UK public sector IT chiefs shrug off breach threats: The data we hold isn't that important

Anonymous Coward

Re: wrong question perhaps?

My own experience is that most of the public sector take data protection very seriously and are abjectly terrified of the fallout of a significant data loss. The ICO fines worry them but the bad PR scares them. It might seem unlikely, but even though the public sector doesn't need to turn a profit or win your business, it is very conscious of its PR (or at least those at the top are).

Where this falls down is in the operation. So the words are said that this stuff is very important; they might even be heartfelt, but if security starts to cost money and/or time it's very quickly put to the side as a blocker. Schools have no interest in security if it means they have to do anything. Various teams will sidestep security if it means it is easier to do the thing they are focussed on. "Why include security? They only ask awkward questions and mean that I can't get the latest shiny tomorrow!"

Security is a hard sell; it's insurance at worst and a comfort at best. If you do your job properly nothing happens. If the organisation is lucky nothing happens anyway.

I have asked for public executions for those managers that ignore security and then cock up but as yet I've been rebuffed.
