Seeing an institution's name in the headlines for a security breach may be among a CIO's-- and a president's--worst nightmares. Whether the breached data involves social security numbers, credit card accounts, clinical records, or research, this is bad news. Federal agencies that provide research funding may lose confidence in data integrity, putting millions of dollars in grants at risk. Legislators may seek additional oversight. Beyond image, institutions face issues of liability and business continuity. Considering that colleges and universities manage some of the world's largest networks and collections of computers, the risk and the importance of the issue should not be underestimated. In this article, the author suggests that, in thinking about information security, the CIO and the executive team should ask themselves the following strategic questions: (1) Should security be treated as a campus governance issue or as an IT governance issue?; (2) Is it known which institutional assets need to be protected? (3) Do all IT users consider that security is their responsibility; and (4) How are academic values and institutional integrity ensured without ensuring security? (Contains 12 notes.)