The purpose of treating these policies as code is not just to capture policies in as software and data, but to automate security for consistent application across the enterprise and apply software engineering practices to them — for instance, keeping the code under version control, and observing and monitoring policy operation.
This enables enterprises to automate their security policies, increasing their protection against disruption and threats.