NIS2 and DORA are changing cyber security. Maciej Kaczynski (BTC) on the new risk model

By 2026, the full implementation of NIS2 and DORA had definitively shifted cybersecurity from a technical task to a matter of personal legal responsibility for boards of directors. The decentralization of infrastructure and the ubiquity of cloud services have eliminated traditional network boundaries, making identity and access management a new, critical line of defense for enterprises.


Companies today face the challenge of effectively protecting data in an automated manner, replacing the blind blocking of business processes with intelligent content control. In our conversation with Maciej Kaczynski, CEO of BTC, we look at the full spectrum of these strategic challenges – from the realities of EU rigour and the role of artificial intelligence, to the dilemmas of cloud infrastructure, to business metrics for modern IT leaders.

Klaudia Ciesielska, Brandsit: The year 2026 marks the full maturity of the NIS2 regulation, DORA and the amended KSC. From the perspective of a system solution provider – has the Polish market actually undergone a transformation or merely adapted the documentation to the new requirements?

Maciej Kaczynski, BTC: Over the last two years, we have observed two parallel phenomena. On the one hand, some organisations have indeed treated NIS2, DORA or the KSC amendment as an impulse for a real overhaul of security processes. On the other hand, there is still a group of entities that try to reduce regulatory compliance solely to the formal layer – policies, procedures and documentation.

However, the market is maturing. Boards of directors have begun to understand that cyber security is no longer solely the domain of IT departments. Today, it is part of business continuity, operational resilience, legal liability or a reputational issue. DORA in particular has had a very strong impact on the financial sector, enforcing regular resilience testing, scrutiny of ICT vendors and full visibility of technology risks. We have significant examples of this, as our clients are analysing their systems themselves and informing us of possible vulnerabilities, something we did not observe before.

In practice, the biggest change has been in the approach to managing the IT environment. Just a few years ago, many organisations did not have full knowledge of their assets, users, type and amount of data collected. Today, automated IT inventory and monitoring is a strong foundation on which to embed elements of vulnerability management, identity control or mechanisms to prevent data leakage.

We are also seeing a huge increase in awareness among executives. Not so long ago, the conversation about cyber security ended with a question about a firewall or anti-virus. Today, boards are asking about process resilience, response times and guaranteed recovery times, liability for errors, vendor risk levels or compliance with regulator requirements.

“Regulation is no longer just a legal obligation – it has become a mechanism to force the professionalisation of cyber security.”

This does not mean, of course, that the transformation is complete. In many organisations, there is still the problem of fragmented tools, which we now see in the purchase of tools with very broad functionalities or highly integrated ones. According to our research, 2025 and 2026 are the years to invest in good tools, while their proper and effective use is yet to come. Regulation is no longer just a legal obligation – it has become a mechanism to force the professionalisation of cyber security.

K. C.: Requirements such as ISO 27001 or the aforementioned NIS2 place great emphasis on entitlement management. Why has ‘identity’ become the new defence perimeter in 2026 and how should modern IAM systems organise this – often chaotic – area in companies?

M.K.: The modern working environment has virtually abolished the old model of a secure network boundary. Covid has greatly accelerated the transformation – something that was impossible before is now the order of the day. Today, users are working remotely, using cloud services, SaaS applications, mobile devices and distributed environments. In such a reality, it is the user’s identity that has become a key element of security. This is important in larger organisations and entities with high staff turnover.

Cybercriminals understand this very well. The vast majority of successful attacks today do not start by breaking through a firewall, but by taking over a user account, escalating privileges or exploiting misconfigured accesses. Therefore, organisations need to know not only who has access to data, but also why they have this access, when it was granted and whether it is still legitimate.

The problem is that, in many entities, entitlement management has developed haphazardly over the years. Employees change positions, projects and roles and permissions remain. Added to this are technical accounts, shared accounts or the lack of a central access policy. As a result, organisations are often unable to clearly answer who has access to critical systems. As recently as four years ago, it was very difficult for us to sell and implement an IAM-class system. Today, we have implementations in entities for 9,000 employees, and the queue of implementations to be completed is long.

Modern IAM systems must therefore act as a central control and automation mechanism. It is no longer just about user logins. Today’s IAM should integrate the onboarding and offboarding processes of employees, automatically assign roles according to organisational policy, control excessive authorisations and continuously analyse anomalies.

The concept of ‘least privilege’, or minimum necessary privileges, is also very important. A digitally resilient organisation is not one that trusts all users, but one that can limit the potential impact of human error or account takeover.

Given our experience with IAM system implementations, it is clear that the functioning of this type of system must be based on management and employees. We have developed effective solutions in the form of an ‘Employee Panel’, where the employee can see his or her entitlements and at any time request the removal of redundant ones or the confirmation of existing ones. The manager, on the other hand, can see his or her own and the team’s entitlements. Entitlement reviews in this model are carried out quickly, efficiently and with very few errors.

In practice, we observe that entities that have sorted out the area of identity and access significantly reduce audit times, meet regulator requirements more easily and respond to incidents more quickly. IAM has ceased to be an add-on to the infrastructure – it has become one of the key elements of the security strategy.
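The review logic described in this answer, as an added example that is not BTC's own code: a role-to-entitlement policy, a per-employee check that flags entitlements left over from a previous role, entitlements the current role does not justify (least privilege) and entitlements not confirmed within the review period, plus the manager's view over the whole team. All roles, entitlement names, dates and the 180-day review period are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role policy: the entitlements each role legitimately needs.
ROLE_POLICY = {
    "accountant": {"erp.ledger.read", "erp.ledger.post"},
    "hr_specialist": {"hr.records.read", "hr.records.write"},
    "it_admin": {"ad.admin", "erp.admin"},
}
REVIEW_PERIOD_DAYS = 180  # assumed: every entitlement must be re-confirmed twice a year


@dataclass
class Entitlement:
    name: str
    granted_on: date
    granted_for_role: str            # role the employee held when access was granted
    last_confirmed: Optional[date] = None


@dataclass
class Employee:
    user_id: str
    role: str                        # current role after any internal moves
    manager_id: str
    entitlements: list = field(default_factory=list)


def review_employee(emp: Employee, today: date) -> list:
    """Findings for one employee, as shown in the Employee Panel.

    stale_role     : granted for a role the employee no longer holds
    outside_policy : the current role does not justify this entitlement
    unconfirmed    : never confirmed, or not re-confirmed within REVIEW_PERIOD_DAYS
    """
    findings = []
    allowed = ROLE_POLICY.get(emp.role, set())
    for ent in emp.entitlements:
        if ent.granted_for_role != emp.role:
            findings.append({"user": emp.user_id, "entitlement": ent.name, "issue": "stale_role"})
        elif ent.name not in allowed:
            findings.append({"user": emp.user_id, "entitlement": ent.name, "issue": "outside_policy"})
        last_reviewed = ent.last_confirmed or ent.granted_on
        if (today - last_reviewed).days > REVIEW_PERIOD_DAYS:
            findings.append({"user": emp.user_id, "entitlement": ent.name, "issue": "unconfirmed"})
    return findings


def team_review(manager_id: str, employees: list, today: date) -> list:
    """Manager's view: findings for the manager's own account and every direct report."""
    findings = []
    for emp in employees:
        if emp.user_id == manager_id or emp.manager_id == manager_id:
            findings.extend(review_employee(emp, today))
    return findings


# Constructed sample: Anna moved from HR to accounting but kept an HR write entitlement,
# and later received an AD admin entitlement her current role does not justify.
EMPLOYEES = [
    Employee("m1", "accountant", "ceo", [
        Entitlement("erp.ledger.read", date(2025, 6, 1), "accountant"),
    ]),
    Employee("anna", "accountant", "m1", [
        Entitlement("erp.ledger.read", date(2024, 1, 10), "accountant", date(2025, 11, 1)),
        Entitlement("hr.records.write", date(2023, 5, 1), "hr_specialist"),
        Entitlement("ad.admin", date(2025, 10, 1), "accountant"),
    ]),
    Employee("bartek", "it_admin", "m1", [
        Entitlement("ad.admin", date(2025, 12, 1), "it_admin"),
    ]),
]

if __name__ == "__main__":
    for finding in team_review("m1", EMPLOYEES, date(2026, 3, 1)):
        print(finding)
```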

K.C.: Managing data under pressure from KSC and DORA requires more than just blocking USB ports. What should a modern DLP strategy look like that actually secures data, rather than just generating thousands of dead alerts for administrators?

M.K.: The classic approach to DLP for many years was mainly based on simple blocking rules. And these are indeed implemented in most entities. The problem is that organisations are inundated with a huge number of alerts, most of which have no real business relevance. Administrators have started to treat DLP systems more as a source of noise than real security support.

Meanwhile, today’s working environment has completely changed the nature of information flow. Data moves between the cloud, mobile devices, instant messaging, AI systems and business partner environments. It is not possible to effectively protect information solely by locking USB drives.

A modern DLP strategy must be contextual first and foremost. The system should understand what data is being processed, who is using it, for what purpose and whether the behaviour deviates from the normal pattern of activity. We treat differently a finance department sending a report to an auditor and a mass export of customer data performed outside of working hours.

“Even a poorly implemented or poorly supervised DLP system despite failing to fulfil a key role (…) can prove salutary in the preparation of evidence. And we are encountering such situations with increasing frequency.”

The combination of DLP with data classification and risk analysis is also becoming crucial. Organisations need to know which information is critical, which is regulated and where it actually resides. Without this, security systems are operating in the dark. It should be mentioned that there are now technical possibilities for tagging and tracking data or files, but these require good implementation and adequate human resources, which unfortunately organisations have and will continue to struggle with.

A huge role is being played today by automation and the use of AI to reduce false alarms. Systems should autonomously identify anomalies, correlate events and prioritise incidents so that security teams can focus on real threats.

I would like to stress that even a poorly implemented or poorly supervised DLP system, despite failing in its key role of preventing data leakage, can prove to be salutary in the preparation of evidence. And we are encountering such situations more and more frequently.

At BTC, we strongly emphasise that an effective DLP must not block business. Data protection must be transparent to the user and support the organisation, not hinder daily operations. The most mature organisations are no longer asking “how to lock down data”, but “how to securely enable its use”. And this is the true philosophy of modern information protection today.
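Contextual scoring of the kind this answer describes, as an added example that is not BTC's or any product's own code: each event is scored from what data it touches, who sends it where, when, and how the volume compares with that user's usual behaviour, so that the finance report sent to the auditor scores low while a mass export of customer data at night scores as an incident. The department policy, working hours, weights, thresholds and all sample events are constructed assumptions.

```python
from datetime import datetime

# Constructed policy: external domains each department legitimately exchanges data with.
APPROVED_RECIPIENTS = {"finance": {"audit-firm.example"}, "sales": set()}
WORK_HOURS = range(7, 19)            # assumed business hours: 07:00-18:59, Monday-Friday
SENSITIVITY = {"public": 0, "internal": 1, "financial_report": 3, "customer_pii": 5}
VOLUME_FACTOR = 20                   # records above 20x the user's usual volume count as a mass export


def score_event(event: dict, baseline_records: dict) -> tuple:
    """Return (score, reasons) for one DLP event using business context, not a flat rule."""
    score = SENSITIVITY.get(event["data_class"], 1)
    if score == 0:
        return 0, ["public data"]
    reasons = [f"{event['data_class']} data"]
    ts = datetime.fromisoformat(event["timestamp"])
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        score += 3
        reasons.append("outside working hours")
    dest = event.get("recipient_domain")
    if dest and dest not in APPROVED_RECIPIENTS.get(event["department"], set()):
        score += 3
        reasons.append(f"recipient {dest} not approved for {event['department']}")
    usual = baseline_records.get(event["user"], 1)
    if event["records"] > VOLUME_FACTOR * usual:
        score += 4
        reasons.append(f"{event['records']} records vs usual {usual}")
    return score, reasons


def priority(score: int) -> str:
    """Map a score to the queue it lands in; only 'incident' needs immediate attention."""
    if score >= 10:
        return "incident"
    if score >= 5:
        return "review"
    return "log"


def triage(events: list, baseline_records: dict) -> list:
    """Score every event and return them highest-risk first, each with its reasons."""
    scored = []
    for event in events:
        score, reasons = score_event(event, baseline_records)
        scored.append({"id": event["id"], "priority": priority(score), "score": score, "reasons": reasons})
    return sorted(scored, key=lambda s: s["score"], reverse=True)


# Constructed sample: same finance user, four very different situations (2026-03-03 is a Tuesday).
BASELINE = {"ewa": 5}                # ewa normally handles about 5 records per transfer
EVENTS = [
    {"id": "A", "user": "ewa", "department": "finance", "action": "email_send",
     "data_class": "financial_report", "recipient_domain": "audit-firm.example",
     "records": 1, "timestamp": "2026-03-03T10:15:00"},
    {"id": "B", "user": "ewa", "department": "finance", "action": "export",
     "data_class": "customer_pii", "recipient_domain": "webmail.example",
     "records": 50000, "timestamp": "2026-03-03T23:40:00"},
    {"id": "C", "user": "ewa", "department": "finance", "action": "email_send",
     "data_class": "customer_pii", "recipient_domain": "audit-firm.example",
     "records": 3, "timestamp": "2026-03-03T11:00:00"},
    {"id": "D", "user": "ewa", "department": "finance", "action": "usb_copy",
     "data_class": "internal", "recipient_domain": None,
     "records": 10, "timestamp": "2026-03-03T20:05:00"},
]

if __name__ == "__main__":
    for row in triage(EVENTS, BASELINE):
        print(row)
```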

K.C.: Modern systems, like your Bluur AI, rely on intelligent anonymisation. Why, in the age of NIS2 and RODO, are classic data protection methods no longer sufficient in a world where we need to share documents faster and more often than ever?

M.K.: The traditional approach to data protection was mainly based on restricting access. The problem is that modern business requires a constant exchange of information – with customers, partners, regulators or AI systems. The same data is involved in multiple processes across multiple systems. Today, a document very rarely stays in one place. It is analysed, transmitted, archived, shared in the cloud and processed by various applications. In such an environment, classic protection methods are no longer sufficient, as they do not eliminate the most important problem – data overexposure.

Intelligent anonymisation changes the philosophy of security. Instead of completely blocking access to a document, it allows its content to be made available in a controlled and regulated manner. This is particularly important in the financial, medical or public administration sectors, where documents contain a huge amount of sensitive data.

Systems such as Bluur AI can automatically identify personal data, confidential information or business secret elements and then anonymise them in real time. On top of that, they don’t interpret this data because, for example, Bluur doesn’t understand it in the document. Over the years, we have taught Bluur to think about the structure of the document and the data in it, not just in Polish and not just Polish documents. This is a unique solution on a global scale.

More and more companies are using AI models to analyse documents and automate processes. However, without proper anonymisation, there is a risk of data entering the systems that should never be disclosed.

In practice, this means a shift in approach from ‘access protection’ to ‘content protection’. And it is this direction that will dominate the next few years. Organisations can no longer choose between speed and data security. They must learn to pursue both goals simultaneously.

K.C.: There is a lot of talk about the potential of AI, but less so about the risk of ‘hallucination’ in defence systems. To what extent is artificial intelligence today a real support for incident detection, and to what extent a marketing promise?

M.K.: Artificial intelligence is undoubtedly changing cyber security, but the most important thing today is to separate the real possibilities from the marketing hype. AI is not a magic solution that will automatically protect an organisation from all threats.

AI’s greatest value is its ability to analyse vast amounts of data and detect anomalies that a human would not be able to spot quickly enough. In modern security environments, the number of incidents runs into the millions per day. Without automation and machine learning mechanisms, effective analysis would be virtually impossible.

At the same time, it is important to be aware of the limitations. AI models can generate erroneous conclusions, over-interpret data or overlook important business context. In cyber security, such ‘hallucinations’ can lead to both false alarms and the overlooking of a real incident. However, even such a solution is more effective than a human.

Therefore, AI should play the role of an intelligent assistant to the analyst, rather than a completely autonomous decision-maker. The most successful organisations combine automation with the expertise of security experts. Humans are still key in risk assessment, context interpretation and decision-making.

It is also worth remembering that cybercriminals are also using AI. We are seeing increasingly sophisticated phishing campaigns, automation of attacks and attempts to bypass detection mechanisms using generative AI. This means that organisations need to develop AI competencies not only on the business side, but also on the security side.

We are now at the stage of rationalising expectations of AI. After a period of tremendous enthusiasm, the market is beginning to understand that artificial intelligence is an extremely powerful tool, but requires the right data, oversight and well-designed processes. Those entities that treat AI as part of their security strategy and not just a fashionable buzzword will indeed gain an advantage.

“We are currently at the stage of rationalising expectations of AI.”

K.C.: It is often repeated in the industry that “you cannot protect what you cannot see”. In your opinion, is a full inventory of resources in distributed environments still the foundation, or has it become only a secondary support in the age of SOC systems?

M.K.: It is still the absolute foundation. In fact, it’s fair to say that in 2026, the importance of full resource visibility is greater than ever before. Many organisations today have hybrid environments including in-house data centres, public cloud, mobile devices, IoT systems and SaaS solutions. The problem is that the infrastructure is changing dynamically – devices appear and disappear, applications are deployed automatically and users work from anywhere. If an organisation does not have up-to-date knowledge of its assets then it cannot effectively assess risk or respond to incidents. A SOC without a full inventory operates partly ‘blindly’. In practice, many major incidents start precisely with unmanaged resources – forgotten servers, outdated devices, test environments or unauthorised applications. Cybercriminals know very well that an organisation’s weakest point is the areas invisible to the security department.

Therefore, a modern inventory cannot be a one-off project carried out once a year. It must be an ongoing process, automated and integrated with security systems.

At BTC, we clearly observe that organisations that have a structured inventory and asset management layer detect anomalies faster, manage vulnerabilities more effectively and meet regulator requirements more easily. SOC is extremely important, but its effectiveness depends on the quality of the input data. And the primary source of this data remains precisely the full visibility of the IT environment.

K.C.: In 2026, the ‘cloud or own infrastructure’ debate has taken on new colours, particularly in the context of business resilience. Which model do you think wins in the battle to be named ‘safer’ for mission-critical organisations?

M.K.: There is no one-size-fits-all answer to the question ‘what is more secure’ today. In general, there is no safe system or safe organisation. Rather, the key question is whether an organisation can effectively manage risk in the chosen model.

Until a few years ago, the discussion about the cloud was very emotional. Today, the market is maturing and we are increasingly looking at the subject pragmatically. Large cloud providers offer a level of security, redundancy and operational resilience that many organisations would not be able to build on their own.

At the same time, the cloud model introduces new challenges – especially related to configuration responsibility, access control, provider dependency or data location. Many incidents in the cloud are not due to operator errors per se, but to misconfiguration on the customer side.

For mission-critical organisations, we are increasingly seeing a hybrid model. Key systems and the most sensitive data remain under the full control of the organisation, while some services are moved to the cloud for greater flexibility and operational resilience.

“The future belongs to organisations that can consciously combine both worlds. It is not about ideologically choosing ‘cloud’ or ‘on-prem’, but about building an architecture that is resilient to failures, cyber attacks and business disruption.”

The approach to business continuity has also become very important. DORA or NIS2 nowadays not only require systems to be secured, but also the ability to quickly restore services after an incident. In this context, the cloud often offers an advantage through scalability and automation. And we observe failures of various systems at our customers, where you then hear “let’s move quickly to the cloud”.

In my opinion, the future belongs to organisations that can consciously combine both worlds. It is not about ideologically choosing ‘cloud’ or ‘on-prem’, but about building an architecture that is resilient to failures, cyber attacks and business disruption.

K.C.: How is eAuditor Cloud changing the approach to digital transformation? Does the cloud actually accelerate resilience building, or does it generate new 2026-specific risks?

M.K.: The cloud is definitely accelerating digital transformation as it allows organisations to deploy new services faster, automate processes and scale their environment without having to expand their own infrastructure.

In the case of eAuditor Cloud, the key value is to simplify the management of security and IT resources and to get the system up and running quickly (basically an hour). Organisations today expect solutions that are available quickly, easy to deploy and can be centrally managed regardless of the users’ location.

The cloud model also significantly increases data availability and enables ongoing monitoring of the environment. This is particularly important in times of hybrid working and distributed teams.

At the same time, it must be clear that the cloud does not eliminate risks – it changes them. In 2026, one of the biggest challenges is misconfigurations of cloud services, excessive user rights and uncontrolled use of SaaS applications.

There is also the problem of so-called shadow IT, i.e. services deployed outside the control of the IT department. Employees are increasingly using AI tools, cloud applications and collaboration platforms on their own, increasing the attack surface.

Successful digital transformation therefore requires full visibility of the environment, central management of security policies and automation of control processes.

The most mature organisations today treat the cloud not as an end in itself, but as part of a digital resilience strategy. The technology is there to support the business, increase flexibility and improve security – but only if it is deployed consciously.

K.C.: From the management’s point of view, investment in IT is a cost. What indicators should a modern CIO use to prove that automating access management or data protection really protects the company’s bottom line?

M.K.: This is one of the most important challenges for today’s IT leaders. Boards of directors today don’t want to hear only about technology – they expect a concrete impact on business risk, business continuity and financial performance.

The modern CIO should therefore speak the language of business and not just the language of infrastructure. Metrics related to risk reduction, incident response times, service availability or operational cost reduction are becoming very important.

“Technology is there to support the business, increase flexibility and improve security – but only if it is implemented consciously.”

In the area of IAM, it is possible to measure very concretely a reduction in the time it takes to grant and revoke authorisations, a reduction in administrative errors or a reduction in the risk of unauthorised access. Automation of these processes translates directly into lower operating costs and greater regulatory compliance.

When it comes to data protection, the key metrics are the number of incidents, the time to detect a threat, the effectiveness of data classification or the mitigation of the risk of information leakage. The cost of downtime and potential regulatory implications are also increasingly important. Today, a successful cyber-attack can mean not only financial losses, but also reputational damage, customer churn and legal liability for management.

Therefore, security should not be regarded as a technological cost, but as an investment in the stability of the organisation.

K.C.: You have visited several cities as part of the roadshow. What real-life problems do participants most often bring to these meetings and are they different from those we faced just two years ago?

M.K.: This year BTC has decided to return to organising roadshows in Poland. Seven cities are behind us, with two more to go. Comparing the previous roadshow (8 years ago) and the current one, you can definitely see a change in the nature of the problems raised by the participants. You can also see the huge technological progress, great knowledge and awareness of managers and IT employees. Just two years ago, questions about specific technological tools – antivirus, firewalls or basic infrastructure security – dominated. Today, the conversations are much more mature and strategic. Participants mainly ask about operational resilience, regulatory compliance, automation of security processes and control of a distributed IT environment.

The topic of asset visibility and identity management comes up very often. Organisations are beginning to understand that without full control over users, devices and data flows, it is difficult to talk about real security.

Data protection in the context of AI also remains a huge challenge. Organisations want to make use of new technologies, but at the same time they are concerned about losing control over information. So we are increasingly talking about anonymisation, data classification and the secure use of AI models.

Audit and reporting issues are also resonating strongly in regulated sectors. Clients are looking for ways to simplify compliance processes and reduce manual work.

K.C.: If you had to name the single most important IT leadership competency for the second half of 2026, what would it be?

M.K.: For me, the key competence is the ability to combine technology with a business perspective and the ability to take responsibility for decisions.

Today’s IT leader can no longer be solely a technology expert. He or she must understand business processes, operational risks, regulator requirements and the impact of technology decisions on the functioning of the entire organisation. And taking responsibility for decisions, including those that are technically very difficult, business-critical, often with consequences several years from now, but also unpopular, is a huge challenge.

The IT environment is changing extremely rapidly today. The development of AI, regulations such as NIS2 or DORA, cloud transformation and the growing number of cyber threats mean that leaders need to make decisions faster than ever before. Therefore, the ability to build organisational resilience becomes paramount. An IT leader should be able to anticipate risks, integrate technology with the business and create a company-wide security culture.

Communication is also becoming increasingly important. The CIO or CISO must be able to talk to the board in the language of business value and not just technical parameters.

Technologies will change, tools will evolve, but organisations will continue to need leaders who can combine security, innovation and business responsibility. And this is what will define effective IT leaders in 2026 and beyond.
