In an organization, policy shapes the culture and work practices.

A good policy is practically achievable, acceptable, and has buy-in at all levels, so that everyone understands why they have to follow its directives.

In contrast, badly written policies create conflict, politics and non-compliance, because auditors will point out that you are not doing the work according to the policies.

Even worse, in cybersecurity certain practitioners micro-manage the protection technology down to the brand name while no published standard is available. Everything exists only in their heads, slipping out of their mouths as verbal recommendations.

We must always bear in mind that cybersecurity exists to help the business run securely, and we should not overkill with unnecessary controls. There are many threats outside the cyber domain that affect the business. The bottom line is to adopt a resilience approach for prompt recovery rather than piling on protection, because you never know the threats outside your own knowledge domain. Protections also require overhead to sustain their effectiveness.
