4Quays
Sign In

Canada's PQC Workforce Challenge: An Executive Summary

Canada faces a projected deficit of 15,000-25,000 PQC specialists by 2035. Four recommendations for Ontario universities to close the quantum-safe skills gap.

Cover Image for Canada's PQC Workforce Challenge: An Executive Summary

4Quays Technology Inc.

In this Executive Summary we have focussed on post-quantum cryptographies as the primary driver for quantum-safe IT outcomes. Other methods exist such as quantum key distribution and more should be expected. However, the projected deficit herein for specialized human resources in Canada focusses on the fact that demand for quantum-safe outcomes will necessarily rely on PQC during the relevant period of examination (i.e. until 2035). Organizations must be quantum-safe before cryptographically relevant computers emerge. Mosca's Theorem suggests we are in the red zone meaning time to transition is now a real concern.

  • Using four independent estimation methodologies, we currently estimate the Canadian PQC transition with a central estimate of approximately 15,000--25,000 incremental jobs over the 2026--2035 period. This does not end the PQC era, it transitions it into operations, incident management and re-implementing on-going new PQC and other quantum-safe algorithms.
  • These jobs span software and hardware companies (including IoT) that must update their products (the "supply side") and enterprises and organizations across all sectors, particularly national critical functions that must migrate their own systems to PQC (the "demand side").
  • PQC migration is not just a technical upgrade but an enterprise-wide transformation requiring interdisciplinary talent spanning applied mathematics, protocol engineering, systems architecture, data modelling, operations, governance, incident and risk management. And AI/ML and Cloud applications.
  • Canada's current estimated cybersecurity workforce deficit of 10,000--25,000 unfilled roles (i.e. the current knowledge base does not provide the actual operational experience needed) over the 2026-2035 period, means PQC-specific talent should benefit from intense job demand and opportunities until academic and training pipelines are scaled significantly.
  • Cryptography is typically offered as a single elective course within broader cybersecurity or computer science programs, not as a meaningful specialization track. Historically this made sense given the stability, best practices and long secure life of classic cryptographies and their supporting systems. A review of Canadian cybersecurity curricula reveals consistent patterns that require fresh assessment.
  • PQC migration, implementation, operations and incident management require skills that go well beyond introductory cryptography, theories of applied cryptography and should include classroom and lab learnings from real world operations. In fact, the overall skill sets are akin to a specific systems engineering, architecture, operations and governance specialization.
  • There are a host of relevant factors, very difficult to quantify yet, but which appear probative, which are quite likely to impact the above skills gap in PQC:
    • The Theory to Practice gap (this may well increase the headcount that may have to be thrown at problems given the lack of developed specialists, the complexity of archeological layers of IT artefacts and emergent environments and new applications)
    • The AI/ML Opportunity Risk (this may greatly decrease the available pool as key talents elect to go into these markets)
    • The US Market Attraction Risk (job prestige and salary differentials may bleed the available pool away from Canada)
    • The Operational Technology Risk (uplifting long lived OT products requiring solutions may further bleed talent to the US et al given our relative global weakness in OT markets)
    • The Retirement Risk (existing human resources that implemented roots of trust and have hands on experiences upgrading prior cryptographic algorithms in operations (e.g. SHA-1 to SHA-2 etc.), are aging out and may not be an available source of knowledge and experience transmission).
    • The Geo-Political Risk (may increase demand in each jurisdiction as sovereigns may choose to create sovereign cryptographies and/or not adopt NIST standards embedded in US Platform companies that extract and collate data from AI, Cloud and Quantum).

Some Ideas

The following ideas are drafted as recommendations for consideration directed to the Council of Ontario Universities (COU) and Ontario's 24 publicly assisted universities to consider whether course corrections are required to help address the anticipated skills shortages. They are aligned with the province's 2025--2030 Strategic Mandate Agreements (SMAs), Ontario's $750 million STEM investment over five years, and the COU's own 2026 pre-budget submission which explicitly identifies cybersecurity and defence as strategic sectors where universities must develop the workforce and research that power Ontario's long-term competitiveness.

Recommendation 1: Establish PQC-Focused Graduate Programs

Ontario universities should develop dedicated Master's and PhD streams in Applied Cryptography and Quantum-Safe Systems. The current pipeline analysis demonstrates that only ~5% of cybersecurity graduates possess the interdisciplinary skills required for introduction into PQC work. Existing programs treat cryptography as one module among many; the PQC transition demands dedicated depth and breadth.

Recommended program structures:

  • Master's (or Graduate Certificate) in Applied Cryptography and Quantum-Safe Systems (course-based, 12--16 months): Covering lattice-based cryptography (e.g. ML-KEM, ML-DSA), hash-based signatures (e.g. SLH-DSA), protocol engineering (TLS 1.3, IPsec, SSH), HSM/PKI architectures, crypto-agility architectures, and principles of enterprise migration and planning for steady state operations.
  • PhD programs in Quantum-Safe Cryptographic Systems: Aligned with the research frontier including algorithm optimization, side-channel resistance, emergent alternatives, formal verification of PQC implementations, entropy, interoperability, latencies, and compute environments for OT and IoT.
  • Continuing Education and Micro-Credentials: Purpose-built PQC certificate programs (8--12 weeks) for mid-career professionals, targeting upskilling pathways identified in herein as the single largest possible source of PQC talent (35% of projected workforce). These should be eligible for Ontario's Canada Tax Credit Benefit and aligned with the CCCS PQC Roadmap's Phase 1 (Preparation) and Phase 2 (Identification) skill requirements.

Anchor institutions: An approach required to bring specific intentionality and distribution of scarce skills into real world quantum-safe applications and operations: University of Waterloo (Cybersecurity and Privacy Institute), University of Toronto, Carleton University (Ottawa proximity to CCCS/CSE), Queen's/RMC (NSERC CREATE Cybersecurity Program), University of Guelph (MCTI program), and York University (Lassonde School computer security degree) are potentially well-positioned to lead.

Alignment: Ontario SMA 2025--2030 performance metrics (graduate employment, experiential learning, research impact); Ontario's $750M STEM investment; COU 2026 pre-budget priority of cybersecurity workforce development; CCCS PQC Roadmap Phase 1 requirement for departmental migration plans by April 2026.

Recommendation 2: Industry-University Collaboration for Teaching and Research

PQC is an applied and evolving discipline where academic theory must be continuously tested against enterprise and advanced threat realities. Ontario universities should establish structured collaboration models with industry practitioners who bring direct experience in prior and emergent quantum-safe cryptographic operations, migration planning, and architectural governance.

Specific mechanisms:

  • Industry Adjunct and Practitioner-in-Residence appointments: Bring PQC migration leads, applied cryptographic engineers, security architects and operations personnel (including incident management) from Canadian enterprises and government (CSE/CCCS, major banks, telcos, critical infrastructure operators) into graduate classrooms.
  • Joint Research Chairs in Cryptographic Operations and Sovereignty: Funded through NSERC, Ontario Research Fund, and industry matching. Research priorities should include: Cryptographic inventory and Bills of Materials (CBOM) and their automation, cryptographic entropy measurements in constrained compute applications, crypto-agility architecture patterns, PQC migration risk modelling, cascade failure scenarios, side injection attacks including EMP.
  • Applied Research Partnerships with PQC Solution Providers: Ontario-based companies building PQC discovery, inventory, and migration tools should provide real world learnings and help co-develop research programs with university labs. This creates a virtuous cycle: prior experience in cryptography leads to innovation from the quantum and AI event, adoption leads to real world learnings, academic research improves tools, tools create experiential learning opportunities for students, helping graduates to enter industry with hands-on PQC migration experience.
  • Defence and Intelligence Community Engagement: The recent "New Architecture of Power" paper frames cryptographic sovereignty as a five-layer national capability (cryptographic, cognitive, metabolic, spatial, adaptive). Ontario's proximity to CSE (Ottawa), CFB Kingston, and the broader Five Eyes intelligence community creates unique opportunities for classified and unclassified research collaborations. The paper's concept of the "sovereignty multiplier" -- measuring how effectively a state's technical and institutional systems convert latent capacity into decisive action -- provides insights into research frameworks that help bridge defence studies and applied PQC for quantum-safe systems.

Alignment: COU 2026 pre-budget submission emphasis on university research driving innovation in defence and cybersecurity; NSERC CREATE program model (Queen's/RMC); Ontario SMA experiential learning metrics; National Quantum Strategy $360M allocation.

Recommendation 3: PQC Test Labs and Centres of Excellence

Ontario should establish dedicated PQC Test Labs and at least one Centre of Excellence in Cryptographic Operations and Change Management. PQC migration is not just a software update -- it also involves deep interoperability testing, latency and performance benchmarking, supply chain integrations and operabilities, centralized operational and failure-mode analysis that requires intentional and purpose-built innovations.

Sample proposed infrastructures:

  • Ontario PQC Interoperability Centre of Excellence Test Lab: A shared facility where enterprises, government departments, and software vendors can test PQC-migrated systems against real-world protocols and reference IT stacks. A test lab can help replicate sample conditions safely. Located at a hub university (Waterloo or Toronto) with satellite access for other institutions.
  • Centre of Excellence in Enterprise Cryptographic Operations: An interdisciplinary research centre spanning computer science, mathematics, engineering, business/governance, and public policy. Research agenda aligned to frameworks for enterprises and organizations, boards, regulators, and insurers. Industry membership model ensures financial sustainability and knowledge transfer.
  • HSM/KMS Testing Facility: Many deployed HSMs and almost all PKI's do not yet support PQC algorithms. A shared testing facility with vendor-loaned hardware allows select students and researchers to gain hands-on experience with Thales, Entrust, AWS CloudHSM, and other platforms so that the impact of future compute platforms and their data protocols can be considered. This directly addresses the PQC QA/Testing Specialist and OT Security Specialist roles identified in the workforce taxonomy.

Alignment: Ontario Research Fund infrastructure programs; Canada Foundation for Innovation (CFI); National Quantum Strategy quantum communication and PQC roadmap; CCCS sensor programs and network monitoring tools; Rogers Cybersecure Catalyst model (Toronto Metropolitan University).

Recommendation 4: High School Outreach and Talent Pipeline Development

The PQC workforce challenge cannot be solved at the graduate level alone. Ontario universities must build a deliberate pipeline from high school into cryptography and quantum-safe computing introductory programs. The evidence is clear: McKinsey found only one qualified quantum candidate for every three job openings globally, and the WEF Quantum Economy Network identifies workforce development as a key theme requiring K--12 engagement. Prior epochs of sovereign inflections did look to identity high potential talents at the high school levels.

Proposed outreach programs:

  • Ontario Cryptography Scholars Program: A competitive enrichment program for Grade 11--12 students with strong mathematics backgrounds (Advanced Functions, Calculus and Vectors, Data Management). Modelled on existing enrichment programs (e.g., Waterloo's Centre for Education in Mathematics and Computing), this program introduces number theory, modular arithmetic, symmetric/asymmetric encryption concepts, and quantum computing fundamentals. Students who complete the program receive guaranteed consideration for university cryptography/PQC streams. IBM's Qubit by Qubit partnership has demonstrated this model works: over 6,000 high schoolers participated in quantum computing courses, and the majority expressed interest in pursuing quantum careers.
  • Math-to-Crypto Pathway Awareness Campaign: Many high-potential mathematics students are unaware that cryptography represents a high-demand, high-salary career path ($110K--$200K+ for PQC roles). A targeted campaign in partnership with Ontario high school guidance counsellors, the Ontario Mathematics Coordinators Association, and university admissions offices should position cryptography alongside AI, data science, and software engineering as a marquee STEM career. The COU's 2026 pre-budget submission notes that 135,000 graduates leave Ontario universities annually -- ensuring that a meaningful fraction is cryptography-ready requires upstream pipeline work.
  • Summer Research Experiences for High School Students: Ontario universities should offer 4--6-week summer research placements in cryptography and cybersecurity labs for top-performing high school students. This mirrors the IBM-Princeton model cited by McKinsey, which combines academic research with translational applied work and has demonstrated measurable impact on career interest. The NSERC CREATE Cybersecurity Program at Queen's/RMC provides a graduate-level template that can be adapted for pre-university audiences.
  • Indigenous and Underrepresented Community Engagement: The ISC2 2024 Cybersecurity Workforce Study found that diverse backgrounds can help solve the talent gap, and the Rogers Cybersecure Catalyst emphasizes tapping "latent talent pools" including veterans, new Canadians, and women (currently ~25% of cybersecurity professionals globally). University outreach programs should specifically target underrepresented communities, Indigenous schools, and northern Ontario institutions to ensure the PQC pipeline is inclusive.

Alignment: Ontario's 2025--2030 SMA support for up to 20,500 STEM seats per year; Ontario Ministry of Education STEM priorities; IBM Qubit by Qubit model (McKinsey, Dec 2022); WEF Quantum Economy Blueprint Framework workforce development theme; Rogers Cybersecure Catalyst latent talent pool approach.

Watch the Discussion

For further context on enterprise quantum-safe architecture, watch this video series featuring John M Scott, Brad McInnis, and Imraan Bashir discussing the "Why, When and How" of becoming quantum-safe: