Many security policies are aspirations, doomed to fail because they are unrealistic. Not only can they be unachievable, but may in fact encourage people to disregard policies because, after all, "we can't really do that." 

Further, enterprises may not be able to collect on cyber insurance policy payouts because they didn't meet their own, internal standards. These and other issues surrounding information security policies are discussed in this conversation between Security Current's Vic Wheatman and Gartner's Dr. Anton Chuvakin.