It was the fall of 2024, near the end of the UGA president’s planning retreat, when my phone buzzed with the kind of call every CIO dreads. Our information security team had discovered a series of compromised workstations and services. A threat actor had infiltrated parts of our enterprise, gaining control of computer accounts, including some with elevated privileges. The pattern was serious, and it was spreading.

For a CIO at a large research institution, this is the moment that sends a chill down the spine. Institutions facing this scenario have been forced to disconnect from the Internet for days or weeks to regain control. I knew the stakes. My first move was to activate our Mandiant retainer. Their team engaged within hours. Over the next two weeks, they validated that we had contained the intrusion. They mapped out the attacker’s path, showing how they slipped around our defenses. They also handed us a detailed set of remediations, the kind that would reduce or eliminate the chance of a similar attack succeeding again, requiring several university-wide IT policy changes.

Under our bylaws, decisions on IT policy reside in the CIO’s office. We reviewed the proposed changes with key constituency groups. We expected a debate but heard very little. And then, after the policies were enacted and rolled out, the pushback began. It arrived quickly and with force. My team felt blindsided by the intensity. Many in the community felt blindsided by the impact. The silence during our attempts at earlier consultation had not been agreement. It had been something else entirely.

In today’s Dispatch, I want to reflect on what we learned from that experience and outline a practical approach to shared governance that can help any CIO lead meaningful change with greater clarity, less surprise, and far less tension.

The big picture

A familiar pattern shows up whenever a CIO introduces a needed policy or process change. The reaction rarely centers on the substance. It centers on how the change was delivered. People say no one asked them. They say it arrived without warning. These comments point to something deeper. Shared governance is not a procedural step. It is part of how people understand their role and identity inside the institution. When IT treats a change as a process execution, the community interprets it as a shift in power, a threat to local practice, or a disruption to routines that carry meaning.

Most failures follow the same path. A small internal group shapes the policy, moving quickly to solve an urgent problem. By the time the broader community sees the proposal, it feels final. Leadership hears little during early consultation and assumes silence means agreement. It never does. The first exposure to a structural shift almost always triggers confusion or hesitation. That hesitation can become resistance. The conflict is emotional, not intellectual. Any CIO who wants to lead change without unnecessary turbulence must address that pattern directly and build a process that gives people time, clarity, and a sense of recognition before decisions are made.

A structured approach to governance

Shared governance works best when communities acknowledge the difference between decision rights and influence rights. Decision rights describe who ultimately owns the call. Influence rights describe who deserves to shape, question, and inform that call. Across a large campus, nearly everyone sits somewhere on one of those two paths. Most people do not resent a CIO’s decision rights. They resent processes that ignore their influence rights. When influence is bypassed, even necessary decisions feel imposed. When influence is honored, the same decision feels legitimate.

The institution benefits from a predictable rhythm that respects both kinds of rights. Significant change should move through a structure that mirrors the rituals of legislative bodies. Every major policy or process update deserves two readings. The first introduces the issue. Leadership explains the problem the institution is trying to solve and the direction of the proposed solution. The aim is not consensus. The aim is friction. This is the moment for stakeholders to surface concerns, question assumptions, and expose risks that may not be visible from the center.

The second reading comes after time has passed and feedback has been absorbed. Leadership returns with a revised version. They explain what changed and why. They walk through what remains and the rationale for keeping it. They ask again for unresolved concerns. By this point, the community has had time to think and shift from initial reaction toward genuine engagement. The process gives people the space to move from emotion to clarity, and from surprise to contribution.

Why the second reading matters

People engage more seriously on the second reading. The first reading hits the room cold. It triggers confusion or silence, and neither is helpful. Silence, in particular, creates risk. It leaves leadership with a false sense of alignment. The second reading signals something different. It shows that leadership is committed to transparency. It shows that feedback is sought and that the CIO is willing to pause, revise, and return. Once a second reading becomes part of the governance pattern, people cannot credibly claim later that they were left out of the process. The surprise disappears. The temperature drops. The conversation becomes constructive rather than defensive.

The bridge to empathy

This structure works best when paired with Chris Voss’ concept of the accusation audit. Before the first reading, the leadership team should list every fear or suspicion the audience might hold. They should name them honestly. People may fear a loss of control. They may believe the change will increase workloads without support. They may suspect the decision is already made. Naming these concerns out loud removes their emotional power. It gives the room a chance to relax. It shows stakeholders that leadership understands their perspective before asking for their input.

After the first reading, the team should conduct a second, shorter audit of new concerns that arise. When they return for the second reading, they can close the loop. They can say what they heard, how it shaped revisions, and why certain items remain unchanged, reinforcing trust. It makes engagement feel real rather than symbolic.

The final word

The gains of a predictable process are real. A structured approach helps leadership surface conflict, reduce defensiveness, and build trust through clear engagement and responsiveness. Stakeholders get space to think, ask questions, and shape outcomes. The institution gains a reliable way to modernize policy, strengthen compliance, and introduce new tools without triggering backlash. Disagreement still happens, but it becomes manageable. It becomes part of a constructive rhythm rather than a surprise.

CIOs cannot avoid difficult decisions or the pressures that come with modernization. They can avoid the cycle of unnecessary conflict that undermines credibility and burns relationships. The Two Readings Method, paired with a thoughtful accusation audit, creates a rhythm that fits the culture of higher education while still supporting decisive action. The goal is never manufactured consensus. The goal is clarity, trust, and a shared sense of responsibility for the institution’s long-term resilience.