The Ford Foundation supports grantees around the world who are working tirelessly to build a more just and equitable future. But this vital work often comes with risks, from online intrusions to physical threats. We know that addressing inequality in all its forms requires supporting our grantees to fortify their digital and physical safety so they can continue their important work.

Recognizing this, Ford invested in a five-year Grantee Safety Program that I had the honor of managing. I first served as a Technology Fellow and later as the senior cybersecurity program manager in Ford’s Technology and Society program. The Grantee Safety Program was designed to equip grantees with the tools and knowledge to navigate these challenges securely. Here’s what we did and what we learned. 

Cybersecurity

Ford takes a holistic approach to grantee cybersecurity in order to foster a culture of safety. This includes a tool to provide assessments, interactive learning experiences, research, and open forums for discussion, all of which empower grantees to proactively address digital threats. This comprehensive approach builds a safer and more resilient social justice ecosystem.

Cybersecurity Assessment Tool (CAT) and webinar series

The first major project the Grantee Safety Program undertook was the development of an assessment tool designed to help civil society organizations strengthen their cybersecurity footprint. While there are many excellent tools available for individuals to assess their digital security, there are fewer tools purpose-built for organizations, and even fewer for nonprofits. 

To move this project forward, we assembled a group of global cybersecurity experts with different professional interests and backgrounds, from protecting pro-democracy movements to supporting high-risk individuals. Together, we spent more than nine months combing through existing projects, discussing how best to measure and gauge an organization’s cybersecurity strength, and brainstorming approaches. 

Ultimately, the work we produced became the heart of the Cybersecurity Assessment Tool (CAT), a 70-question workflow that produced hundreds of recommendations for organizations with low, medium, and high levels of cybersecurity. The tool was originally designed specifically for BUILD grantees and is now available to all organizations to fortify their digital security.

The CAT 1.0 has lived on the Ford Foundation website since 2020, and it has received approximately 3,500 visits per month since launch. In 2022, we launched a comprehensive redesign and relaunch of the tool, which resulted in a 2.0 version that is now in beta. Starting in 2025, The Engine Room will become the custodian of the CAT 2.0, keeping it updated, secure, and developing outreach plans to explain the value of the CAT and attract new users from across the globe, with particular emphasis on the Global Majority.

The tool is referenced by organizations around the world, including cybersecurity professional groups, NGOs like TechSoup, the Global Cybersecurity Alliance, and even the U.S Cybersecurity and Infrastructure Security Agency (CISA). 

To support the launch of the CAT, we undertook a multiple-month webinar series for BUILD grantees known affectionately as CATFOOD, or Cybersecurity Assessment Tool Forum for Open Online Dialogue. (One of our principles: security may be serious, but it doesn’t have to be boring.)

In each of these hour-long webinars, the team behind the CAT project explored a series of key cybersecurity topics, from endpoint protection to ransomware. We also covered some less conventional topics, including how organizations can build a culture of security and “pressure test” their security when employees go on leave. 

As part of this series, we worked hard to make security an approachable topic that organizations felt comfortable exploring in a non-judgmental space. By encouraging an open, welcoming attitude towards security, we showed that shame, guilt, and negativity had no place in the conversation when our grantees discussed their own safety. 

Cybersecurity Reports and Research

In partnership with foundation regional offices and programs, the Grantee Safety Program developed landscaping and analysis on cybersecurity resources, providers, recommendations, and approaches that were best fit for grantees. This included collating a list of cybersecurity experts in our 2020 report, Cybersecurity Capacity Building Technical Assistance Providers ‘The Honest Mechanics’ list. Crucially, this resource served as an inventory of global cybersecurity providers who are better aligned with the mission and capacity of civil society organizations. 

For grantees based in Latin America, we supported a landscaping and analysis of the cybersecurity provider network in the region, conducted with the Andean regional office and the consultants at WINGU. The report Cybersecurity and Cyber Resilience in Social Organizations of the Andean Region (2022)  is available in Spanish and in English.

We have continued this initiative by supporting the Technology and Society Program and the Middle East North Africa regional office with their upcoming report focused on landscaping and analysis, with recommendations for grantee partners and our offices.

Cyber Coffee 

The CATFOOD series taught us an important lesson: Ford grantees were eager to understand, improve, and talk about their security. That’s why, shortly after we wrapped our webinars, we launched Cyber Coffee as a safe space for discussions about security challenges, successes, and questions. These sessions, which have taken place twice per month since 2021, have allowed Ford grantees an off-the-record opportunity to ask questions of cybersecurity experts and share their own experiences as they seek to achieve their goals safely. From 2021 to 2023, the program grew to include more than 200 registered attendees. 

Cybersecurity Tabletop Exercise 

In addition to a safe space to talk, grantees also appreciated the opportunity to be interactive and even playful when discussing a serious topic. We enlisted the help of game designer Jason Li to bring cybersecurity to life through an interactive tabletop exercise. This helped grantees understand cyber risks, explore solutions, and build a stronger security culture—all while having fun. 

We hosted the tabletop exercise as part of our CATFOOD and our Cybersecurity Academy programs (more below), so that grantees could experience what such an exercise entailed and how to run a version themselves. These exercises can be invaluable in helping organizations think through the risks they face and begin to develop solutions.

Participants played either the role of a global nonprofit or a hacktivist collective, then selected attacks and defenses from a menu of hundreds of possible combinations. Through a turn-based approach, participants had the chance to see how their choices played out, complete with special dice rolls and prompts. 

In addition to being entertaining, this exercise also helped participants—many of whom were unfamiliar with key cybersecurity concepts—learn as they played. Along the way, they discovered a key principle: while attackers inherently have an advantage, a strong threat model and preparation can go a long way towards keeping an organization safe. 

After multiple successful iterations of the exercise, Jason developed a publicly accessible version available at Cat and Mouse Game.

Cybersecurity Academy 

In 2022, we were able to expand our cybersecurity programming from BUILD grantees (approximately 15% of the foundation’s grantee pool) to all Ford grantees.

As part of this expansion, we launched a formal learning platform that would allow attendees to join a cohort of their peers for four months of training. Over the course of two years, we enrolled three cohorts into the Cybersecurity Academy program, providing more than 300 grantees with monthly learning opportunities. 

To help all participants learn on their own schedule, we created the Cybersecurity Academy learning portal, which made articles, checklists, lesson recordings, and notes available for asynchronous study. 

One grantee that attended the Academy reported it was “an eye-opener,” while another noted that the “sessions helped demystify a number of concepts I had heard about and gave me a ‘big picture’ view that will help with further learning in the future.” In fact, 88% of our 2023 participants reported that their organization was in a stronger place because of the Academy.

For Academy alumni, we also made specialized training available through additional lessons from Tactical Tech as part of their Exposing the Invisible program. This four-part series helped more than 70 grantees improve and safeguard their online research practices. 

Cybersecurity Pit Stop Program 

Also launching in October 2024, the Pit Stop Program will provide one-on-one support for six selected grantees who have attended our Cybersecurity Academy and been active participants in our Cyber Coffee sessions. Grantees will benefit from a personalized assessment with a cybersecurity professional followed by a period of hands-on work resolving a particular security challenge or concern. 

Grantmaking

The Grantee Safety Program grantmaking strategy focused on meeting the immediate need to support the safety of our grantees and their mission. This included strategic investments that can advance long-lasting change in the recipient organizations. Our grants included:

• Support to abortion care providers to remove personally identifiable information from the internet

• Funding to improve cybersecurity and forensics programs within leading advocacy organizations
• Support for digital security rapid response programs for civil society groups
• Funding for cybersecurity and training for press freedom, police accountability, harm reduction, and racial justice organizations 
• Support for conferences, events, training, and certification in the cybersecurity and online privacy space 

Physical Security

In our hyper-connected world, threats that begin in the digital realm can quickly escalate to physical risks. That’s why we also focused part of our Grantee Safety Program on the physical security issues facing our grantees, from workplace safety to event security. 

Rapid Assistance Security Initiative (RASI)

Starting in 2022, in collaboration with various Ford Foundation programs and in partnership with NEO Philanthropy, we launched a special fund for US-based grantees who were facing immediate physical security challenges. As part of this effort, grantees could connect with a physical security expert for an assessment, then be matched with funding and access to vetted providers to help them address short-term risks. Grantees have been able to use RASI funding for needs including active shooter preparation, office security improvements, and relocation of staff during a credible threat. To date, the RASI program has awarded over $1 million in grants to over 70 grantees.

Physical Safety School

Launched in October 2024, the Physical Safety School is inspired by the success of our Cybersecurity Academy program. Led by the experts at Collective Security Group, this online academy aims to help US-based organizations improve their physical security posture, including the safety of their offices, events, and staff. 

What We Learned

Security can be interactive, constructive, and—yes—even fun. For many organizations, security represents a function, department, or role that says “no,” making their work more complicated or time-consuming. We wanted to reframe security as a topic that could lead to constructive dialogue and interactive learning. We found that grantees were more likely to engage with key security concepts when they were tied to interactive learning activities like our tabletop exercise.

Don’t forget to emphasize the fundamentals. Like any discipline, security can quickly become filled with technical jargon. We pushed hard to present our work in plain language as much as possible. Even so, we found that grantees absorbed the material best when we focused on the fundamentals rather than going deep into higher-level topics. A self-selecting group of individuals within our grantee organizations even became “security champions” and took advantage of all of our offerings.

People are the strongest part. There is an adage in security that humans are the “weakest link” in every system because of our penchant for taking shortcuts and making mistakes. And while that’s true, our work also proved the opposite. Grantees from across the globe supported one another throughout our programs, cheering on each other’s successes and navigating challenges together. This sense of solidarity proved that when we collaborate, we are all safer. 

Together, we can make security approachable. Security is often a taboo subject for many organizations. Some view it as traumatizing or frightening, while others worry about making costly mistakes that could cause harm. We found that providing a safe space for discussion about security-related topics helped defuse some of that tension. With the right context and enough encouragement, a constructive dialogue that helps make organizations comfortable is possible. 

It’s ok to provide resources and connections when needed. Traditionally, grantmakers have been hesitant to provide resources and funding directly linked to security needs for their grantees. Our programs, especially the RASI and Cyber Coffee efforts, showed there was a strong appetite among grantees for more resources to prioritize their security needs. Grantmakers don’t need to be experts in security to help their grantees—instead they can use their powers as facilitators to make the right connections between grantees and providers.