2025 review: From corporate comfort zone to freelance chaos universe

Paweł Srebnicki freelance cybersecurity consultant 2025

In 2025, I made the leap from corporate cybersecurity strategist to full-time freelance cybersecurity consultant — and it turned out to be the best professional decision of my career. Here’s an honest look at what happened.

2025 was a breakthrough year for me.

For years, I dreamed of building my own business practice – properly, intentionally, and on my own terms. Like many security professionals, I was excellent at advising others on risk… while personally avoiding one of the biggest risks of all: leaving the comfort zone. Time was doing its relentless tick-tock, and I was counting my birthdays, thinking the change might never come. I kept thinking: „I still have A LOT to learn”, „maybe next year?”, „once I build a bigger client portfolio”, etc. Spoiler: There is never a good or bad time for such changes.

This year, the conditions changed. As my best friend – who has known me since kindergarten – used to say in such moments:

„The universe isn’t whispering anymore. It’s shouting at you to follow your way.”

This year, I went from corporate cybersecurity strategist to full-time freelance consultant. What are the best and worst things about freelancing? Complete independence. You make all the decisions. You bear all the risk. You don’t need approval(s) to invest in learning. You also don’t have a safety net, guaranteed income, or anyone to blame when things go sideways.

My colleagues keep telling me: „On freelance, it’s never certain. You better get used to it.”

Chapter 1: „Independence Day”

Back to school: ISO/IEC 27001:2022 transition. One of the biggest advantages of being a freelancer? I don’t need a three-level approval process to justify a training budget. I am the HR department, and I am a very generous boss.

My first move? Getting certified in ISO/IEC 27001:2022 transition training. Perfect timing – just before the September deadline when the last wave of organizations struggled to recertify. (If you want to know why waiting until the last minute is a terrible idea, I wrote about that here: click link.) The truth nobody tells you about ISO transitions: It’s not just updating your documentation. It’s understanding how subtle wording changes – sometimes just a few words – completely shift the meaning of controls. The devil is in the details.

Fun fact: When ISO changes „should” to „shall,” that’s not editorial flair. That’s your workload doubling.

But I didn’t stop at security. Then came AI.

The AI Governance: Where everyone’s running, nobody’s steering. I realized that while everyone is talking about AI, very few people are talking about AI Governance. I’ve sat on three AI-related speaking panels this year, and my message hasn’t changed: AI is everywhere, but where’s the governance? (More thoughts here: click link)

The Global AI landscape in a nutshell:

  • 🇺🇸 USA: Driving at 260 km/h, occasionally forgetting to check if the car brakes work (= „human rights”)
  • 🇨🇳 China: Driving at a speed that ignores any speed & car limits (= „human.. what?”)
  • 🇪🇺 Europe: Well, the good news is we have the best brakes in the world, and we care about speed limits! But we’re still looking for the „start” button…

A decade ago, I started my ISO/IEC 27001 journey. This year, I decided to do the same with AI governance. I completed not one, not two, but three courses:

  • ISO/IEC 22989:2023 Understanding AI Concepts and Terminology
  • ISO/IEC 42001:2023 Lead Auditor
  • ISO/IEC 42001:2023 Lead Implementer

My strategic bet: Europe’s approach to AI – balancing innovation with ethics – might become the global standard. Not because we’re moving fastest, but because we’re moving in the right direction. Organizations that build ethical AI governance now won’t be struggling when regulations hit. And trust me, regulations are coming faster than your legal team can read them.

Chapter 2: Project #30 & the plot twist I didn’t see coming

Early 2025: Transition season opens. The year started with a bang, project #29 – leading a major telecom in Europe through their ISO/IEC 27001:2022 transition. We rebuilt their Statement of Applicability (SoA) from scratch, analyzing every single amendment to ISO Annex A between the 2013 and 2022 versions. We all knew the September 2025 deadline was looming like a final boss in a video game, and we ensured my Client didn’t get „Game Over” on their Certificate.

Mid-2025: Then came Project #30 & the AI curveball. A world-leading ERP software vendor needed help transitioning a handful of Business Units to ISO 27001:2022. Major milestone, right? Plot twist: Thereafter, they also needed support with ISO/IEC 42001:2023 implementation (AI Management Systems) across several Business Units (Project #31). Suddenly, I went from theory to practice on AI governance. Zero to 100 km/h. AI Manuals to Boardroom. PowerPoint to Politics.

The second half of 2025: It was the busiest period of my career. But also the most satisfying! Nothing beats helping global leaders navigate unexplored territory while everyone else is still arguing about the map. What ISO 42001 implementation taught me (the list is not complete):

  1. ISO 27001 + ISO 42001 streamlines the opportunity for an Organization. If ISO 27001 is already implemented, you are not starting from zero. You are standing on a very strong foundation. Think of it this way: ISO 27001 governs information trust, whereas ISO 42001 governs decision trust. Together, they form a complete digital trust architecture.
  2. AI governance is 40% technical, 60% organizational psychology. Your biggest challenge isn’t the algorithms – it’s convincing Departments or Business Units that their „smart tool(s)” count(s) as AI. And yes, you/they need oversight of those tools. What I suggest is to start with the AI Tool Register (as is done with asset registers for an ISMS). Treat the AI Tool Register as a behavioral change instrument, not a documentation task.
  3. Everyone thinks their AI use case is unique. It is often not. Most organizations are using the same 2-5 AI applications in slightly different contexts, e.g. content generation (text, code, images in Business Development), decision support (or prioritization in ERP Systems), pattern detection (or anomaly detection in Cybersecurity Tools). Once leadership realizes that „we are not governing dozens of AI systems – we are governing four models/categories” … ISO 42001 suddenly becomes more manageable.
  4. The AI risk conversation triggers existential fear. I’ve watched executives go from „AI is our future!” to „Wait, what if … ?” in real time. During TPRM, you’re not just discussing CIA (Confidentiality, Integrity, Availability). You should already step in with the new EFT trio introduced by AIMS (Ethics, Fairness, Transparency). So your Third Party Risk Assessments should be adjusted accordingly.

If I had to summarize ISO 42001 in one sentence based on my current experience:

„AI governance is not about controlling machines – it’s about helping humans stay accountable while using them.”

Chapter 3: The crystal ball — what 2026 brings (spoiler: there’ll be more acronyms)

My calendar is booked through February 2026, and the pipeline looks like a „Who’s Who” of organizations realizing that the „Wild West” era of data is over. Between NIS2 and the EU AI Act, the pressure isn’t just coming from regulators – it’s coming from your customers and geopolitics, too.

Organizations today face more regulatory and risk pressure than at any point in modern business history. It’s not just cybersecurity anymore – it’s a Goulash Soup of overlapping regulations:

  • NIS2 → Coming in hot across the EU
  • EU AI Act → Already reshaping how companies think about automation
  • DORA → Financial services are sweating
  • Expanding cyber threat landscape → Because attackers took a course in efficiency, but geopolitical matters too. In Poland, we know it very well…

The questions I’m hearing from leaders are:
Q: „How do we balance governance and agility?”
Translation: „How do we avoid becoming compliance red tape while also not going to jail or paying huge fines?”

Q: „Are we managing third-party and supply chain risks properly/effectively?”
Translation: „Our vendors keep having breaches, and we don’t know who’s using what”

Q: „How do we prepare for upcoming regulations without killing business & innovation?”
Translation: „We hired data engineers, but nobody knows what they’re building or if it’s compliant”

What I’m looking for in 2026 (and how I can help you)

For Startups: the vCISO you actually want to talk to
Building security from scratch is pretty hard. I know it. But building it while everything is burning is even harder. I know it. Building it while your engineers roll their eyes at every compliance requirement is the hardest. I also know it…
What I ensure & bring with my practice: Strategic security leadership without all the negative aspects typically associated with large enterprise security approaches. ISO transitions that don’t slow your performance. AI governance that helps you differentiate, not just comply.
Who I work best with: Founders who understand security is an asset, not a „tax”. Teams that are ready to build things right from the start.

For Medium-Large Enterprises: PM who has seen every plot twist (even a security program won’t be my first rodeo)
If you need someone who can navigate:

  1. ISO 27001 recertification without disrupting operations
  2. Cross-functional teams who „don’t have time for security”
  3. Certification bodies with opinions about everything
  4. Budget constraints that make no sense
  5. Executive stakeholders who want „the summary version”

What I bring: Battle-tested experience across 30+ projects, multiple countries, multiple industries. I’ve seen many curveballs thrown during audits and certification processes. I know which peaks we can attack together, and which we should politely avoid.
What makes me different: I mix board-level strategy with hands-on delivery. I can translate regulatory requirements into business language. I can make compliance interesting for stakeholders.

The uncomfortable truth about 2026

  1. Regulations aren’t slowing down and won’t.
  2. Threats aren’t getting simpler.
  3. Your competitors are already figuring this out 😉

I bet the organizations that will grow aren’t the ones with the biggest security budgets. They’re the ones who can turn challenges into advantages. Especially in today’s demanding times.

If your organization is:

  1. Navigating ISO transitions (27001, 42001, 22301, 9001)
  2. Preparing for NIS2, AI Act, or other incoming regulations
  3. Wrestling with third-party risk and supply chain security
  4. Looking for strategic security leadership without full-time overhead
  5. Trying to make AI governance actually work

Let’s talk… Reach out via the contact form or connect with me directly on LinkedIn.

I’m a strategist who delivers. An auditor who implements. A consultant who’s been in your shoes.

Take Action

  • Option 1: Drop a comment with your biggest 2026 security or compliance challenge in the comments section of this LinkedIn post. I’ll respond with initial thoughts.
  • Option 2: Connect with me directly on LinkedIn to discuss how I can support your specific situation.
  • Option 3: Follow my LinkedIn profile for upcoming insights on ISO, AI governance, and navigating regulatory chaos without losing your sanity.

The universe might be shouting at you, too 🙂

And a final thought. Yes – my colleagues are right: freelancing is never fully certain. But then again… neither is corporate life. At least now the uncertainty is mine.
#2025 Thank you! #2026 Welcome!