One Signer, One Conversation
At a mid-size public or private university — enrollment somewhere between 5,000 and 25,000, IT staff measured in dozens rather than hundreds — the CIO holds decision authority for an IAM purchase. The CISO doesn't escalate to a committee. The VP for Finance doesn't co-sign after a steering group blesses the spend. That concentration of authority is the structural fact that shapes everything else about how you sell into this tier.
It means the discovery conversation and the budget conversation happen with the same person. It means political alignment across IT, finance, and academic affairs is the CIO's problem to manage, not yours to navigate around. And it means the argument that lands in that one conversation has to work on two registers simultaneously: technical credibility and budget justification. A rep who brings only one walks out with a follow-up meeting scheduled for a quarter that never comes.
The CIO at this tier is managing three simultaneous pressures that have nothing to do with identity infrastructure: enrollment decline squeezing the tuition revenue that funds everything, deferred infrastructure debt from the COVID years when capital projects froze, and staff attrition in IT that has left institutional knowledge walking out the door faster than it can be documented. Your product enters that context. The question the CIO is actually asking is not "is this the right IAM platform" — it's "can I justify this spend when I'm also being asked to cut two positions and defer the network refresh."
The answer is yes, but only if you've done the math before the meeting.
The Enrollment Cliff Is the Budget Reframe
Enrollment decline isn't backdrop. It's the argument.
EDUCAUSE's 2025 Higher Education IT Workforce and Budget Study found that 61% of CIOs at institutions under 15,000 enrollment cited "declining net tuition revenue" as the primary constraint on new technology investment. The same study found that IT operating budgets at this tier have grown an average of 2.1% annually since 2022 — well below inflation — while support ticket volume has increased roughly 18% over the same period, driven largely by remote and hybrid access patterns that didn't exist pre-pandemic.
That gap is your opening. IAM converts from a cost line to a cost-reduction lever when you map it to three specific numbers the CIO already tracks.
Provisioning labor hours. Manual joiner-mover-leaver processes at a 12,000-student institution typically consume 1.5 to 2.5 FTE-equivalents of IT staff time annually, distributed across helpdesk, systems administration, and departmental IT coordinators who are manually managing access requests. The CIO knows what their staff costs. Give them the calculation.
Helpdesk ticket volume. Password reset and access request tickets typically represent 25–35% of total helpdesk volume at institutions without self-service identity capabilities, according to the 2024 EDUCAUSE Core Data Service benchmark. At a 10,000-student institution, that's real money resolving tickets that generate zero institutional value. The number that lands is the per-ticket cost — HDI's 2024 Support Center Practices report puts the fully loaded cost of a Level 1 ticket at $22 to $28. Do the multiplication.
Breach cost avoidance. This is the asymmetric risk argument. A mid-size university that cannot absorb a seven-figure incident — and most cannot, given reserve levels — is carrying existential risk on a cost line that looks like an IT infrastructure decision. Frame it that way. The CIO who has watched peer institutions spend two years in breach recovery mode will hear this differently than the CIO reading a product spec sheet.
| Metric | Baseline (10–12K enrollment) | Estimated Annual Cost | Reduction Potential |
|---|---|---|---|
| Provisioning labor | 1.5–2.5 FTE-equivalents | $127K–$212K (at $85K loaded) | 60–70% via lifecycle automation |
| Access/password helpdesk tickets | 8,000–12,000 tickets/year | $176K–$336K (at $22–28/ticket) | Majority eliminated via self-service |
| Breach cost exposure | — | $4.3M avg. (Ponemon 2025) | Removes primary credential entry vector |
The combined argument: automated IAM reduces provisioning labor by 60–70%, eliminates the majority of access-related helpdesk volume, and removes the credential management vulnerabilities that are the entry point in the majority of higher ed breaches. That's a budget conversation, not a technology pitch.
ERP Migration: Open Door or Locked One
The ERP migration variable is the most important deal-stage question you can ask in discovery, and most reps don't ask it until they've already lost three months.
When an ERP migration is active — Workday, Banner 9, Ellucian Colleague moving to the cloud — identity becomes urgent and co-dependent. The institution is rebuilding its authoritative source of truth for HR and student records, which means every downstream system that depends on that data for provisioning is in motion simultaneously. That's the moment when a CIO is most receptive to modernizing identity infrastructure, because the alternative is integrating a legacy IdP with a new ERP and inheriting a new set of brittle connectors. The deal accelerant is real: active ERP migrations compress IAM deal cycles from the 6–12 month norm to as short as 90 days when the integration dependency is explicit.
When an ERP migration just closed — in the last 12 to 18 months — appetite for another infrastructure project is near zero. The institution is in stabilization mode. The CIO is managing post-migration cleanup, staff recovery from an 18-month implementation sprint, and a budget that absorbed significant professional services spend. Walking in with another infrastructure proposal at this moment is not just poorly timed; it signals that you didn't do your homework.
Ask directly in discovery: "Where are you in your ERP lifecycle?" The answer tells you whether you're pushing on an open door or scheduling a conversation for 18 months from now.
What Actually Moves the Cycle
The 6–12 month deal cycle at this tier is real, but it's not a fixed variable. Three things compress it.
Active pain with a named cost. A recent breach, a failed audit finding, or a compliance gap with a dollar figure attached moves a CIO from "interested" to "urgent." The institutions that closed in 90 days in 2024 almost universally had a specific incident driving the timeline.
Budget cycle alignment. Mid-size public universities typically finalize IT capital budgets in March and April for the following fiscal year. A deal that enters serious evaluation in January has a path to close. A deal that enters evaluation in May is waiting for the next cycle unless there's emergency discretionary spend available — and there rarely is.
A champion with a mandate. The CIO who has been told by their president or provost to "fix the identity problem" after a breach or audit finding is a different buyer than the CIO who is self-initiating. The champion with a mandate has political cover to move fast. Find out who gave them the directive and what the deadline is.
What extends the cycle: change-management fatigue from a recent ERP or infrastructure project, shared services negotiations with a system office that want to consolidate purchasing, and mid-year budget freezes triggered by enrollment shortfalls. All three are common at this tier right now. Ask about all three before you build a close timeline.
The CIO is the deal. Make the budget argument, know the ERP status, and align to the calendar.