
Sebastian Cano at Thales considers how to balance the limited budgets that most cyber-security teams are allocated with the many urgent priorities they have to address.
Cyber-security leaders are constantly juggling finite resources in response to ever-expanding risk vectors. For CIOs and CISOs navigating today’s threat landscape, the challenge isn’t identifying which security gaps exist; it’s determining which ones can and should be addressed first. This calculus is becoming increasingly complex in 2025, as organisations balance cloud security needs against the emerging risks posed by artificial intelligence.
According to Thales’ 2025 Cloud Security Study, over half (52%) of security professionals globally say they’re prioritising AI security over other security spending, including for the cloud. This shift reflects a growing awareness that AI models, particularly those used in business-critical processes, present not only transformative potential but also new forms of vulnerability – from poisoned training data to model inversion and inference attacks.
But with security budgets already stretched across identity and authentication, data protection and sovereignty requirements, as well as managing risks from third-party connections like APIs, how can leaders rationally decide what takes priority?
For years, cloud security has dominated the spending agenda, and as the value of data for threat actors has grown, rightfully so. As enterprises transitioned workloads to hybrid and multi-cloud environments, they faced the need to classify and secure these growing data estates, implement access controls, and adequately manage increasingly ephemeral infrastructure.
Investments flowed into encryption at rest and in transit, tokenisation, and advanced data classification systems to protect sensitive information, which is increasingly stored in the cloud. 83% of respondents to this year’s Thales research said at least two-fifths of their cloud data is sensitive, up from 62% last year. Many organisations also deployed cloud-native detection and response tools to gain visibility across containers, serverless functions, and APIs.
And yet, the attack surface hasn’t shrunk in size. Misconfigurations and human error remain rife, the latter being the leading cause of data breaches in the Thales research. And the pressure to support the agility demands of a typical digital-first business keeps cloud security firmly on the risk register.
Enter AI, both as a tool and as a target. Across all manner of business functions, it is already starting to reshape operational processes. But behind every AI capability is a model trained on underlying data, often sensitive, sometimes proprietary, and increasingly at risk.
Security leaders must now grapple with a new class of concerns: how to verify the provenance and integrity of training data, how to detect model drift or tampering, and how to ensure that AI-generated outputs aren’t inadvertently leaking confidential information. Even the act of embedding third-party generative AI APIs into products introduces new risks related to shadow AI usage, data residency, and prompt injection.
The shift in spending priorities uncovered by the Thales research suggests that many organisations are waking up to the long-term implications of AI insecurity. But pivoting attention away from cloud controls too soon may prove shortsighted.
In practice, most security teams don’t have the luxury of a clean slate. They must make trade-offs. The question becomes: how?
One approach is to adopt a risk-adjusted ROI model that weighs the business impact of a given security failure against the likelihood of it occurring – and the cost of prevention. For example, a large enterprise using foundation models to power customer personalisation may find AI model security a higher priority than data loss prevention in its test environment. Meanwhile, a financial institution handling regulated customer data will likely deem cloud encryption, data sovereignty controls, and key lifecycle management as foundational.
Another practical lens is attack feasibility vs. consequence. While AI attacks may still seem esoteric to some, their potential consequences, such as model corruption or unintentional IP disclosure, can be significant. But so can those of a cloud misconfiguration, which can lead to credential theft or ransomware. The technical maturity of the adversary, and the ease with which an exploit can be executed, should also be factored in.
The risks are heightened in a world where organisations report an average of 91 SaaS applications in operation. Little surprise then that 55% of respondents to the Thales research find cloud security more complex than securing on-premises infrastructure.
Organisations should also consider interdependencies between cloud and AI security. The two are not mutually exclusive. Many AI models are trained and deployed in cloud environments, making cloud-native security tooling (e.g. confidential computing, logging of model API calls, IAM governance) directly relevant to AI protection. Similarly, investments in data classification and access controls improve both cloud data hygiene and AI training integrity.
Looking ahead, the most forward-thinking organisations are beginning to converge their cloud and AI security strategies under unified governance frameworks. This includes deploying data provenance controls, model transparency audits, and cross-functional risk reviews that bring together data scientists, DevOps, and security teams.
This integrated mindset is essential – because while today’s trade-offs are driven by budget, tomorrow’s priorities will be shaped by reputation, regulatory change, and resilience.
Security leaders must avoid the trap of false dichotomies. It’s not a binary choice between cloud and AI security, but rather a question of sequence, maturity, and alignment with business goals. By grounding decisions in risk, interdependencies, and long-term value, CISOs can navigate the trade-offs with greater confidence – and ensure their organisations are secured not just for the present, but for the AI-augmented future.
Sebastian Cano is SVP for Cybersecurity at Thales