Public cloud has become the major underpinning of enterprise infrastructure strategies and innovation delivery. Cloud’s self-service access, elasticity, scalability, quick deployment, and access to new infrastructure and services with little up-front costs has brought about accelerated delivery to market and rapid uptake by enterprises.

But adopting public cloud also brings security risks. Multitenancy means that there is an increased attack surface. Even simple lift-and-shift migration without refactoring or proper governance or infrastructure hardening can lead to untethered spend, insecure and noncompliant workloads, and the risk of potential security breaches. Simply put, turning on the “lights” of a cloud account does not equal digital transformation. New methods of governance, new modes of collaboration, and new ways of working are fundamental to successful cloud adoption.

Cloud strategies continue to change and evolve as new cloud technologies and services are introduced, and as a result, the cloud security strategies of five years ago are already outdated. CISOs are finding that the way their business uses cloud is constantly moving like goalposts on wheels. Cloud security must also evolve at this pace.

Here are some of the most critical cloud trends that CISOs need to be aware of for 2025:

• Securing AI in the cloud. The onslaught of generative AI has meant that CISO organizations have also had to pivot. Lack of transparency around black-box AI models, susceptibility to bias, ethical considerations, threat actors that can exploit open-source models, and AI models that hold large amounts of data vastly increase an organization’s attack surface. CISOs should be addressing these three concerns: 1) reviewing the security controls and governance of cloud-managed AI services; 2) agreeing on the security roles and responsibilities between the cloud provider and your security team; and 3) upskilling the AI capabilities of the security and broader cloud infrastructure team to secure these new services.
• Workload placement for cloud sustainability. New sustainability reporting requirements in the EU have forced enterprises to focus on their carbon footprint. North American companies are following suit. One method of meeting sustainability requirements is through placing workloads in more sustainable availability zones. For example, this could involve ensuring that an availability zone powered by solar power or other renewable energy sources is preferred to one powered by a gas-fired plant. Cloud teams rely on cloud management solutions and carbon footprint data to inform workload placement. Workload placement recommendations often only look through two potential lens: lowest cost or lowest carbon footprint. CISOs might find that these concerns trump data sovereignty concerns or move data to availability zones without the required security controls. CISOs need to ask where their data will reside and implement controls over sensitive data to avoid automatic movement by workload management solutions that break security requirements.
• Sovereignty and regulatory requirements. In recent years, new sovereignty requirements such as SecNumCloud, Cloud de Confiance from France, and the Cloud Computing Compliance Controls Catalog (C5) from Germany, along with the push to keep data in-country, have created a broader push for private and sovereign clouds. In particular, EU and APAC countries have been attempting to more heavily leverage non-US-based cloud providers, create sovereign clouds, or leave workloads on-premises. The Australian government announced an AUD$2 billion investment into a top secret government cloud. Saudi Arabia’s Vision 2030 introduced strict data sovereignty measures. CISOs operating in such environments know they need to meet these sovereignty and regulatory directives but have to balance this with allowing the wider IT team to deliver capabilities that the business needs and wants. CISOs should focus on ensuring that they understand which data types require sovereign cloud services, skeptically review claims about sovereignty by some hyperscalers, and seek to protect only the data that requires this protection, in order to keep the business on side.

If you want to further explore your options when it comes to cloud security strategies, be sure to check out Forrester’s Security & Risk Summit, coming up in Baltimore on December 9–11. I’ll be presenting a session in the Cloud & Application Security track entitled “Cloud Market Trends That Will Disrupt Your Security Program.” We’ll take a deep dive into the biggest trends that your CISO should be aware of and outline what your security program should be doing in preparation.

I hope to see you at the Security & Risk Summit in Baltimore!