I have heard the term "Harvard stupid" used for the last several years, and loved it because it conveys so much meaning in a simple way. I never knew its origin until recently when I found out that it was traced back to one of my favorite Motley Fool writers, Bill Mann, who wrote about it in October 2008:
"Harvard stupid comes from thinking that you're smarter than everyone without recognizing that you still might not be smart enough to control the evil your creations threaten to unleash. The genius financial products that kept you eyes-deep in Cristal and vacation homes nearly caused the global financial system to seize up. Do you think that the titans from the University of Maine could bring the free market, the global economy to its knees? I sure don't, if for nothing else because they don't come from the right families."
The implications of this are vast, and we see example after example of the blowback of Harvard stupid ideas.
Even with the landmark events across the continent, the lead story in the WSJ today is not Greece or Europe, but rather a firm most people outside the financial world have probably never heard of, MF Global. Jon Corzine has the bluest of blue-chip resumes in the financial world. He was a highly successful trader, Chairman of Goldman Sachs, took them public, and then became Governor of New Jersey. He was beaten by Chris Christie, and MF Global recruited him to be its CEO. He was so highly regarded that when he became CEO of MF Global, investors lent the firm money at a lower rate as long as he remained CEO. That's not cachet and buzz, that's professional status.
Did I say that the lead story was on MF Global and not on Europe? Well, that's not quite accurate; there is a European slant. We've seen a number of times at SocGen and UBS when rogue traders cost firms billions, but what happens when the trader is the CEO and his trades threaten to take down the whole firm?
Mr. Corzine took the CEO job in March 2010 with a plan to turn MF Global into a mini-Goldman. Instead of just futures and commodities trading, which generate commissions from clients, MF Global would make bets with the firm's own money.
He set out on a five-year makeover, but it wasn't easy. Last year, stocks rose, but interest rates that MF Global relies on to profitably lend to clients stayed stubbornly low, hurting profits. "We have to take risks," he said in an interview.
Last year, Mr. Corzine immersed himself in the idea of making bets on European sovereign bonds. He asked colleagues what they thought of the financial situation in Europe, talked to MF Global's risk officers and board of directors, and then started putting on the trades in September, according to people familiar with the situation.
Mr. Corzine oversaw the European sovereign-debt trades largely on his own even after hiring a new trading chief earlier this year, a person familiar with the matter says. In one quarter where the trade worked well, it represented 12% of the firm's revenues, according to Christopher Allen, an analyst with Evercore Partners Inc. Mr. Corzine regularly reviewed the positions with the company's directors, and he was allowed by the board several times to increase MF Global's exposure to Europe, these people said.
...One person who has worked with Mr. Corzine at MF Global says he was uncomfortable that so much of the firm's strategy essentially boiled down to a bet by Mr. Corzine on European bonds. "There was no one else at the firm who was helping him think about what to do on this trade," this person says.
On Tuesday, MF Global said the positions added up to $6.3 billion as of Sept. 30. About two-thirds of the total is related to sovereign debt of Italy and Spain. In comparison, Morgan Stanley had roughly $4 billion in net exposure to debt issued by the same countries and nearly 50 times as much cash and liquidity as MF Global.
MF Global's exposure started drawing more attention as Europe's financial crisis deepened. In August, MF Global was told by one of its regulators, the Financial Industry Regulatory Authority, to move more capital to its U.S. brokerage unit because the European trades looked riskier, according to people familiar with the situation.
Last Tuesday, MF Global reported a fiscal second-quarter loss of $186.6 million that caused its stock price to plunge 48%.
Now Corzine was not some naif; he was an icon, but that was the main part of the problem. When people lower down the food chain at MF Global questioned the trades, Corzine replied from his deep experience: "Europe wouldn't let these countries go down." This is an object lesson: at the firm where he made his name, Goldman Sachs, no one would be allowed to take anywhere near that much risk unhedged. It's an old story; it happened at Long Term Capital Management ("When Genius Failed"), and it's happened in many places, but that's precisely why risk management and safety mechanisms exist.
Warren Buffett says that he would rather work with someone with a 130 IQ who thinks he has a 125 IQ than someone with a 160 IQ who thinks he has a 170 IQ, because "that second guy will kill you."
We have the "smartest guy in the room" problem in spades in IT. Developers and security people are the two leading practitioners of this unappealing trait; is it any wonder software security has been so screwed up for so long?
We have to apply our talents to inventing better safety mechanisms and risk management practices, not circumventing them.
The simple Security Triangle I use has three parts:
- Identity & Access Services: helping the good guys get their work/transactions done
- Defensive Services: keeping bad guys out, hedging your bets against unknown events
- Enablement: making it all work in the real world
No one of these services is "security"; it's the right mix of the three.
Access Control services deal with Identity and Access Management, and perform authentication, authorization, attribution, provisioning and other services. These are crucial enterprise security services, but they mainly relate to getting people who work for and do business with you the proper credentials, policies and tokens to do so. They do little to defend against malice; for that we need...
Defensive Services are services that deliver a Margin of Safety to the enterprise through attack surface reduction, monitoring, encryption and other methods.
The distinction between Identity and Access Management and Defensive Services is that the former can be found in functional flows and use cases, while the latter are conservative architectural elements and processes for that which is outside the spec.
They are both critical to security architecture, and they are both mainly sourced out of the information security team, but other than that they have very little in common with each other. In fact the staffing models, tools, skill sets required, and where and how to participate in the SDLC to deliver these two security service types could not be much more different.
There is a third concern, Enablement, which means optimizing and ideally driving down the cost and time to deliver security services across the enterprise.
Where this is all going is that Identity & Access services are optimistic, risk-seeking services. But you cannot skimp on Defensive Services, which hedge against ignorance. And last, the Enablement services (usability, integration) are critical to making it unappealing to circumvent the controls. Security services shouldn't be vulnerable to Harvard stupid; they should make it easy to do the right thing.
MF Global was leveraged 80 to 1! When Lehman went under they were leveraged 30 to 1. 80 to 1 leverage isn't stupid, it's Harvard stupid.