Technology

The Littlest Security Pro


At a time when teenagers are more likely to be noted for cracking networks

than defending them, a computer prodigy in South Bombay, India shattered

some stereotypes this month when he became the youngest person ever to be

credentialed as a "Certified Information Systems Security Professional", or

"CISSP," after acing the lengthy certification exam and clearing a special

investigation triggered by his young age.

Namit Merchant was sixteen when he sat for the six-hour, 250-question CISSP

test in Mumbai in November -- he turned seventeen later that month. While

there's no official minimum age for obtaining the certification -- which is

widely recognized in the industry -- aspirants are required to have at least

three years of full-time professional computer security experience under

their belt when they take the test.

Perhaps understandably, the CISSP test proctor became skeptical of

Merchant's qualifications when the teenager checked in for the exam using

his high school I.D. card. "He saw my birth date on there, and he asked me

how old I was," says Merchant. "I told him I was sixteen, and that was why

I didn't have a driver's license."

The proctor needn't have worried. The son of a software engineer, Mechant

grew up with computers in the home, and took to them naturally. According to

his resume, he landed his first IT job when he was 13, architecting security

controls into payroll and accounting software for Bombay-based Compuware,

then later went on to perform security work at several more Indian

technology companies. Today he works for consulting firm Network

Intelligence India, while finishing up his senior year in high school.

"Security is the most challenging part of computers," says Merchant. "That's

why I got into it."

In December, the ethics board of the International Information Systems

Security Certification Consortium -- the not-for-profit corporation that

created the certification program in 1989 -- verified Merchant's three years

of pubescent work experience, and granted him the CISSP credential. A

frankly flabbergasted review board member told Merchant in an email that the

investigation had been prompted by the organization's desire to "maintain

the stature of the certification."

"I don't have the statistics handy, but I suspect the median age of CISSPs

is over 30," wrote Bill Cambell in the email. "The certification was never

conceived as something within reach of teenagers!"

"Obviously he's very extraordinary, and he seems to be very sincere about

his interest in information security and going somewhere in the industry,"

says consortium spokesman Mike Kilroy. "We really congratulate him on his

achievement."

In addition to the $450 test fee, the young security pro will now be

responsible for annual dues, and is bound to the earnest CISSP code of

ethics -- a kind of Ten Commandments of computer security work that includes

such injunctions as "protect society," "act honestly" and "advance and

protect the profession."

Merchant, who plans to attend a university when he graduates high school,

will also have to renew his CISSP certification in three years, and retake

the exam -- which he describes as challenging but "too theoretical." "There

should be more practical knowledge," says Merchant. By then, he'll be

nineteen years old, and may even have a driver's license to show at the

door. By Kevin Poulsen


The Good Business Issue
LIMITED-TIME OFFER SUBSCRIBE NOW

Sponsored Links

Buy a link now!

 
blog comments powered by Disqus