to them naturally. According to
his resume, he landed his first IT job when he was 13, architecting security
controls into payroll and accounting software for Bombay-based Compuware,
then later went on to perform security work at several more Indian
technology companies. Today he works for consulting firm Network
Intelligence India, while finishing up his senior year in high school.

"Security is the most challenging part of computers," says Merchant. "That's
why I got into it."

In December, the ethics board of the International Information Systems
Security Certification Consortium -- the not-for-profit corporation that
created the certification program in 1989 -- verified Merchant's three years
of pubescent work experience, and granted him the CISSP credential. A
frankly flabbergasted review board member told Merchant in an email that the
investigation had been prompted by the organization's desire to "maintain
the stature of the certification."

"I don't have the statistics handy, but I suspect the median age of CISSPs
is over 30," wrote Bill Cambell in the email. "The certification was never
conceived as something within reach of teenagers!"

"Obviously he's very extraordinary, and he seems to be very sincere about
his interest in information security and going somewhere in the industry,"
says consortium spokesman Mike Kilroy. "We really congratulate him on his

In addition to the $450 test fee, the young security pro will now be
responsible for annual dues, and is bound to the earnest CISSP code of
ethics -- a kind of Ten Commandments of computer security work that includes
such injunctions as "protect society," "act honestly" and "advance and
protect the profession."

Merchant, who plans to attend a university when he graduates high school,
will also have to renew his CISSP certification in three years, and retake
the exam -- which he describes as challenging but "too theoretical." "There
should be more practical knowledge," says Merchant. By then, he'll be
nineteen years old, and may even have a driver's license to show at the
door.

By Kevin Poulsen