Project Management in the Age of Geopolitical Cyber Risk

Sanctions, Tariffs, Supply Chains. Welcome to project management 2025.

Hello Fellow,

When tariffs rise and borders harden, project plans don't just shift. In the worst case, they stall.

In early 2025, renewed trade tensions sent hardware costs soaring overnight. The Russia-Ukraine conflict kept European data centre grids under stress. For project managers, this isn't distant politics. It's the next change request in your inbox.

In today's issue, learn:

  • How global trade wars quietly explode project scope

  • How to stress test supply chain exposure before it fails

  • A practical playbook for sudden data residency mandates

  • Why this lands on your desk, not just Legal or the CISO

Why This Is a PM Problem Too

Every geopolitical shock lands on your Gantt chart as scope creep, vendor change, or budget overrun. A tariff turns your storage vendor into a financial liability. A sanction erases a supplier overnight.

These aren't cyber or legal problems. They're delivery problems. The sooner PMs own them, the fewer emergency rebuilds you'll face when compliance sends red flag emails at 4pm Friday.

Stress Test Your Third Parties

You don't need to become a policy analyst. Just be a sharper vendor interrogator.

Map the blast radius. For each key supplier, know where their servers, support teams, and parent companies sit. If they touch a sanction-prone region, flag them now.

Upgrade your vendor checklist. Can they pin data to specific regions? Do they have exit clauses if regions become non-viable? Will they share sub-processor locations? Have they committed to notifying you of ownership changes? Do they have a tested sanctions response? If answers are vague, walk away.

Bake it into your plan. Insert a Geopolitical and Supply Chain Review milestone before contract signature. Make it visible. If it's in the plan, it gets done.

Learning Through Real Scenarios

The 2025 tariff shock. In March, the U.S. imposed 25% tariffs on Canada and Mexico and raised Chinese import duties to 20%. Cloud hardware vendors passed costs directly to customers.

One European integrator saw firewall bills rise 18% mid-deployment. Another re-sourced components from Taiwan, pushing rollout two months late.

The lesson? Even if your servers aren't in China, their parts might be. Tariffs hit the entire chain.

The Russia-Ukraine disruption. The war severed logistics across Eastern Europe. A Polish cloud provider hosting EU backups lost cooling access when its Russian supplier was sanctioned.

Finance and health tech projects rebuilt in-region storage within 60 days, scrambling for providers whilst keeping systems running.

The lesson? Data residency isn't a legal checkbox. It's operational survival when geopolitics shifts.

A Framework That Works

When regulators demand in-region logging:

Freeze non-essential work immediately. Don't wait to see how serious it is.

Map where every log and backup lives. Get the full picture in 24 hours.

Compare against new requirements. Identify gaps and prioritise what moves first.

Switch to a regionalised vendor or enable dual-region redundancy. Have the technical solution ready.

Update the risk log, timeline, and comms the same day. Stakeholders hear from you first, not regulators.

Final Thought

Geopolitical cyber risk isn't a one-off storm. It's the new climate you build in. PMs who treat it as a design input will ship faster, stay compliant, and keep sponsors off the front page.

P.S. Share this with any PM who thinks geopolitics is someone else's problem. It stops being theoretical when your vendor gets sanctioned.

Next Week: Your turn. Tell me what challenge you're facing, and I'll tackle it in next week's issue.

See you next week,

Khalil
