The Littlest Security Pro

A teenaged computer prodigy in India becomes the youngest CISSP in the certification's twelve-year history

At a time when teenagers are more likely to be noted for cracking networks than defending them, a computer prodigy in South Bombay, India, shattered some stereotypes this month when he became the youngest person ever to be credentialed as a "Certified Information Systems Security Professional," or "CISSP," after acing the lengthy certification exam and clearing a special investigation triggered by his young age.

Namit Merchant was sixteen when he sat for the six-hour, 250-question CISSP test in Mumbai in November -- he turned seventeen later that month. While there's no official minimum age for obtaining the certification -- which is widely recognized in the industry -- aspirants are required to have at least three years of full-time professional computer security experience under their belt when they take the test.

Perhaps understandably, the CISSP test proctor became skeptical of Merchant's qualifications when the teenager checked in for the exam using his high school I.D. card. "He saw my birth date on there, and he asked me how old I was," says Merchant. "I told him I was sixteen, and that was why I didn't have a driver's license."

The proctor needn't have worried. The son of a software engineer, Merchant grew up with computers in the home, and took to them naturally. According to his resume, he landed his first IT job when he was 13, architecting security controls into payroll and accounting software for Bombay-based Compuware, then later went on to perform security work at several more Indian technology companies. Today he works for consulting firm Network Intelligence India, while finishing up his senior year in high school.

"Security is the most challenging part of computers," says Merchant. "That's why I got into it."

In December, the ethics board of the International Information Systems Security Certification Consortium -- the not-for-profit corporation that created the certification program in 1989 -- verified Merchant's three years of pubescent work experience, and granted him the CISSP credential. A frankly flabbergasted review board member told Merchant in an email that the investigation had been prompted by the organization's desire to "maintain the stature of the certification."

"I don't have the statistics handy, but I suspect the median age of CISSPs is over 30," wrote Bill Cambell in the email. "The certification was never conceived as something within reach of teenagers!"

"Obviously he's very extraordinary, and he seems to be very sincere about his interest in information security and going somewhere in the industry," says consortium spokesman Mike Kilroy. "We really congratulate him on his achievement."

In addition to the $450 test fee, the young security pro will now be responsible for annual dues, and is bound to the earnest CISSP code of ethics -- a kind of Ten Commandments of computer security work that includes such injunctions as "protect society," "act honestly" and "advance and protect the profession."

Merchant, who plans to attend a university when he graduates high school, will also have to renew his CISSP certification in three years, and retake the exam -- which he describes as challenging but "too theoretical." "There should be more practical knowledge," says Merchant. By then, he'll be nineteen years old, and may even have a driver's license to show at the door.

By Kevin Poulsen
