Introducing the HackerOne Champion Program and Our First Champion of the Quarter
The most effective security leaders don’t operate in isolation. They learn by comparing notes with peers who’ve faced the same pressure, made the hard tradeoffs, and lived with the consequences.
For years, we’ve seen this dynamic play out among HackerOne customers. These leaders weren’t gatekeeping their learnings. They were talking to people, sharing what actually worked, being honest about what didn’t, and helping others avoid learning the hard way.
The HackerOne Champion Program is officially here, and it is our way of supporting and recognizing those leaders. It’s designed for security practitioners who actively contribute to the community by sharing lessons, advising peers, and helping shape how modern security is practiced.
Erika Voss, CSO at Blue Yonder, is our first Champion of the Quarter. Her approach to rebuilding customer trust shows exactly what this program is about
Champion Q&A: Erika Voss on Rebuilding Customer Trust at Blue Yonder
When customers are anxious, they don’t want a “we take this seriously” statement.
They want to know someone is listening and they want confidence that the company will show up, even before every detail is known.
That’s the lens Erika Voss brought to Blue Yonder when she joined after a public security incident. Her job, as she describes it, is straightforward and hard: rebuild trust with customers and rebuild the company’s reputation through action.
It’s also why she’s HackerOne’s first Champion of the Quarter.
From Prisons to Incident Command: Why Erika Leads with Operations
Erika didn’t start her career in a security operations center.
She started in physical security, working in a men’s closed-custody prison and building muscle memory around emergency preparedness and business continuity. Later, she gave a presentation on FEMA’s Incident Command System (ICS) and how that same operating model applies to technology incidents: clear roles, clear terminology, clear accountability.
Then she got recruited into disaster recovery, and on day two in that role, everything became real.
Blue teams talk about resilience. Erika lived it: a malicious employee triggered a logic bomb and wiped their Active Directory, forcing a 10-day recovery effort. That moment shaped her career-long fixation on the “why,” the behaviors behind incidents, and the operational discipline it takes to respond under pressure.
A Career Built Under Pressure (Rebuilding and Reimagining)
Erika’s path through security has a pattern: she tends to join organizations at inflection points.
She moved from state service into federal contracting, then into large-scale resilience work at Amazon, including building global continuity for fulfillment centers after Japan’s tsunami, earthquake, and nuclear event exposed how fragile “normal operations” can be. She later worked on AWS data center resiliency, Microsoft supply chain security, and global GRC at Oracle as it evolved into a public cloud provider.
Her takeaway from that whole arc is simple: You can’t fix what you won’t name.
And trust is earned when leaders are willing to say the hard thing out loud, then do the work to change it.
In our conversation, Erika emphasized: “People aren’t buying a product. They’re buying trust.”
So when Erika joined Blue Yonder last April, she didn’t stay inside the org chart. She went straight to customers.
The first months weren’t comfortable. She describes the first four months as “painful” because customers had complaints, concerns, and real issues they needed addressed. Her instinct was to listen, then explain where the company is going, what investments are being made, and what “trust by design” should mean for them.
The Unconventional Move: Funding a Customer Trust Arm Inside Security
Erika’s biggest initiative at Blue Yonder is also the thing she thinks more CISOs will eventually do: she intentionally funded a customer trust arm on her team. People told her she was crazy but did it anyway.
Blue Yonder’s Trust organization, led by VP Sam Archey, ensures trust isn’t treated as a moment-of-incident activity, but as a continuous operating model.
Sam’s team is designed to be always-on and customer-facing, providing 24/7 availability during security incidents so customers are never left waiting for clarity. But their role extends well beyond crisis response. The team partners closely with internal security, engineering, legal, and customer-facing teams to enable consistent, timely, and credible engagement, whether that’s translating technical signals into customer-relevant context, strengthening security awareness across the company, or helping teams communicate risk and resilience with confidence.
At its core, customer trust comes down to real-time information. Erika’s model is “if we see something, we say something,” even if the message is simply: we’re investigating and we’re with you through it.
And she makes an important distinction: her role isn’t a “field CISO” function. It’s closer to a trust officer function, focused on how security shows up with customers, how ROI is communicated, and how credibility is built and measured.
Proof Points Customers Can Hold: AI Red Teaming for Customer Confidence
When asked for a concrete initiative influenced by customer needs, Erika points to AI.
Blue Yonder is investing in AI agents and autonomous capabilities, and Erika sees AI as a double-edged sword: more value, but also more attacks and a need for faster detection.
That’s why her team is doing AI red teaming with HackerOne. In her words, the power of this work is that it doesn’t just help security teams see risk differently, it provides customer confidence and trust because you can credibly say: we’re validating these systems, and we’re doing it with the right partner.
What “Success” Looks Like for a CISO Rebuilding Trust
Erika’s success metrics are refreshingly grounded. She looks for:
- Detection and response improving: MTTD and MTTR trending down.
- Patch management maturity: Vulnerabilities move too fast to fall behind.
- Executive leadership trust: The ELT believes in the program and the decisions.
- Stability during peak season: For supply chain, the busiest window is roughly Nov. 1 to Jan. 1, and success is getting through that without disruption.
That’s CISO strategy in plain language: measurable improvement, executive confidence, and business stability customers can feel.
The Risk Area Erika Wants the Industry to Talk About More: Insider Threats
Erika also highlights one topic she thinks the industry avoids: insider threats.
She pursued her doctorate in cybersecurity specifically to drive change, with a focus on insider threats and the behavioral warning signs organizations often ignore. She calls it part of “cyber hygiene foundation” and points out there’s a MITRE insider threat framework, yet not enough real attention on it.
The Part Nobody Wants to Admit: Trust Takes Time
Erika is candid about the reality of stepping into a senior security role during a critical moment.
New CISOs want quick wins, but the job is often: learn the architecture, build relationships, and navigate competing priorities. She says it takes six to nine months just to understand the lay of the land, and ultimately, the real job is culture change, which takes years (she references an article she recalls from Harvard Business Review about culture change timelines).
That honesty is what customers respond to.
Why Erika is Champion of the Quarter
Erika’s story is about a leadership mindset that treats trust as something you earn with customers, not something you ask them to grant you.
That mindset is what the HackerOne Champion Program exists to recognize: security leaders who share openly, lead through hard moments, and help raise the bar for others along the way. That’s what a Champion looks like.
If that’s you (and you’re a current HackerOne customer), join the Champion Program to share with and learn from peers, and contribute to a safer internet.
About the Author
