Information Security Policies

Heidrick & Struggles Information Security

Overview

Information security is core to our corporate vision and values. It takes a combination of people, technical safeguards, and processes to protect the information for which we are responsible. Our security program, policies, standards, processes, tools, and talent are aligned with the purpose of preventing and mitigating any potential data leakage. We foster long-term and mutually beneficial relationships through collaboration with our clients and partners to meet their security needs and expectations.

Cybersecurity Governance

Our Chief Information Security Officer and Cybersecurity team are responsible for defining, implementing, and administering appropriate measures to protect information across the firm. Cybersecurity matters are overseen by the Audit and Finance Committee (AFC). The AFC receives periodic updates on the evolving threat landscape and our enhanced efforts considering emerging risks, and regularly reviews our Cybersecurity program with Executive Management. Cybersecurity risks are also reviewed and discussed with the AFC as part of the annual Enterprise Risk Management assessment. Management governs our annual SOX Compliance program and annual independent SOC 2 Type II audit, which includes the reviews of enterprise technology controls. This program includes reviews by our internal and external auditors. We also maintain a cyber enterprise insurance policy to defray some of the potential costs associated with a breach.

Information Security Program

Heidrick & Struggles implements a comprehensive and resilient Information Security program designed to protect the confidentiality, integrity, and availability of client and organizational data. The organization maintains an attestation of SOC 2 Type II compliance, reinforcing a rigorous commitment to security best practices. Information Security policies are meticulously developed in alignment with the ISO 27001 framework, ensuring a systematic approach to risk management. Cybersecurity incident response protocols are established to facilitate prompt identification, reporting, and mitigation of security events. The secure software development lifecycle (SDLC) is integrated within the broader change management process to ensure that all system enhancements are reviewed for security risks. Third-party information risk management procedures are in place to thoroughly evaluate external partners before engagement, reducing supply chain risks.

Well-documented procedures strictly govern access controls to enable the timely provisioning and deprovisioning of user privileges, with access granted solely on a “need to know” basis following the principle of least privilege (POLP). IT change control mechanisms further support the integrity and traceability of system changes. To ensure robust compliance and transparency, regular, independent SOC 1 and SOC 2 audits are conducted for all key SaaS providers. Employees receive annual security awareness training that addresses evolving threats, including phishing, social engineering, device security, and the protection of sensitive information.

From a technical perspective, H&S employs regular, independent third-party vulnerability assessments and penetration testing to identify and remediate security weaknesses proactively. Systems are routinely patched to address the latest vulnerabilities, while all remote access is safeguarded with multi-factor authentication (MFA). Data is hosted in world-class data centers, protected by advanced physical and environmental controls, and all information transmitted is encrypted to maintain privacy. Security monitoring is continuous, operating 24/7/365, and the IT environment is architected for redundancy and resilience, ensuring uninterrupted business continuity. Collectively, these measures demonstrate H&S’s unwavering dedication to upholding the highest standards in information security and risk management.

Cybersecurity and AI Responsibility

At Heidrick & Struggles, Cybersecurity also plays a vital role in artificial intelligence (AI) and machine learning (ML) due to the sensitive nature of the data processed in these technologies. AI and ML models are vulnerable to threats that can result in manipulated outcomes, privacy violations, or system failures. Therefore, securing the development, deployment, and maintenance of these systems is essential to maintaining the trust and reliability that clients and partners expect from us.

AI and ML are increasingly being used as powerful tools within cybersecurity itself—for example, to detect anomalies, respond to threats in real-time, and automate incident response. However, this also calls for the responsible use of AI/ML in cybersecurity, ensuring that algorithms are transparent, promote fairness, and minimize bias. Responsible AI practices at H&S include safeguarding privacy, ensuring accountability for decisions, thoroughly vetting third-party AI vendors/partners, and continuously evaluating models for ethical and secure behavior.

As AI and ML continue to shape the future of cybersecurity, a strong emphasis on both protecting these technologies and using them responsibly is critical to building secure, resilient digital systems.

AI Acceptable Use Policy

Given the fast-moving world of Artificial Intelligence (AI), in 2023, we established an Acceptable Use Policy for Generative AI at Heidrick & Struggles. A cross-functional working group was established to vet proposed AI use cases and tools, and to develop pilot programs for exploration and learning within safe parameters. Since then, Heidrick has developed a more formal and comprehensive AI governance framework as we deploy and adopt AI technologies across our organization, alongside the increasing global regulation of AI.

Data Ethics and Transparency

We maintain reasonable technical and organizational measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. As part of our data governance processes, we periodically assess our data privacy compliance program with external experts to help identify ways to improve and evolve our policies and practices. We will continue our efforts to make our dealings regarding personal data transparent, including informing individuals about how they can exercise their rights to access and control their data, thereby empowering them to make informed choices in the process. Certain jurisdictions, such as the European Union (EU), assign rights to individuals (called “data subjects”), that is, anyone whose personal data is being used, processed, or transferred.

Privacy

We maintain a Global Privacy Policy to ensure compliance with applicable data privacy laws, including the collection, use, processing, disclosure, retention, and destruction of data. We regularly update our Privacy Policy, which is available in multiple languages, to reflect new and updated data protection laws and regulations that apply to our business and our latest service offerings.

Through our privacy policies and approaches, we inform individuals whose personal data we process of the data we collect, how we use it, with whom we share it, for what purpose, how long we retain it, and how we protect it.

The foundations of our business are confidentiality and security. Without them, we would not be the trusted partner we are to our clients. Our employees participate in our ongoing training and awareness program to remind them that privacy is our top priority, protecting our candidates, clients, participants, and colleagues.

If you have further questions or concerns, please contact Heidrick & Struggles’ Information Security department.