Yesterday I read this article on CSO Online entitled "7 Ways Security Pros DON'T Practice What They Preach." I knew by the title that I was going to have issues. Information security is about the confidentiality, integrity and availability of data, NOT job titles. This is like pointing out oncologists who smoke or law enforcement officers who get speeding tickets. People are people, not job titles. When I read through the "7 ways" I didn't see anything that didn't apply to everyone else. The article read as if someone who is a security professional is different from any other employee who has had security awareness training.
Also, when discussing security, you need to remember that nothing is 100%, so we have to pick our battles. My favorite was the hit on URL shortening services. These services are very popular with the Twitter crowd due to the limited number of characters allowed. They seem to think that clicking on a hyperlink that says "tinyurl.com/83jd9" is less safe than clicking on a hyperlink that says <a href="evilurl.example.com">Free Windows 7</a>.
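The point above is that the rendered link text is not evidence of where a link goes: a shortened URL at least announces that there is a redirect behind it, while "Free Windows 7" tells the reader nothing about evilurl.example.com at all. The following is an added example, not code from the original post, of the kind of check a mail gateway or awareness tool can run over HTML to surface what the reader cannot see: anchors whose visible text names one host while the href points at another, and anchors whose href is a shortener (so the real destination is hidden behind a redirect). The sample HTML, the shortener host list and the helper names (`assess_links`, `host_of`, `looks_like_url`) are all constructed for this illustration.

```python
"""Added example (not from the original post): inspect the anchors in a
snippet of HTML and report what the rendered link text hides:
(1) visible text that is itself a URL/domain but does not match the href host,
(2) an href that points at a URL-shortening service, so the destination is
    only known after following a redirect.
The sample HTML, shortener list and helper names are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of shortener hosts; a real deployment maintains its own.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co"}


def host_of(url):
    """Return the lowercase host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """Heuristic: does the visible link text itself resemble a URL or domain?"""
    t = text.strip().lower()
    return "://" in t or t.startswith("www.") or (
        "." in t and " " not in t and not t.endswith("."))


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> belongs to the link.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_links(html):
    """Return a list of (href, text, findings) for every anchor in html."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.anchors:
        findings = []
        href_host = host_of(href)
        if href_host in SHORTENER_HOSTS:
            findings.append("shortener: destination hidden behind a redirect")
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append("mismatch: visible text names a different host")
        results.append((href, text, findings))
    return results


# Constructed sample: the post's two cases plus a lookalike and a clean link.
SAMPLE_HTML = """
<p>Check this out: <a href="http://tinyurl.com/83jd9">tinyurl.com/83jd9</a></p>
<p><a href="http://evilurl.example.com/win7">Free Windows 7</a></p>
<p><a href="http://evilurl.example.com/">https://www.microsoft.com/</a></p>
<p><a href="https://example.org/docs">example.org/docs</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in assess_links(SAMPLE_HTML):
        status = "; ".join(findings) if findings else "no finding"
        print(f"{text!r:32} -> {href}: {status}")
```

Running it shows the asymmetry the post describes: the tinyurl link is flagged as a shortener (you know there is a redirect to expand before trusting it), the third anchor is flagged because its visible text names a different host, and "Free Windows 7" produces no finding at all, even though it is the one that points straight at evilurl.example.com. Display text alone is not a safety signal; the href and, for shorteners, the expanded destination are what a tool or a trained user needs to look at.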
The issue that I've written about several times has to do with educating everyone, "Security Pros" and "Joe/Jane User" alike. It is also about knowing what data we need to protect and how to protect it. Maybe the person clicking on the TinyURL link is running a browser in a sandbox on a hardened host. Odds are that even a malicious link won't cause any harm.
Complicated fads and false promises are not the solution. I think we have all learned that security professionals are human and creatures of convenience like the rest of us. As it's been said time and time again, security that is anything but simple and transparent isn't going to work. If you want us to encrypt our storage devices, then you'll need to make it work like the unencrypted storage devices we have today. If you want us to use strong authentication, it will need to be easier than the passwords we use today.
The bottom line is that, like everything else, security should make our lives easier, not harder. We shouldn't need two sets of standards, one for security professionals and one for non-security professionals. Security should be "built in," an effect, not a cause.
