If you want to be assured of the strength of your question, or at least give the user a fighting chance of staying secure, let them choose and input the security questions. The self-service password feature page should educate the user in how to create truly secure security questions. Suggest some good examples.
If your Web site's password reset self-service feature doesn't allow custom questions, or can't be recoded and can use only precanned, weak questions, try to require multiple successful answers to multiple questions. The Web sites I see using this type of query often ask the user to select 5 to 10 questions to which they can input the answers. And when using the feature, the user must successfully answer 2 to 4 of the questions. This makes it a little harder for an unauthorized person to break into the account.
Of course, any password resets or changes should be sent to the e-mail address on record asking for confirmation before being committed. If an attacker has access to your e-mail account and knows the answers to multiple or custom security questions, your issues go well beyond the things a columnist can help you with.