The structural fact that defines a Tier 2 deal is concentration. One person holds the budget, the vendor relationship, and the GLBA compliance obligation. That person is the CIO. They have a CISO or director-level equivalent who influences the decision but doesn't sign it, a CFO or president who controls whether the budget request survives, and enough institutional complexity to need real identity governance without enough staff to evaluate it on a leisurely timeline. If you pitch IAM as security spend at Tier 2, it dies in the budget conversation you'll never see. The reframe is cost-reduction automation. Everything below follows from that.
Recognition Cues
You can confirm Tier 2 in five minutes with public sources:
- Enrollment: 5,000–25,000 total headcount (not FTE). Below 5,000, the institution likely lacks the lifecycle complexity and faces a lighter GLBA compliance burden. Above 25,000, you're usually looking at R1 infrastructure and distributed IT governance with independent security budget authority.
- Carnegie classification: R2 (139 institutions in the 2025 Research Activity Designations), M1, or Doctoral/Professional. The 2025 update separated research activity from institutional classification; many institutional websites still display 2021 Basic labels. Note: 32 former R2 institutions moved to R1 in 2025, so verify against the current designations.
- Federation footprint: Listed in the InCommon participant registry. Running Shibboleth IdP or a hybrid Shibboleth/commercial IdP. A pure commercial IdP with no Shibboleth presence means a different federation conversation.
- IT org chart signals: CIO title (not VP of IT, not Director of Technology). If a CISO is listed, check reporting line. At Tier 2, the CISO almost always reports to the CIO.
- Research expenditures: $5M–$50M. Enough to create research identity governance complexity (PI affiliations, sponsored accounts, lab access). Too small to fund a dedicated research computing identity team.
- Health sciences or satellite campuses: Present but not autonomous. A nursing school, a clinical affiliation, an extension campus. These generate identity lifecycle edge cases without the budget to solve them independently.
Representative institutions: Ball State, Western Michigan, James Madison, Boise State, University of North Dakota.
What Hurts Right Now
Three pressures are hitting the same CIO simultaneously, and the CIO doesn't have the staff to address them in sequence.
Provisioning and deprovisioning friction is the center of gravity (universal). A 15,000-student institution with annual lifecycle churn routinely approaching or exceeding 40% of total enrollment creates and retires thousands of accounts each semester: new admits, graduates, transfers, stop-outs, dual-enrolled and continuing education students cycling through every term. At Tier 2, this process is semi-manual: batch feeds from the SIS to the IdP, with manual exception handling for affiliations that don't fit clean categories. The labor cost is real, and the orphaned accounts are worse. They persist because deprovisioning requires a human decision nobody has time to make, and every one of them is a GLBA finding waiting to happen.
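The reconciliation that paragraph describes, written out as an added example (not the page's or any vendor's code): the SIS rows, IdP export, status names and 30-day grace window are all constructed assumptions, and the affiliation values follow the eduPerson vocabulary the text later refers to.

```python
"""Reconcile a SIS enrollment feed against an IdP account export to surface
orphaned accounts and affiliation gaps. Constructed data; assumed 30-day grace."""
from datetime import date, timedelta

GRACE_DAYS = 30                 # assumed: separated users keep access this long
ACTIVE_STATUSES = {"enrolled"}  # SIS statuses that justify a live student affiliation

# Constructed SIS feed rows: id, current term status, separation date if any.
SIS_FEED = [
    {"id": "u1001", "status": "enrolled",  "separated": None},
    {"id": "u1002", "status": "graduated", "separated": date(2025, 5, 10)},
    {"id": "u1003", "status": "stop_out",  "separated": date(2025, 8, 15)},
    {"id": "u1004", "status": "enrolled",  "separated": None},
]
# Constructed IdP export: eduPersonAffiliation values and whether login is enabled.
IDP_ACCOUNTS = [
    {"id": "u1001", "affiliation": {"student", "member"}, "enabled": True},
    {"id": "u1002", "affiliation": {"student", "member"}, "enabled": True},
    {"id": "u1003", "affiliation": {"student", "member"}, "enabled": True},
    {"id": "u1004", "affiliation": {"alum"},              "enabled": True},
    {"id": "u1005", "affiliation": {"student", "member"}, "enabled": True},
]

def reconcile(sis, idp, today):
    """Bucket enabled IdP accounts by what the system of record says about them."""
    by_id = {row["id"]: row for row in sis}
    findings = {"orphaned": [], "in_grace": [], "mismatched": [], "unsourced": []}
    for acct in idp:
        if not acct["enabled"]:
            continue                                   # disabled: not a live-access risk
        row = by_id.get(acct["id"])
        if row is None:
            findings["unsourced"].append(acct["id"])   # no SIS record at all
        elif row["status"] in ACTIVE_STATUSES:
            if "student" not in acct["affiliation"]:   # enrolled but under-provisioned
                findings["mismatched"].append(acct["id"])
        elif row["separated"] and today - row["separated"] <= timedelta(days=GRACE_DAYS):
            findings["in_grace"].append(acct["id"])    # recently separated; should age out
        else:
            findings["orphaned"].append(acct["id"])    # separated past grace, still enabled
    return findings

def run_sample():
    """Run the reconciliation on the constructed data as of an assumed report date."""
    return reconcile(SIS_FEED, IDP_ACCOUNTS, date(2025, 9, 1))

if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket:10s} {ids}")
```

Every id in the `orphaned` and `unsourced` buckets is an enabled credential with no current system-of-record justification, which is the population an audit will read as a GLBA access-control finding.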
GLBA compliance pressure arrives without compliance staff (universal). The Safeguards Rule has been in effect since June 2023, with breach notification requirements added November 2023. MFA for any system touching Title IV student financial data. A designated Qualified Individual to oversee the information security program. Annual reporting to the board. At Tier 2, the QI is almost always the CIO personally. The 5,000-student threshold matters: institutions above it face the full nine-element requirement (Baker Tilly, February 2026). Noncompliance jeopardizes Title IV eligibility, which is the revenue stream that keeps the institution open.
The budget is contracting underneath all of this (universal in direction; severity varies by enrollment composition). Fitch's deteriorating sector outlook and S&P's documentation of operating deficits at mid-size privates form the financial backdrop. International student revenue contraction hits institutions with significant international enrollment hardest. The CISO staffing crisis compounds it everywhere: EDUCAUSE's 2025 Cybersecurity Workforce report finds teams "overwhelmed by excessive workloads, understaffing, and limited institutional support"; cross-sector data puts it sharply — only 11% of CISOs report adequate staffing (IANS/Artico, 2025), and security budgets are growing at roughly 4%. At Tier 2, 4% growth on a small base buys nothing. Over a third of institutions now outsource some cybersecurity services (EDUCAUSE, 2023), and the vCISO model is increasingly common at this tier. Field input from AEs encountering vCISO structures at current Tier 2 accounts would sharpen this prevalence estimate; public data is thin.
The CIO needs to automate lifecycle management to reduce headcount dependency, satisfy GLBA access control requirements, and close the orphaned-account risk, all within a contracting budget. IAM positioned as a new security line item competes against that pressure. Position it as the automation that reduces manual labor costs and closes the compliance gap, and it works with the budget conversation rather than against it.
Who's in the Room
| Role | Controls | Cares About | Risk If Absent |
|---|---|---|---|
| CIO | IT budget, vendor relationship, GLBA QI designation | Cost justification, compliance posture, operational continuity | No deal. Period. |
| CISO / Dir. of InfoSec | Technical evaluation, HECVAT review | Architecture fit, federation coexistence, risk reduction | CIO lacks technical confidence to sign |
| Registrar / VP Enrollment | SIS data that drives provisioning | Enrollment operations, data integrity | Lifecycle integration fails post-sale |
| CFO / VP Finance | Budget approval above CIO authority | Cost avoidance, FTE reduction, audit remediation | Budget request dies in cycle |
CIO — the single signer. Controls the IT budget, owns the vendor relationship, and is personally named as the GLBA Qualified Individual. At master's-level institutions, the CIO reports to the president or the CFO in roughly equal proportion (EDUCAUSE ECAR, 2018; structural pattern corroborated by 2025 EDUCAUSE Hotline discussion, though updated survey data would strengthen this). This matters for your deal. If the CIO reports to the CFO, your deal lives or dies on cost justification. If the CIO reports to the president, the compliance and institutional-risk framing has a shorter path to approval. Find out which before your first meeting.
CISO or Director of Information Security — the influencer. Reports to the CIO at the vast majority of Tier 2 institutions (83% of CISOs report to the CIO, EDUCAUSE 2018). Does not hold independent budget. Evaluates architecture, runs the HECVAT review, shapes the CIO's technical confidence. This person may also carry the privacy officer title, dedicating on average 10% of their time to privacy duties (EDUCAUSE). They will be your most technically rigorous evaluator and your most time-constrained stakeholder. Keep both of those facts in front of you.
Registrar or VP of Enrollment Management — the pain owner you won't meet. Doesn't attend the IAM evaluation, but owns the process that generates the lifecycle churn. Their office files the SIS data that drives provisioning. If your solution requires changes to how enrollment data flows, the Registrar's cooperation is a prerequisite. Getting the Registrar's pain into the conversation, even indirectly, strengthens the CIO's internal case. Field validation from current pipeline would confirm this pattern across institutions; the claim is drawn from operational experience at this tier.
CFO or VP of Finance — the budget gate. Cares only whether the CIO's request survives the budget cycle. The CIO has to translate your value proposition into the CFO's language: cost avoidance, FTE reduction, audit finding remediation. Your job is to arm the CIO with the numbers that survive that room.
Most commonly missing stakeholder: the Registrar. Every time.
Sound Like You Belong
We cover this because the three-minute detection window is real. Campus CISOs and CIOs have heard hundreds of vendor pitches. They can tell within the first few exchanges whether you understand their institutional context or whether you're running an enterprise playbook with "university" pasted over "company." The vocabulary signals below are evidence of work done, and the absence of that evidence is its own signal.
Use naturally: "lifecycle governance," "student lifecycle churn," "orphaned accounts," "affiliation-based access" (they think in eduPerson attributes, not roles), "federation," "the IdP," "HECVAT," "InCommon." If you reference the institution's Shibboleth deployment, say "your Shibboleth IdP" or "your federation presence." Not "your SSO."
Acknowledge by name: InCommon as the federation trust framework. Internet2 as the community infrastructure InCommon operates within. HECVAT as the security assessment instrument. REN-ISAC as the sector threat intelligence community. GLBA Safeguards Rule as the compliance driver. Treat these as institutional infrastructure, because that's what they are.
Frame identity as operational. At Tier 2, identity governance is the thing that breaks during the first week of fall semester when 4,000 new students need accounts, 800 continuing students have changed majors, and 200 graduates still have active credentials. Lead with that operational reality. The CIO has lived it.
Name the budget constraint. "I know you're being asked to do more with the same headcount" earns trust because it's true.
Trust-Killers
- "You're probably already paying for this through your Microsoft licensing." The most common incorrect play. Most mid-size institutions are on A1 or A3, not A5. Even A5 includes Entra ID P2 but does not include Entra ID Governance, which is the lifecycle automation layer that solves the provisioning problem. Probe which licensing tier they're on before conceding the bundling objection. Note: Microsoft adjusts education SKU bundling periodically; verify current tier-specific inclusions before deploying this in conversation. The structural point holds regardless: the governance layer is a separate purchase.
- Leading with "zero trust" or "identity is the new perimeter." Generic enterprise framing. The Tier 2 CIO has heard it. It doesn't connect to their operational pain, which is that they can't deprovision accounts fast enough and they're one audit cycle away from a GLBA remediation plan.
- Enterprise customer logos without higher ed references. Fortune 500 logos signal that you don't understand the difference between an enterprise with an HR system of record and a university with a SIS, an HR system, a research administration system, and a continuing education platform, none of which agree on who is currently affiliated.
- Pitching agentic AI or NHI governance at Tier 2. Premature. The Identity + AI category argument has a place, but at an institution that hasn't solved basic lifecycle automation, it reads as a vendor who can't see the institution in front of them. Hold it.
- Skipping the HECVAT. If you can't produce a completed HECVAT with every line answered (verify the current version before citing a version number in conversation), the CISO will flag it and the deal slows to the speed of your compliance team's response time. Every unanswered line tells them something about how seriously you take their process.
- Treating the CISO as the decision-maker. The CISO influences. The CIO signs. If your entire engagement is with the CISO, you have a champion without budget authority. The budget conversation happens between the CIO and whoever the CIO reports to, and that conversation is where your deal gets decided.
Things to follow up on...
- Canvas breach, May 2026: ShinyHunters exploited Free-For-Teacher accounts to exfiltrate 3.65 TB from Instructure's Canvas LMS, disrupting final exams at colleges nationwide and demonstrating exactly the credential governance gap that Tier 2 institutions carry in their third-party vendor relationships.
- NC State's Shibboleth-to-Entra migration: The first major public university to announce a Shibboleth SSO migration to Entra ID, with no estimated end date for Shibboleth. A competitive signal worth tracking, but the undefined timeline and persistent InCommon federation requirements mean coexistence, not displacement.
- HECVAT 4.1.5 now includes AI: The February 2025 release consolidated Full, Lite, and On-Premise into a single 321-question assessment with new sections on privacy and AI governance aligned to the NIST AI RMF.
- Entra Governance is unbundled: Microsoft's lifecycle automation layer (Entra ID Governance) is not included in A5/P2 and requires a separate purchase or the full Entra Suite at $12/user/month. This is the most important competitive fact for the Tier 2 provisioning conversation.