Ep. 130: Keith Terreri - The Intersection of a CFO & CIO

Keith Terreri, Chief Financial Officer and SVP of Corporate Operations & IT at NECAM, joins Count Me In to talk about the intersection of the CFO and CIO roles. Keith is a highly motivated, personable, and versatile financial executive with over 30 years of finance experience. Keith has spent a significant amount of time in his years at NEC reducing the cost structure at NECAM where over $25 million in RHQ costs have been reduced. His current responsibilities include Accounting, FP&A, SCM, Corporate Operations and IT. In this episode, he talks about what the convergence of these various responsibilities looks like on a daily basis and how the functions blend so well together. Regardless of the size of the business, Keith believes finance and technology serve as the foundation for control, risk mitigation, and cybersecurity for any organization, so download and listen now!

Adam: (00:05)
Welcome to episode 130 of Count Me In, IMA's podcast about all things affecting the accounting and finance world. This is your host, Adam Larson and today I'm pleased to introduce our featured guest speaker, Keith Terreri. Keith is the Chief Financial Officer and Senior Vice President of corporate operations, and IT for NEC Corporation of America. In his double role of CFO and CIO, he has developed a wealth of skill and knowledge necessary for effectively overseeing and managing accounting, FP&A, supply chain management, corporate operations and IT. In this episode, Keith describes the convergence of these two pivotal roles and explains the value each team brings to the business regardless of the organizational size. Let's head over the conversation to learn more.

Mitch: (00:57)
So our listeners are well aware of the changing role of the CFO. It's something we talk about all the time, you know, the need for a strategic foresight decision-making business partnering is something that's very popular. A lot of this is due to the evolution of technology, but you have a unique role. You have a double role of CFO and CIO at NEC. So what does this convergence of the two roles really look like to you on a daily basis?

Keith: (01:22)
Thanks, Mitchell. That's actually a great question because it's certainly different than when I was just CFO. The convergence of these two roles, it's actually been a very eyeopening experience to say the least. So the convergence has come with some great synergies, and also a significant amount of risk management. From a synergy perspective, obviously our back-office functions of OTC, which is order to cash, PTP, which is procure to pay and record to report, or RTR have been greatly enhanced, right? So finance corporate operations, and IT are all one team now and communicating regularly. The interaction in visibility for both groups has been fantastic as one team and under this scenario, we work on a daily basis to make sure not only our ERP is running smoothly, but also our network and data is secure. For a risk management perspective, obviously cybersecurity has become a major part of all IT team's responsibilities over the last several years and now it's a part of daily operations for companies. However, in this dual role it's been becoming increasingly clear to me that cyber security is everybody's responsibility, not just the IT department. As everybody knows, ransomware attacks are very prevalent right now making cybersecurity the utmost importance on a daily basis. So we constantly monitor our network for security purposes and many companies are moving towards a zero trust approach from a cyber security information perspective and so that is also part of our daily discussion. Customers are also getting much more stringent, you know, on their contract requirements, requiring information security clauses in the contracts with us, so that we have to be very cognizant of that as well. So now we are very involved as we continue to make contracts with our customers. So, I mean, all in all it makes for quite a different daily routine than just finance.

Mitch: (03:32)
Well, as far as finance goes, you know, I know much of your career prior to this role, prior to taking on CIO also was specifically in the finance function. So talk a little bit about how those experiences and those skills helped you prepare for the responsibilities you just discussed and what you've taken on involving IT.

Keith: (03:51)
That's another great question, Mitchell, thanks. I mean, primarily, it was really my training in risk management that has helped me the most. Always concerning myself with the downside of either operational or finance issues has been very helpful throughout my career and now with that, the added responsibility for IT, thinking about the downside, or any type of issues from an IT perspective, has really been a good mix for me. Also having had experience in cyber liability insurance probably since it started, or when it was first offered, I've almost kind of grown up with that. So as a CFO, financial risk management is very important and frankly cyber risk has become, definitely become a financial risk to everybody these days based on all of the cyber activity that's out there in the world. I mean don't forget, I mean risk management is not only for services you provide to your customers, but also for your own network and your data. So you've got two things you have to look at from a risk management perspective and we do this frankly, on a regular basis. So when you think about all the, you know, traditional finance experience, most of the times the CFOs are responsible for risk management insurance. I think that the cyber liability insurance, which is changing rapidly as we've seen in the last month or so is very important for both the CFO and the IT guys to understand completely. I particularly, if you have a chief information security officer, that employee needs to be very familiar with how the policy works, if you should ever have a claim.

Mitch: (05:34)
Now, oftentimes because of the risk management perspective, you were just talking about how that falls on the CFO's shoulders. They're usually responsible for forging a relationship with the CIO because of the cyber security, cyber liability, things like that and the joint relationship is responsible for handing the priorities of finance and IT individually. We spoke a little bit your role prior to this call and, you know, you serve both. So how do you really communicate the needs and further support the relationships of two different teams as one person?

Keith: (06:08)
So this was definitely something I wanted to focus on when I took over IT three years ago. And I really think, you know, as a CFO and being able to look holistically at the financial statements and also preparing our annual budgets and forecasts, it becomes slightly easier to allocate resources for cybersecurity and for IT initiatives. There's no longer in my mind, right? In the way we have things set up a competition for funds or resources between finance corporate operations and IT. So it really makes for a more collaborative approach on resources so that when we prepare our annual budgets, we go together as a team and we've already kind of vetted out, you know, the priority of funds and funding for resources. The entire team discusses and ranks the needs so that we're all in sync. You know, one of those slogans I adopted early on with the finance team was “we're all IT now”, and that has really helped kind of change the mentality and increase the collaboration between the two groups. I mean, under this type of scenario, there's no longer any finger pointing and everybody accepts accountability. You know, in a traditional scenario where you have the two teams separated, in a traditional scenario, there separation of these two teams can create friction, which is not necessary in today's ultra fast paced business world. The entire leadership team of finance and IT, and corporate operations meets once or twice a week. They think that's an update from my perspective, but really it's for them to interact and update each other so that we're all on the same page and so no one person can say, “I didn't know IT was doing this”, or “I wasn't aware of finance wanted to do that”. And this communication has brought foresight and respect, into the team's relationships and I think once you have that, if you didn't have it previously, it's almost like a revelation and I've been really proud of the team's efforts to collaborate together. So for us, it's really worked beneficially and having both of these groups together and we're definitely one team all in sync.

Mitch: (08:25)
So I just have a quick follow up on that and two parts, the first one might be a bit of a layup, but the, you know, what I'm interested in is you have these two different teams collaborating and working together, prioritizing, do they have different needs? And, you know, you talked a little bit about that competitive nature in the beginning. What kind of, you know, different communication styles do the different teams need to adjust to for each other?

Keith: (08:50)
Well I think from a communication style perspective, I think everybody on the senior leadership team, they're senior leaders, right? So they're typically a director, senior director or vice president, and they've, you know, been in their current roles either with us or other companies for a long enough time to understand and respect, you know, other divisions and other departments and I think that once you have the right bunch of people together and everybody's communicating, and there's an awareness, right. So if you have different needs and different requirements, you know, you have to provide a forum for them to explain that. So like, IT may be very focused on cybersecurity when we're putting the budget together and we may need to allocate some money there, but cut some other costs in other areas where we may want to hire a consultant or something like that and it's a trade-off. So we talk about that and you have to, you have to risk review everything and figure out what's the riskiest from a financial perspective and allocate the dollars that way. I think from the finance team's perspective, they are often financial reporting and the ERP system, and really focused on providing services to their customers, their internal customers, which are the business units, you know, being in a traditional shared services group. So I think that the IT group is focused on things from the outside and the finance group is focused on things internally and as long as you have good communication between the two, it can really be a true synergy to have the two together.

Mitch: (10:32)
Now, again, just to recap real quick, we're talking about the convergence of finance and IT, the role of the CFO and CIO. I think it's fair to assume the underlying need or demand for this relationship to really work, either simultaneously or independently is control, right? And we talk a lot about internal control, you talked a little bit about risk management from the finance side, cybersecurity and cyber control from the IT side. Both of these teams need relevant, reliable data, right? That's really what it comes down to. So with your dual role, you mentioned earlier, you know, who's responsible for cybersecurity and it's really everybody, but from your hands-on experience in both functions, what can businesses do to enhance their control, enhance their cyber security and ensure that the finance and IT departments are effective in doing their jobs?

Keith: (11:24)
Yeah, it's another great question Mitchell and maybe I have a new answer for you. I mean, basically everyone is responsible for controls and cybersecurity. That's one of the things that we've really been trying to promote, you know, over the last several years, particularly as cybersecurity has become much more of a risk on a daily basis, so that it's everybody's responsibility, not only cyber security concern from the outside and using good business judgment on things you do with your laptops, et cetera, and access and passwords, but also internally and how we provide services to our customers, if they're web based or if you're using AWS or anything like that, making sure that we're following all the policies. On the organizational chart, you know, I'm responsible for control and cybersecurity, but, without the help of all of our employees to use good business judgment, it's really an impossible task, right? You've got to use good business judgment in your daily business as an employee. Internal controls are also the responsibility of everyone all the way down to the transactional level. You know, following delegation of authority, those types of things. A lot of times, cybersecurity it's just common sense, regarding access and such things as you know, multi-factor authentication. All businesses, you know, need to make sure there's sufficient awareness regarding cybersecurity and also the company's information security policies. So continued corporate communication or IT communication however that company does it, about new cyber attack mechanisms is very important. You know, it’s really just about awareness, awareness, awareness, and good business judgment and when we do our quarterly town halls, my last slide is always about using good business judgment and making sure we're protecting our business at the end of the day. I mean, for companies with both the CFO and CIO roles separately, I would suggest a new level of communication, where in the leadership of both departments communicate on a regular basis so everyone knows what everyone is doing, not just as a regards to Oracle or SAP or whatever ERP that you use, which is your traditional interaction. Networking, cybersecurity, and those types of things are very important on the finance and corporate operations side so that people can use better judgment once they're more informed. When changes need to be made, make sure both groups are involved and buy into the change management approach so that they can then be change agents for the rest of the company. For the companies that do not have a specific CISO role or chief information security officer role, I would suggest outsourcing this type of activity. Data classification and those types of things are very important if you should ever have a cyber event and there's a ton of third parties out there that can help you do everything from penetration testing, you know, helping to develop your incidence response plan, if you should ever have an event and often, for companies this is a more economical route to take, because I think I heard a statistic the other day, there's about 4 million open cybersecurity positions across the US and the positions are very expensive to hire, you know, from the outside. So usually bringing in a consultant or a firm to help you with this is awesome. You know, a more economical route to take. I mean, lastly, make sure both senior team leaders understand the cyber risk insurance policy and how it works and don't forget to include the legal folks as well, because if you have an event, all three groups need to be involved and if you have an incidence response plan, obviously you've already worked through all this, but these are very important things that, you know, from a communication perspective between the CFO and the CIO.

Mitch: (15:17)
Well, those are great steps to follow and thank you for putting that together. I want to take it one step further as we close out the conversation, because I know you did just mention some companies may not have all of these different roles at their disposal, you know, internally. So we want to be sure we provide direction for some of the smaller companies too, our listeners who work at smaller companies. How does today's conversation really apply to them? You know, what can your responsibilities or your experience, you know, the convergence of the CFO and CIO, how can that be broken down so it's more relatable to individuals who might not have this kind of exposure?

Keith: (15:51)
Yeah, I think that's another great question, because really most likely as smaller companies, maybe you don't even have a CFO, you just got a finance director, they may already have partial or complete responsibility for the IT aspects of the business. I really think today's conversation has just as much relevance to smaller companies because there's still reputational risk to your company if there's a data breach or cyber event, and this can be devastating for your business, for your owners, you know, or if you're venture capital owned or PE owned, or just personally owned by somebody can be devastating. And there's really, there's no way to hide from cyber risky today's world. Many of the biggest companies with significant IT and cyber resources, you know, continue to get attacked and you read about in the paper almost every week, right? So what I've tried to do here is break it down into some steps, whether you're a CFO, a CIO, or a CEO, president of a company, there's four steps I would recommend. First of all, step number one, identify the risk, right? Ask yourself if my network were hacked and data stolen, or my e-commerce webpage got ransomwared, how would it affect my business? If this is a material effect on your business, then you've got to continue to go to these next steps, right? So identifying that risk, number two, step number two, define how much of that risk you're willing to retain and then get cyber insurance for the remainder of that. In any company, any size can get that type of insurance so I would highly recommend that unless you think you can retain the entire risk. Third step would be to hire an outside cybersecurity firm to help enhance whatever internal resources you have, whether it's one person, a half a person or 10 people to be vigilant with your network and your data. And four, I mentioned this earlier, but practice constant awareness with your employees, whether you have 10 employees or a thousand or a hundred thousand, the concept is still the same. Get everybody on board, using good business judgment and these are really, these four steps I think are relevant for any size company, large or small, it can really help you get your hands around what you need to do from a cybersecurity perspective.

Closing: (18:19)
This has been Count Me In, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.

©Copyright 2021 Institute of Management Accountants. All rights reserved.