
New Report Finds Cloud Security Is Getting More Expensive and Less Effective

For years, enterprises have treated cloud security as a budgeting problem. Spend more, buy more tools, hire more specialists. The assumption was simple: complexity could be contained with enough investment.


The latest 2026 Cloud Security Report from Fortinet and research partner Cybersecurity Insiders suggests that assumption is breaking down.


Based on a global survey of more than 1,100 senior security leaders conducted in late 2025, the report paints a picture of organizations pouring money into cloud defense while losing ground operationally. The problem is not a lack of technology. It is a widening gap between how fast cloud environments evolve and how slowly security teams can understand and control them.


Multi-cloud is now the default, not the exception


Hybrid and multi-cloud architectures have quietly become the standard operating model for modern enterprises. Nearly nine out of ten organizations now run workloads across multiple cloud platforms, often combined with on-premises infrastructure and SaaS services.


That diversity brings flexibility and resilience, but it also fragments visibility. Each provider introduces its own identity systems, telemetry, configuration models, and control planes. Security teams are left stitching together risk signals from environments that were never designed to work as a single system.


The report shows that most organizations now rely on two or more cloud providers for critical workloads, and nearly a third operate across three or more. As these environments scale, the attack surface does not simply grow. It splinters.


Tool sprawl is the top operational risk


The most common obstacle to effective cloud security is not budget pressure or lack of executive support. It is fragmentation.


Nearly 70 percent of surveyed organizations say tool sprawl and visibility gaps are their biggest barrier to protecting cloud environments. Security teams spend more time navigating dashboards and reconciling alerts than actually reducing risk.


This fragmentation has measurable consequences. Two-thirds of respondents say they lack strong confidence in their ability to detect and respond to cloud threats in real time. That number has increased year over year, despite rising investment.


The result is an environment where threats are often understood only after damage has already occurred.


More spending, slower maturity


Cloud security budgets continue to rise. On average, organizations now allocate more than a third of their total security spending to cloud protection, and nearly two-thirds expect those budgets to grow again over the next year.


Yet maturity is lagging. Almost 60 percent of organizations still describe their cloud security posture as being in the earliest stages of development.


The report suggests that new tools often add operational burden rather than reducing it. Each platform introduces new integrations, policies, alerts, and workflows. Without shared context, returns diminish quickly.


Money is being absorbed by complexity rather than converted into faster detection or stronger control.


Talent shortages make fragmentation worse


The operational strain is compounded by a persistent shortage of skilled cybersecurity professionals. Nearly three-quarters of organizations report an active talent gap, with cloud-specific expertise particularly hard to find.


Understaffed teams default to reactive, alert-driven workflows. Proactive measures like architecture redesign, continuous risk modeling, and automation tuning are deprioritized simply because there is not enough time.


Hiring alone does not solve the problem. Cloud environments evolve faster than new analysts can be onboarded. Manual processes do not scale in environments that change by the minute.


Identity, configuration, and data remain the weakest links


Despite years of tooling investment, cloud risk continues to concentrate in the same areas.

Identity and access security tops the list of concerns, followed closely by misconfigured services and data exposure. These risks are tightly connected. A single misconfiguration combined with an over-privileged identity can create a direct path to sensitive data.


Most security tools monitor these domains separately. Few can see how they combine into real attack paths. As a result, exposure chains often become visible only in hindsight.

Attackers, meanwhile, are automating the discovery of those paths.


Automation stops at alerts


While many organizations have introduced automation into their cloud security workflows, most of it stops short of action. Alerting is common. Autonomous remediation is rare.

Only a small fraction of organizations report fully automated response capabilities that can resolve issues without human intervention. The rest rely on analysts to investigate, prioritize, and fix problems manually.


As adversaries use automation and AI to operate at machine speed, human-paced defense models are increasingly outmatched.


A shift toward consolidation


Faced with mounting complexity, security leaders are rethinking their architectures.

If given a clean slate, nearly two-thirds say they would choose a unified security platform rather than assembling a collection of best-of-breed tools. The motivation is not vendor simplicity. It is operational survival.


Security teams are looking for shared telemetry, consistent policy enforcement, and automation grounded in unified context. They want fewer blind spots and fewer handoffs, not just fewer products.


The report makes clear that effective cloud security is no longer defined by how many tools an organization deploys. It is defined by outcomes: reduced exposure, faster response, and systems that work together as a coherent whole.


As cloud environments continue to sprawl, the winners will not be the organizations that spend the most. They will be the ones that finally make complexity manageable.
