Executive Interview Series: Bill Newhouse

We’re excited to add Bill Newhouse to our roster of executive interviews. His lengthy career in the public sector has spanned more than 38 years and a number of high-profile agencies, including the National Security Agency (NSA) and the Office of the Secretary of Defense. 

Bill is an active member of the cybersecurity community as a speaker, educator, and engineer. In his current role at the National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE), he works with public and private sector organizations to develop new standards and practical guidance to improve cybersecurity everywhere.

His work has also included spearheading the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which sheds light on the complex nature of cybersecurity as a professional discipline and helps organizations better structure their roles and train incoming talent. 

Our Executive Interview Series has included other excellent guests, including: 

We hope you enjoy this conversation and that it provides some useful insights as your bank navigates the technical landscape that is cybersecurity.

Background and Professional Experience

Q: How did you get into the cybersecurity industry?

I studied at Georgia Tech, a school that had a strong cooperative education program, which is where you work a quarter, you go to school a quarter, then you go back to the employer that you're co-oping with.

Ultimately, I chose to co-op with the National Security Agency (NSA) and they dutifully ran me through the clearance process. So my federal career started while I was in college, which means I hit my 38 years in December ‘24.

I got my start in cybersecurity at the NSA, which cared about data. I ended up in a telecommunications project for a while there and got a strong understanding of "from DC to light," as we used to say: moving things around telephone modems, satellites, and fiber optics.

I graduated as an electrical engineer and went into roles where I designed, tested, and modeled networks. From there, I went to field assignments that NSA has around the world.

At that time NSA had a research office that was called the National Information Assurance Research Lab, which was a precursor to the word “cybersecurity”.

I did information assurance work and then they started calling it cybersecurity. And through that role, I coordinated research, and then the government had a couple initiatives to coordinate more and to communicate across agencies. Through those roles, I met NIST people, which is part of the U.S. Department of Commerce.

Q: Tell us about your current role.

I’ve always wanted to know how everything works. People gave me opportunities at NSA for 23 years to understand how a lot of stuff worked, and to help people understand what we were doing and building.

NSA protects data for the national security systems, and they’re the policy people for that. NIST are the policy people for protecting data in non-national security systems, so we don’t mark data as confidential or top secret.

At NIST, we recognize that there is sensitive PII and other data that is vital and needs to be protected. My work has moved into the cryptography space of late, and NIST is the standard body for cryptography for the non-national security part of government. 

A Walk on the Data Breach

Q: Have you ever had your personally identifiable information compromised?

Around 15 years ago there was a data breach at the Office of Personnel Management (OPM) that included all my data.

This breach also included lots of data from people I know that was vacuumed out of the system.

Q: What’s NIST’s response in a breach like that?

There’s a complexity challenge and NIST has been involved in the foundation to say, “Hey, here’s an aspect of security that you should follow.” But implementing that is hard. That’s why failures and breaches happen.

Every time there’s a breach, somebody’s trying to figure out why it happened and then make sure that never happens again. Often, preventing a future breach means doing something that we never did before.

For example, requiring multi-factor authentication for every user, so that you don’t reuse accounts or passwords. 

We’ve asked IT vendors to stop leaving the default password as admin and password. If somebody just throws a device onto your network, it’s not open the way it was. Vendors have followed these kinds of concepts.

Then there’s also the other angle of usability and social engineering on this stuff: Did it happen because of the technology or did it happen because somebody was tricked into enabling access? Often the latter.

At NIST we do everything with an open, transparent process, invite people into the meetings and workshops, and then draft papers and invite comments: We need that industry expertise. 

For example, what the financial services sector experiences is valuable for us. If our guidance is far off from what they need, then it may not suit anybody else, including the federal government. So we can all learn together and we believe we’re creating that model of trust and transparency.

Q: How do NIST’s standardization policies work?

When NIST standardizes an algorithm, it triggers industry adoption via international standard bodies.

The cryptographic foundation is one example of a standard at work. For instance, Transport Layer Security (TLS) is something everybody experiences without knowing they're experiencing it, because when they're browsing the web, that little lock symbol shows that your traffic is going via the TLS protocol back and forth between a host (your computer) and a server (the website).

When we develop standards we put them in front of enough experts to see if it holds up as a strong mathematical property that can’t be broken or exploited. But there are a lot of other things that go into that process to validate the algorithms.

The federal government must do things because we write the policy and then the Office of Management and Budget (OMB) says “Thou shalt.”

Voluntary adoption of NIST standards is a common bar. The processes that we run are open and transparent.

Public and Private Cooperation on Standards 

Q: How does NIST engage with the banking sector?

I work at the NIST National Cybersecurity Center of Excellence, which is an applied cybersecurity center. Since we started about a decade ago, we’ve been trying to build demonstrations and asking vendors to join so we can show some things about cybersecurity.

We’ve always had somebody here who’s been designated as the financial services sector lead—right now, that’s me. My responsibility is to communicate with this community.

Every time we meet somebody, we ask to include them in our community of interest, which is primarily in the U.S. and North America. One of my projects includes migration to post-quantum cryptography, and it’s international. So ultimately I try to connect with anybody in the financial services sector.

We also work with the Department of Homeland Security Science and Technology Directorate (S&T) and the Financial Services Sector Coordinating Council (FSSCC) R&D Committee on digital identities.

What can we do together to research and help make it easier to know your customer is a legitimate human being? The idea of a national ID card was tricky politically, but we have state ID cards. And the financial services sector has to leverage that information. 

Q: Are there trade-offs to closer cooperation and standardization?

If you use a technology provider that gets exploited at some foundational level, that’s bad because everybody is affected in your organization.

Then you aim for vendor diversity, but how do you judge the quality of what they do?

If they’re using standards, at least you have the ability to say, “What standards are you implementing? Show me.” If you’re using standards, then we can communicate.

But if somebody bakes their own security architecture that relies on a magic technique, how can the big standards bodies (like IETF, ETSI, IEEE, or ANSI) communicate that the method is something that everybody could do consistently? And if they can't, then you're hedging your bets in unmeasurable land.

If you stay on the standards side of things, you at least have some ability to talk about interoperability and measure that.

Here at the NCCoE, we took on a zero-trust architecture project focused on authentication, credentials, and access management. And we demonstrated interoperability among a bunch of vendors. 

Large government agencies or large banks have a different model than local states or a small business. Not all can afford vendor diversity, and will want to buy from one cloud provider. 

If you’re using standardized things, you’ll benefit from all the ways that standardization allows you to interconnect and interoperate.

Cybersecurity Education for Everyday People

Q: What can you say about the gap between the sophistication of the technology and the technical proficiency of the average user?

We have a usability group here at NIST, and they’ve opened up a forum to allow more conversations. I helped work on a federal cybersecurity R&D plan in 2011, and there’s been an acknowledgment that we’re making this stuff hard for the average user.

We need to bring usability experts into the conversation. The IMPACT 2025 focused on this issue: Are we building systems that are designed to help people?

We’re giving people supercomputers in their laptops and in their mobile devices. Every vendor is thinking they’re making it easy.

NIST is trying to get people to understand that standards can help. But that’s a big abstraction from the average user.

Right now, I’m focused on getting people interested in migrating to post-quantum cryptography, as there is a threat that a quantum computer will sometime in the near future break asymmetric encryption.

What do banks need to know about asymmetric encryption? The technical folks running the networks know what it means. But do bank customers also need to know what it means? For them, it’s probably reduced to a simple lock symbol in the address bar.

However, if you expose people to the idea that there are cryptographic algorithms in your devices, from the moment your smart speaker tells you something or you ask your phone something, it will inspire a whole generation to understand why the things they care about are being protected.

Q: Does NIST work with the Cyber Risk Institute?

The Cyber Risk Institute operationalized NIST’s cybersecurity framework (CSF) and banks have implemented it, both as CSF 1.1 and now 2.0.

In fact, they were one of the first groups to jump on our cybersecurity framework, and they built a measurement tool. It’s important for organizations to examine how their cybersecurity space compares to the industry, using the CSF as a lens.

Peering Ahead to a Post-Quantum Cryptography World

Q: How will quantum computing change the cybersecurity landscape?

Quantum computers can do things a classical computer can’t do at scale.

Nine years ago NIST started to work on a process to standardize post-quantum cryptographic algorithms, which need to be in place on the day a quantum computer will be able to break asymmetric encryption and exploit public-private keys.

Since NIST started the standards process, we have one key exchange mechanism and two digital signatures that are quantum resistant. They’re also designed to resist classical attacks on cryptography and run on the CPUs and hardware that we have today and in the near future. 

The Quantum Economic Development Consortium (QED-C) is the group to follow and learn about all the wonderful things happening with quantum technology.

At NIST, our focus on encryption is a wedge of their focus, too. So people invite me to come talk about quantum. 

Q: How can people know whether they are protected?

The international standards bodies that are doing TLS have a long list of all the different places you need to insert these new algorithms, and they are still working out the details.

When they release the new standard for TLS 1.3, companies will start to build stuff that has post-quantum cryptography (PQC) inside and will allow you to interoperate with another company using the same standard.

At the bank level, there are people who are on top of this. The FS-ISAC is on standards bodies, and they’re working on the challenges. The financial services sector has always had a strong commitment to using technology wisely.
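The answer above points at the TLS working groups adding post-quantum algorithms to the protocol, and the earlier answer about the lock symbol explains that the browser shows only whether TLS is in use, not which key exchange was negotiated. The practical check an engineer can make today is whether a client is offering a hybrid ML-KEM key-exchange group in its ClientHello. The following is an added example, not code from NIST, the NCCoE, or the interviewee: it builds a constructed ClientHello record (not a capture from any real client), parses the supported_groups extension, and reports whether a post-quantum hybrid group is offered. The classical group codepoints are from RFC 8446; the ML-KEM hybrid codepoints are assumed from the IETF draft on ECDHE-MLKEM hybrids at the time of writing and may change before final publication.

```python
"""Parse a TLS ClientHello and report whether it offers a post-quantum
hybrid key-exchange group. Added example; not code from the original page."""
import struct

# NamedGroup codepoints. Classical ids are from RFC 8446. The hybrid ML-KEM
# ids are ASSUMED from the IETF ECDHE-MLKEM draft and may change.
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(groups):
    """Construct a minimal TLS 1.3-style ClientHello record offering `groups`.
    Constructed sample input for the parser, not a capture from a real client."""
    body = b"\x03\x03" + bytes(32)                 # legacy_version + zeroed random
    body += b"\x00"                                # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression_methods: null only
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext      # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups(record):
    """Return the NamedGroup ids offered in a ClientHello record.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return []                                         # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SUPPORTED_GROUPS:
            if len(data) < 2:
                raise ValueError("malformed supported_groups extension")
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def pq_key_exchange_report(record):
    """Name each offered group and flag whether any hybrid ML-KEM group is present."""
    groups = supported_groups(record)
    names = [PQ_HYBRID_GROUPS.get(g) or CLASSICAL_GROUPS.get(g) or f"0x{g:04x}"
             for g in groups]
    return {"groups": names,
            "offers_pq_hybrid": any(g in PQ_HYBRID_GROUPS for g in groups)}


if __name__ == "__main__":
    for label, offered in (("classical-only", [0x001D, 0x0017]),
                           ("hybrid-first", [0x11EC, 0x001D])):
        print(label, pq_key_exchange_report(build_client_hello(offered)))
```

The same parser can be pointed at a real ClientHello captured from a packet trace; only the supported_groups list is inspected, so a client that advertises a hybrid group but whose server never selects it will still show as "offers" rather than "negotiated", which is a distinction the ServerHello key_share would settle.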

Q: How are regulators approaching issues of quantum cybersecurity?

They’re paying attention. The adoption in migration to post-quantum cryptography is noted by two federal documents.

There’s a challenge when you see regulators in a meeting: People get a little leery about talking about their issues. People are generally happy to come to us and have these conversations because they don’t get fined for telling us they need stuff.

We’re also not a service that says, “Here’s how to implement something exactly.” People still ask us for a reference version or guide, which is constrained by resources and availability. This is why NIST sticks to standards without going into a reference guide, as it could not possibly cover all the nuances that might exist in implementing them. 

To keep you ahead in cybersecurity and industry best practices, we invite you to:

Stay connected: Sign up for our monthly newsletter to receive exclusive banking and cybersecurity insights.

Follow us on LinkedIn—Don’t miss important updates, including our upcoming webinars, by following our page.

Schedule a call—Let’s discuss how .Bank can enhance your bank’s security.
