Recognizing the Environment
The CIO's title might be Director of IT. She might also be the network administrator, the help desk escalation point, and the person who drives to the data center on Saturday when the HVAC alert fires. The institution has between 800 and 6,000 students. The IT staff is three to twelve people. There is no CISO. There may not be a dedicated security role at all.
If the person you're talking to describes their identity environment as "we use Active Directory and it mostly works," you are in a Tier 3 institution. Community colleges. Small liberal arts colleges. Regional teaching institutions where the entire annual IT budget would not cover a single enterprise identity deployment at an R1.
The buying environment here is structurally different from mid-size institutions. Entirely different decision dynamics, different budget mechanics, different relationship between technical authority and spending authority. If you run a Tier 2 playbook, you will waste the call.
Who's in the Room
At a mid-size university, an identity purchase moves through committee: vendor risk review, IT governance, CFO's office, possibly a provost sign-off. At Tier 3, decision authority concentrates in one or two people. The CIO (or Director of IT) and the VP of Finance. Sometimes the president, if the dollar amount crosses a threshold that might be as low as $25,000.
The coalition-building that defines a Tier 2 sale doesn't apply. One person has both technical understanding and budget authority, or can walk down the hall to the person who does. But that person is overwhelmed. She has nine other fires and identity governance is not one of them today. Your email sits unopened alongside forty others because she is the entire security function, the entire IAM function, and the help desk escalation path, all at once.
The corollary: when she does engage, decisions can move fast. No committee calendar. No six-month procurement cycle. A conversation with the VP of Finance, a purchase order, a start date. Attention is the bottleneck.
What Actually Triggers a Purchase
At Tier 3, identity purchases follow events. Something happened.
A peer institution got hit. The Community College of Beaver County ransomware incident (March 2026) sent a signal through every community college system in the region. When a peer goes down, the CIO's phone rings. The president asks the question. The honest answer is usually yes, we have similar gaps. That is the opening.
The insurance carrier forced the conversation. Cyber insurers now require MFA evidence and vendor risk documentation (EDUCAUSE, May 2025) as conditions for coverage. Dean & Draper (March 2025) reports that several carriers have exited the education market, and institutions that cannot demonstrate basic controls face rising premiums or outright denial. For a community college operating on margins where a $40,000 premium increase has to come from somewhere, the insurance renewal conversation becomes the security conversation. The VP of Finance is in the room because the carrier told her she has to be.
A system-office mandate arrived. State legislatures passed 99 cybersecurity-related bills in 2025 (Government Technology, February 2026). Some require NIST CSF alignment. Some mandate MFA. Some are unfunded. But when the system chancellor's office sends a directive requiring specific controls by a specific date, the CIO has cover to spend money she couldn't justify before. The mandate is the permission structure.
The pattern across all three: something external forced the conversation. Nobody woke up wanting to buy an identity solution. Your job between triggers is to maintain the relationship so that when the trigger fires, you are the call she makes.
The Safety Net Disappeared
This context matters because it has changed materially in the last twelve months.
The Multi-State ISAC, which provided free threat intelligence, vulnerability scanning, and incident response to public institutions for 21 years under a CISA cooperative agreement, shifted to a fee-based model (starting ~$1,495/year) after federal funding ended September 30, 2025. Two-thirds of states and thousands of local governments have dropped out.
The Multi-State ISAC (Cybersecurity Dive, October 2025) transition hit Tier 3 hardest. For the community college CIO who relied on MS-ISAC's free Albert sensor for network monitoring, that capability simply vanished. The fee-based model (StateTech, February 2026) is modest by enterprise standards, but at institutions where every line item gets scrutinized, it represents a new cost for something that used to be free.
The broader CISA contraction compounds the loss. The agency's workforce fell from roughly 3,400 to 2,400, a reduction of more than 29 percent, by December 2025. Regional security advisors are being consolidated, the K-12 Cybersecurity Government Coordinating Council was paused in Spring 2025 (U.S. Department of Education), and the Cyber Defense Education and Training program absorbed a $45 million cut (Nextgov/FCW, June 2025). The external safety net that partially compensated for being under-resourced no longer exists. Your identity conversation lands in an environment where the gap between what she needs and what she has access to is wider than it was a year ago.
How the Money Actually Moves
Most Tier 3 institutions lack procurement offices capable of running a competitive bid for identity software. They use cooperative purchasing vehicles. If you are not on one, you are adding friction to a process with almost no tolerance for it.
| | E&I Cooperative Services | OMNIA Partners |
|---|---|---|
| Focus | Education-exclusive, member-owned | Broad public sector including education |
| Cost to join | Free | Free |
| Cybersecurity contracts | Yes, explicit category (Sept 2024) | Yes |
| Procurement benefit | Pre-negotiated; satisfies most state/federal bid requirements | Pre-negotiated; direct purchasing, no separate bid |
| Additional value | Annual patronage refunds based on usage | Cross-sector contract breadth |
If your product is available through E&I or OMNIA, say so in the first conversation. It removes the procurement objection before it forms. If it is not, understand that you are asking a three-person IT shop to run a procurement process they do not have staff for.
Vocabulary Signals
Listen for how the CIO describes her environment.
- "We're mostly on-prem" means Active Directory, possibly with Azure AD Connect (now Entra Connect), possibly not.
- "We use Google" means Google Workspace as the de facto identity provider, likely without formal lifecycle management.
- "Our SIS handles it" means the student information system is doing identity work it was not designed to do, and nobody has mapped the provisioning flow.
- "Zero trust" — ask what she means by it. At Tier 3, it often means awareness of the direction without the staff to translate it into architecture. That awareness is real. Meet her where she is.
- "We passed our audit" — ask which one. A financial aid compliance review and a penetration test are different conversations, but at Tier 3 they sometimes get conflated because the same person handles both.
What Kills the Call
The enterprise pitch. If your first slide shows a deployment architecture that assumes a dedicated IAM team, a SOC, and a vendor risk committee, you have told her you do not understand her institution. She does not have those things. She is the IAM team.
Leading with NHI or agentic AI. Non-human identity governance and agentic AI risk are real concerns and growing. They are not first-call concerns at Tier 3. These institutions are working on MFA coverage and basic lifecycle management. If you lead with machine identity governance, you are solving a problem she will have in three years while she is dealing with one she has right now. Hold that argument. Bring it back when foundational controls are in place and she is ready for what comes next. You will know because she will ask.
Not knowing the consortium question. If she asks whether you are on E&I and you don't know what E&I is, the call is functionally over. You have revealed that you haven't done the basic work of understanding how her institution buys things.
Treating her like she's behind. She knows her environment has gaps. She does not need you to catalog them. A 2,500-student community college with four IT staff and a $200K security budget is an institution type with its own constraints, its own decision dynamics, and its own definitions of what progress looks like. The rep who gets the second call is the one who demonstrated, in the first call, that she understood that.
Between Triggers
At Tier 3, the sale almost never closes on the first call. It closes when the trigger fires and you are the person she already trusts. That trust gets built in the months between triggers, through acts that demonstrate value without asking for anything in return.
The Canvas breach summary from the companion piece in this issue, trimmed to two paragraphs with the question her institution should be asking its LMS vendor about ungoverned credential pathways, forwarded without a pitch attached. A ten-minute check-in after the MS-ISAC transition that asks how she's replacing the Albert sensor and leaves it there. An introduction to a peer CIO at a similar-sized college who solved a lifecycle management problem with similar constraints.
The institution that eventually buys from you will buy because, when the insurance carrier said "show us your MFA coverage or we're not renewing," you were already in the conversation.

