In 2025, cloud computing is no longer merely an operational requirement but a strategic driver and a major line item in budgets. Yet the Flexera 2025 State of the Cloud Report identifies a two-pronged challenge for enterprise IT leaders: 84% of respondents cite governing cloud costs as their main concern, while 77% still name security as a top issue. The intersection of cost management and cybersecurity has produced a new reality for IT decision-makers and CISOs. Success in this arena requires closer alignment between cost optimization methodologies, active security techniques, and interdepartmental cooperation.
Cloud Cost Strategy Is Security Strategy Now
Multi-cloud and hybrid approaches are now standard, with 70% of enterprises currently using at least one public and one private cloud. While this architectural transition delivers flexibility, it also heightens complexity. Businesses support multiple providers, 2.4 public clouds per business on average, each with its own configurations, compliance rules, and billing models. For cybersecurity professionals, this growth means more possible points of entry, wider attack surfaces, and more variables to protect.
The challenge is not merely to protect individual workloads but to build an integrated security posture across environments. This means making identity and access controls part of that posture, rolling out centralized monitoring tools, and integrating cloud governance with the overall security framework. Silos are no longer an option for cloud management. Security and infrastructure now have to work as a single front.
The GenAI Disruption: Opportunity and Risk
Generative AI (GenAI) has seen explosive adoption, with 83% of organizations using or actively testing GenAI services. FinOps and security teams therefore need to anticipate its exponential growth. AI workloads often exhibit high compute use, sensitive training data, and reliance on third-party APIs, all of which create new cost centers and threat vectors.
From a security perspective, the unauthorized deployment of AI models, or “shadow AI,” is a significant threat. Such deployments typically have not undergone vetting, governance, or integration with other security systems. Cybersecurity executives need to create strong policies around AI experimentation and require thorough vetting of every experiment for data privacy and risk before it grows. Furthermore, AI cost prediction must be incorporated into FinOps dashboards so that sudden spend surges, which can undermine budgets and cloud cost management initiatives, are avoided.
Security’s Role in FinOps: A Strategic Shift
Traditionally, experts have viewed cloud cost optimization in strictly monetary terms. But that is shifting. The Flexera report indicates that organizations waste 27% of cloud spending on infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). These inefficiencies do more than drive up costs; they create security risks.
Idle instances, stale services, and orphaned storage buckets tend to go unchecked in environments without FinOps discipline. Each of these is a security liability waiting to happen. By converging FinOps and security initiatives, organizations can actively detect and decommission unnecessary assets, impose patching policies on idle environments, and implement guardrails on provisioning and resource consumption.
This alignment also allows CISOs to join cost conversations with risk context. To illustrate, the case for eliminating redundant software licenses is not merely cost savings; it also eliminates unnecessary access points. FinOps and security, pursued together, form a force multiplier for both security and operational effectiveness.
Managed Service Providers: Strengthening or Weakening Security
As cloud environments expand, many companies outsource parts of their infrastructure to Managed Service Providers (MSPs). The Flexera report indicates that 60% of organizations currently use MSPs in some form. While MSPs can provide domain-specific expertise and offload operational burden, they also bring governance complexities.
CISOs need to ensure that third-party vendors meet the same compliance and security standards as in-house teams. That includes well-defined roles and responsibilities, regular audits, and the ability to revoke access quickly in the event of a breach. Service-level agreements (SLAs) need to incorporate continuous monitoring, real-time reporting, and incident response plans. Without sufficient oversight, MSPs can leave blind spots that weaken the overall security posture.
Cloud Centers of Excellence (CCOEs): Security’s Strategic Partner
The increasing use of Cloud Centers of Excellence (CCOEs), now present in 74% of organizations, has transformed the way organizations control cloud operations. Cross-functional teams of IT, finance, security, and operations stakeholders gather to create cloud best practices, simplify provider evaluation, and align governance.
This is an opportunity for cybersecurity leaders. With a seat at the CCOE table, CISOs can influence cloud architecture, procurement, workload placement, and compliance decisions. They can ensure that security is baked into the design process rather than tacked on after deployment. In addition, CCOEs are increasingly tasked with measuring the success of FinOps efforts. Close collaboration between the CCOE and security leaders prevents cost savings from being achieved at the expense of increased risk exposure.
What Leading Security Teams Are Doing Differently
Top-performing cybersecurity teams now actively participate in infrastructure and financial conversations. They deeply engage in decisions around cloud spend, provider management, and AI deployment. According to the Flexera report, organizations that actively involve security in their FinOps processes report fewer instances of wasted spend and better alignment between technical controls and cost controls.
These teams are taking proactive steps such as:
- Enforcing tagging policies and automation to track cloud assets accurately
- Collaborating with FinOps teams to assess the security implications of underutilized or over-provisioned services
- Requiring security sign-off on SaaS purchases to ensure compliance and minimize third-party risk
- Including cybersecurity KPIs in cloud governance metrics to tie risk reduction directly to operational performance
By embedding security earlier in the cloud lifecycle, these organizations are building resilience that goes beyond threat mitigation: they are enabling sustainable digital operations.
The 2025 report signals a shift in enterprise priorities. While cost control and security remain distinct objectives, their intersection is becoming more apparent. Enterprises that silo these functions are at greater risk of overspending, underperforming, and under-securing their cloud investments.
Security leaders must evolve into cloud strategists, understanding pricing models, resource planning, and the nuances of multi-cloud operations. Likewise, FinOps practitioners must begin incorporating risk-based thinking into their frameworks. The future of secure, cost-effective cloud operations lies in unified leadership, shared accountability, and cross-functional visibility.
Key Takeaways
The cloud is no longer a simple infrastructure choice; it is a complex, evolving ecosystem that demands strategic oversight. For CISOs and cybersecurity teams, 2025 is not the time to remain reactive. The growing intersection between cost management and security creates both a risk and an opportunity.
By aligning with FinOps, participating in CCOEs, and leading the governance of emerging technologies like GenAI, cybersecurity leaders can directly influence operational efficiency, financial control, and business resilience. The organizations that understand and act on this convergence will be the ones that secure not just their data, but their future.
The full State of the Cloud Report offers exclusive benchmarks, insights, and strategic takeaways that every CISO and cloud security leader should leverage to stay ahead in 2025.
FAQs
1. How can CISOs practically align with FinOps teams without slowing down security operations?
CISOs can embed security protocols into existing FinOps processes by contributing risk metrics to cost dashboards, participating in provisioning reviews, and implementing automated tagging and resource monitoring. This enables real-time risk visibility without adding bottlenecks.
2. What’s the best way to manage “shadow AI” deployments before they become security liabilities?
Establish mandatory review gates for all GenAI experiments. Require teams to submit privacy impact assessments and risk evaluations before any AI model is trained or deployed. Use centralized access controls and restrict API usage to pre-approved services to prevent unauthorized deployments.
3. What specific security risks are linked to underutilized or idle cloud resources?
Idle VMs, storage buckets, and unused endpoints are often not updated, monitored, or patched, making them soft targets for attackers. They may also store outdated data without encryption or access control, increasing the risk of breaches and compliance violations.
4. How should cybersecurity teams vet Managed Service Providers (MSPs) for compliance and security alignment?
Request SOC 2, ISO 27001, or similar compliance certifications. Define detailed SLAs with clauses for real-time monitoring, access management, and breach reporting. Conduct regular joint audits and insist on the right to revoke access quickly if standards aren’t met.
5. What role should CISOs play in a Cloud Center of Excellence (CCOE)?
CISOs should contribute to cloud architecture design, provider vetting, workload classification, and compliance strategy. Their involvement ensures that cost-saving decisions don’t compromise security, and that security is integrated from the start, not patched in later.